Show Notes: Pivoting from Physical Security to INFOSEC with Kyle Croll | Episode #30

7 months ago

Play episode

Overview

In this next episode, I was stoked to be joined by Kyle Croll, GMON, GCIH, Sec+, and MBA candidate at UT Austin.

He’s lived the life of a physical security practitioner, from being in the US Navy to protecting high-net-worth clients and advising organizations — what’s more is that he’s also pivoted from purely physical security projects to technical information/cyber security projects. And this is the focus of our conversation:

  • What was his experience like making that career change?
  • What advice does he have for others following a similar path?
  • Are there special vocational programs that military vets should consider?
  • And so much more.

This was an insightful conversation to kick off 2024 with a bang! I hope you enjoy it.


Highlights from This Episode

  1. Passion for Learning: A passion for continuous learning and curiosity is THE driving force in succeeding in cybersecurity (or any security discipline)
  2. Demystifying the Unknown: Seeking to demystify topics of ignorance and expanding one’s knowledge is an essential aspect of personal and professional growth.
  3. Well-rounded Security Practitioner: Striving to be a well-rounded security professional, both in physical and information security, is valuable for adapting to career changes and uncertainties.
  4. Proactive Security Mindset: A proactive security mindset and the ability to think like an adversary are crucial attributes for cybersecurity professionals.
  5. Transferable Skills: Many skills from physical security, such as risk management, threat assessment, and investigation, are highly transferable to cybersecurity roles.
  6. Certifications: Security+ and CISSP certifications are mentioned as valuable credentials for cybersecurity professionals.
  7. Cyber Threat Intelligence: The role of a CTI analyst involves tracking threats, conducting investigations, and staying updated on cyber threats and vulnerabilities.


Memorable Quotes:

  • “You shouldn’t discount yourself [a physical security pro] as an entry-level professional, because those skills are… one for one.”

RESOURCES MENTIONED

  • CISSP Certification: Mentioned as a valuable certification for cybersecurity professionals.
  • Security+ Certification: Recommended as an entry-level certification for those starting in information security.
  • DoD 8570 Compliance: Discussed as a requirement for certain government security jobs.
  • Udemy and Coursera: Online platforms where courses and practice tests for certifications can be found.
  • ASIS International (ASIS): Mentioned in the context of certifications such as CPP and PSP, which are related to physical security.


Use CONTROL + F to search the transcript below if you want to learn more!

Transcript from this episode

*Note: this transcript was generated using automated software, and may not be a perfect transcription. But I hope you find it useful.

Unknown Speaker  0:00  
Ladies and gentlemen, welcome to the security student podcast Travis here. In this next episode, I was joined by Kyle, an experienced security practitioner whose career has led him from the US military, to executive protection. And on to being a senior cyber threat intelligence analyst and MBA candidate today. If you're sincerely interested in making a career move from the physical side to information security, then you have to listen to this episode, Kyle and I explored topics ranging from applicable skills that span physical and InfoSec roles, the need for humility and the interview process. If you're moving from physical to InfoSec, we also talked about educational programs, including those specific to veterans. And then finally, we got Kyle's thoughts about InfoSec certifications, and some tips for studying for the CISSP or security plus, I hope you enjoy the following conversation. And as a reminder, if you want to support the podcast, please open your Spotify or Apple podcast app and click follow. So you never miss a show. Cheers.

Unknown Speaker  1:13  
it's awesome to have you on the podcast. It's kind of funny how we got connected. So we originally got connected, I think we connected on LinkedIn, I'm sure like a year or two ago. But then recently, when I posted on LinkedIn about starting a CISSP study group, you reached out with some really helpful insights for maybe how to approach the exam and then even considering other like other fundamental courses that might lead into it and be a better pathway. So very much appreciate your insights there. And then also, from there, it was funny, we jumped on a zoom call to chat a little bit, and then kind of realized that we have many mutual connections, which is really funny. Even one of them being kind of like a cyber mentor of sorts. So it's just kind of funny how, you know, we just happen to have some mutual colleagues from some of our past working relationships. So it's just funny how small the security industry is. So yeah, Kyle, welcome to the podcast. And thanks a lot for sharing your time. Know that indeed, Travis, thanks so much for having me on. Yeah, small world indeed, and happy to share my insights with the broader security community just kind of excited to share, share your platform and kind of, you know, show other physical security professionals out there. And there's way more that the industry has to offer. In that, you know, you don't have to carry bags for you know, a fortune 500 exec or, you know, stay at a physical site, you know, your entire career and that there's so many different verticals to pivot into, and kind of get a copy to get into that. So thank you very much for having me on today, Travis. Of course. Yeah. And that's exactly why I started the podcast, because there's so many different aspects of security. I think it's easy to get locked into some type of niche when we initially get started. But there's so many diverse roles from physical to cyber to compliance to like, you name it, just giant landscape. So I think this would be a great conversation to contribute there. And I was thinking, one good place to start might be with you sharing a little bit about what your career path has looked like leading up to working in cyber. So could you share a little bit there? Yeah, no, absolutely. So my name is Kyle Crowell. 30 years old, and I started out my career. In 2016. I joined the Navy to do you know, the basic underwater demolition program out there in Coronado, I wound up getting injured in training. And I had some events that led to me getting out early, after only two years of service. And it didn't really know what I was going to do. And I wound up taking a job as a security guard at a marijuana dispensary right after I dropped out in 2018. And I had a buddy that I went through the pipeline with who wound up recommending that, I go to this course called SEC board International and it's a you know, PTSD school that was located out in San Diego, Rick Sweeney runs it. It's a great program. I can't speak highly enough about it. And I wound up self funding that in late 2018. And it was, for me a life changing experience. And that kind of threw me headfirst into the industry. And I just put my nose down and worked really hard at it. I didn't really know where I wanted to go with it. But right after graduating at the end of September in 2018, I wound up going kind of headfirst right into the industry started working residential out in LA, wanting to networking while on a on a job and then I wound up becoming a team lead of an EP team out there in Beverly Hills. I ran that for about seven months where the contract ended before I wound up pivoting into more of like a consulting role where

Unknown Speaker  5:00  
I was, you know, working for a couple of different firms out in Los Angeles, doing a lot of things my private investigations, EP work residential work risk management work, and kind of got exposed to a lot of different facets within the industry and kind of took it took it head on and started running with it.

Unknown Speaker  5:19  
And then right around 2020, we you know, that's what we're talking about, right? When we were on the Zoom call, the other week, we wound up working for the same firm, same small private family office and 2020 was kind of a catalyst for me. I was kind of at this, this road in my career where I kept getting interviews and corporate gigs, but I was 25. They said, I didn't have a bachelor's degree, I was too young. And I kept banging my head against the wall trying to pivot into like a full time corporate role within management. And I was kind of conflicted on whether or not I'm going to keep continuing forward in the career, I kept finding that, you know, I wasn't a retired law enforcement officer, and that was playing against me and I didn't have my HR to 18. And, you know, I'm sitting there, I had these credentials. I had my Asus APB, I had, you know, all this f 500 experience, I had celebrity experience. And I had, you know, glowing client reviews, but I couldn't find a way out that would have one on one pay me more to give me more responsibility. And, you know, it kind of came to this, this this, this very huge catalyst in my career where it was, you know, I had this major life event happened during COVID 2020. I'm sure like, a lot of us went through some really bad stuff during that time. For me, it was really bad. But I took it upon myself to look back into school. And I knew that security was pretty much the only skill set I had as a young professional, and it was somewhere I wanted to stay at. And that's kind of where I looked into school. And I looked into University of Arizona Cyber Operations Program, I applied to like three or four schools a lot of getting into you have a one of choose choosing U of A and that our mutual friend, Chris Lee, who has been a massive mentor in my life. The first inkling I got to really like make that pivot was him, showing me the security plus study guide. And he said, You know what, Kyle, you, I know you're bored with the with EP, I know, you're kind of getting, you know, restless, and you really want to try to do something else, you know, just take a look at it. Let me know what you think. And, you know, we'll talk about it more. And when I was getting into school, I reached back out to Chris and said, Hey, can you come down to San Diego? And can we have lunch?

Unknown Speaker  7:40  
I wound up taking that security plus and passing it and then just kind of asked him like, what, what I should do as a young professional moving from one industry to the other, and what would make me successful in cyber. And that's kind of what started my career. That's kind of my background. And then currently, right now I'm in cyber threat intelligence at UPS working in the security operation center there. I currently have my security plus GCIH Gmod. And working like you said towards my CISSP Certified Information Security Systems professional, which is kind of that gold standard cert for cyber similar to what like the for those physical security listeners that listen to the podcast. That's what the CPP is to like the physical security industry. And yeah, and then currently, I'm attending university of texas of Austin becomes business school, getting my MBA and just kind of trying to grow as a professional make like that next, pivot into whatever it may be, whether it's cyber management or another roles in tech. So very cool. Yeah. And I feel like your experience is probably not all that unique. I know there's I've definitely talked with a ton of people who have had similar experiences, like you mentioned, everything from just getting a little bored with EP of sitting in an ops center doing the residential security thing, the travel security thing,

Unknown Speaker  9:03  
flying all over the place year round, never being home.

Unknown Speaker  9:08  
And then it's also funny, too, you mentioned like, not having a bachelor's being too young not being in law enforcement. And I think one of the really unique things about cybersecurity is that it's actually possible to get good experience and good roles without a bachelor's degree when you just have good work experience. And just a solid technical background. Like we talked about one of our one of our friends. Yeah, one of our friends, Chris, who also works in cyber and for him, he doesn't for some of these things, he doesn't have them but he's crazy passionate, he has a ton of practical experience and you could solve like any problem you could think of. So I think that's one really unique thing about the key skill there you mentioned right is like

Unknown Speaker  10:00  
problem solving, right? And taking your ability to not only have the technical acumen, but be able to apply it to like a practical problem. And I think that's where he shines. And I think that's what I've really tried to do early on in my career, right is, you know, you can walk the walk, you can close a ticket, you can, you know, get another certification, but unless you're actively trying to find problems within your organization that you can solve, and make your operation more resilient and more capable. That's kind of where you can shine as a candidate. And especially if that comes through in an interview that you're, you know, a problem solvers, a lot of people in physical security are right, like, us as EP guys, that was what we did, right? Or else we got fired, right? It was solved the problem, book, the reservation, you know, pick the best driving route, like that's what you did, right was, you know, streamline things for the client, make things make the operation more resilient, right. And it's no different for cyber. Yeah. And I think another thing that's unique to physical security. And this is kind of like a problem that plagues our industry everywhere. If you are too young, if you haven't worked in local or federal law enforcement for 20 plus years, some of these roles, you're just never going to get like I've come to terms, there's absolutely no chance I will ever be a security director for any of the resorts, casinos venues here in Las Vegas, because I haven't worked for Las Vegas Metro for 20 plus years. And I'm okay with them and gatekeeping at its finest.

Unknown Speaker  11:36  
I'm not saying that's necessarily bad insecurity, right, there has to be some form of like check and balance, and keeping up a culture. Because security teams rely on a specific culture and unity and cohesiveness that you need for the operation to be successful. However, you lose the inclusive part of that you kind of lose out on a lot of prime candidates that would work harder than I, in my opinion than someone who's you know, retired, resting on their they're already getting a pension, right, like the need for them to perform at a high level, you know, like if they get fired, they already have the pension. Right, they can pivot to their friends other operation who's over X, Y, and Z. Right. And there's some of that in cybersecurity as well. I think that, you know, there's a little bit more of a technical aspects of that, where like, you still have to prove yourself even late in your career through like a technical interview or whatever. But I think that was the biggest problem for me. And there's, there's still some of that in cyber, but there's, in my opinion, a lot more opportunity, especially for the younger professional who might not want to go the traditional route of a bachelor's at, you know, John Hopkins University and criminal justice, or what's the other one out there? John Jay College, right.

Unknown Speaker  12:51  
Georgetown? I just think, yeah, really? Yeah, there's, you know, I just think that, you know, there's so many more verticals to go into. And I think that, you know, I think cyber is often underlooked. And, inversely, I think that people looking to get into cyber, if they are listening to this podcast, you know, might want to consider a physical security role to start out. And I think that, you know, when we get into talking about this, and we kind of dive into some of the other topics, one thing I'm going to talk about more is, you know, how people try to get into cyber, if they're struggling to get that help desk job, or that network engineer job, that might be the precursor of getting like, as an operations role in cyber, whether it's CTI, GRC, sock, pentesting, whatever it might be physical security, we'll at least get you in the security realm, it adds to that security experience. And it gets you understanding the principles of security, which I think a lot of people try to skip and go right into the technical skills. But unless you understand things like the difference of a risk and a threat, and knowing what defense in depth security is, and knowing, you know how to fortify physical assets, you're gonna have a hard time conceptualizing how to secure virtual assets. Yeah, and that's a really good point you make to about just like career mobility, and cyber versus physical. So that's definitely something for people to consider, as well. And before we get into what your transition from physical to cyber looked like, and kind of what inspired it, I just wanted to ask one dumb question. So I often hear people say, like, that people use the terms incorrectly, cyber versus information security, are these the same thing? Or is there a way to think about them separately? So I mean, they're, they overlap, right? Like information security, relates to you know, securing physical information, I think more than anything, whereas, you know, cybersecurity might deal more in the asset space. I'm kind of curious to the physical definition is some kind of looking it up right now.

Unknown Speaker  15:00  
because that's something that I, that I've never really looked into. Yeah, just because there's a handful of people out there. And I always see them posted up on LinkedIn like this. And I'm like, I don't know, I just see people use them interchangeably. If I've been doing it wrong all these years. Yeah, I remember. So cybersecurity is more of a subset of InfoSec. Right? Like, you can think of InfoSec as the umbrella of the general industry, whereas cyber is kind of like that subset, right. And this kind of outlines this as well. None of them kind of thinking back through like the wrote documentation that is cyber, right. And this even governs some of the physical security stuff. And yeah, so it's, they're not They're two, they're two separate fields, not necessarily identical. But information security teams, also, when I think of it are more there to implement policies, and systems to protect the information. And cyber is kind of defending those networks is kind of how I see it. I think that's my definition of it. But they need each other they go hand in glove, right. So I think it's important to understand both realms equally. But to understand broader InfoSec, before diving into security principles, I think is really important. Cool, yeah. Thanks for shedding some light on that for us.

Unknown Speaker  16:18  
Okay, so now I wanted to learn a little bit more about what did your transition from physical to cyber look like? You've talked a little bit about how, like, a lot of the principles overlap from, we're talking about assets, vulnerabilities, threats, defense, in depth layers of security. So what did that transition look like? Yeah, so mine, I kind of speed ran. But I realized early on after talking to our mutual acquaintance, Chris Wright, that, you know, I wasn't necessarily, quote unquote, an entry level candidate, right. I had expertise in security already, I had worked at a high level than it was really. But this is the most important part for really any Junior InfoSec, or cyber practitioner wanting to get into the industry is that if you work in physical security, and you want to make that pivot, you're not your typical entry level, quote, unquote, professional, you have transferable skills, from risk management, to physical security, to asset protection to data protection to, you know, being able to understand how a threat actor works. And I think that's the most important part. And it was something that came up in my technical interview, for the job that I have now was, you know, they gave me a network map and said, If you were a threat actor, how would you break in, I think a lot of physical security professionals understand the things that they're protecting, and why they're protecting them. And I think that's a huge part of understanding security in general is not only that you're protecting the asset or the client or whatever it is. But understanding how someone's brain would work to try to break into it and using that to fortify your defensive protection strategy, that all that we were talking about how to how I made that pivot, right. And I speed ran it by identifying that I had these skills, and kind of tweaking my resume to show that those skills

Unknown Speaker  18:22  
would be transferable from a broader security perspective, right. And when I moved out to Texas in 2021, and I was enrolled full time at University of Arizona, and my cyber ops degree, I hadn't planned on getting a job until the degree had finished. And it was right around January 2022. I was I had someone reach out to me locally here in Texas. And they said, hey, you know, you have a very unique profile, but I see your, you know, university student and cyber, and I kinda want to talk to you, we had some help desk rolls open, but I actually have a project that I think you could do. And I wound up meeting with my now good friend and colleague, Tristan croson, who was a director of security at a small it firm. And he wound up, you know, giving me a shot on this three month project. And I wasn't completing the project in 45 days, but it was essentially more or less like in like an information technology infrastructure analyst role. And it gave me experience with kind of working on you know, patching vulnerabilities of OSS that we're in these computers across an enterprise for the company that was contracted out to and kind of being able to really understand some of just the rote it stuff of patching some of these programs, you know, remoting into computers and making sure they were configured correctly, and making sure they match like these compliance standards for the for the enterprise wide configuration setup that they wanted to move to right. And it was during that, that I had, you know, I'd gotten my security plus I was stuck

Unknown Speaker  20:00  
Being in my home lab, like I had built a computer with our buddy Chris, right? When I got into cyber X, I want to know one, how does a computer work? Right? I think at the fundamental level, if you're looking to transfer into it, or you just want to learn more about technology, the first thing you should do, just build a computer, at the very base, understand, you'll understand what parts are in it, what they do, and kind of how a computer is architected at like a very high level, right? And then after that, it was okay, what how are some of these other processes systems working? Right, so I started studying the coursework for CompTIA a plus, right, which is like more of like that help desk certification, it gets you exposure, all the operating systems, you know how a computer works from like kernel to USB, kind of a thing. And then I knew the Security Plus was like that, that definite like stamp of like, you know, if you want to be in InfoSec, or cyber, you have to have your SEC plus. And that will expose you to a lot more of the general security practices within the industry. Different, you know, encryption algorithms, different NIST standards, different incident response procedures, you know, it's a very broad cert, very high level cert, but it gets you familiar with all these different things. And they're kind of covered in my degree programs. So they kind of went hand in hand to begin with. And, you know, I started doing the small things that added up, right, I got the Security Plus, I was working in a home lab I was using try hack me pack the box, understanding how offensive security procedures worked, I was doing PluralSight courses on incident response and using a sim or security event manager, right. So learning how some of these tools that are used industry wide work and how log aggregation works and how network security works, how TCP IP works, the OSI layers, like how information travels from layer one to seven, in truly understanding kind of like the very fundamental basics of what, you know, network security were and like really understanding the fundamentals of it. And then, you know, networking, right, we talked about it and physical security, we talked about it really any profession you want to grow in, that I wound up, you know, networking with somebody who wound up posting a job that someone else had posted, right. And it wound up being one of my now co workers and kind of like more of my mentor, Kurt Waller. And he was saying that they're looking for junior cyber threat intelligence analysts to work in their sock. So I added him on LinkedIn. And I reached out and it was like, probably 35 minutes after the post was out there. So I want to catch it super early. And I elevator pitch them. You know, my name is Kyle, I have, you know, at that point, it was three years of comprehensive security experience. I'm pivoting into cyber, I'm currently enrolled at University of Arizona and the cyber ops program, I have my SEC Plus, these are the transferable skills I have, right, like we did the protective intelligence part. I've written threat assessments I've done, you know, risk management I've done I know, I know all these realms and physical security, and I'm looking to get into cyber, how do you think I'll fit into this organization? And if I'm not quite there yet, how do I get there as a professional trying to pivot? Right? That's what the question you want to ask, right? It's easy to say, just give me job, right? I need job give me job. But when you ask someone, what am I doing to get how am I doing in terms of getting to where I want to get but if I'm short, you know, where can I improve? And we wound up building this relationship, and he wound up recommending me, and I wound up, you know, interviewing, and you know, getting the job. And that was kind of when, you know, things shifted for me. And then I was able to break into the industry that way. And during that interview process, it was really, you know, iterating, you know, I understand the technical part of cyber, these are the things I've learned from the degree. I went on Glassdoor I went on the internet and I was researching, you know, what kind of questions am I going to be asked in this interview, prepping that way going over old school docks and stuff like that? So definitely, definitely say that, like, you have to understand the skills you possess, where you're lacking, and then bridge those gaps and explain that, you know, if you are someone in the security industry trying to pivot there, that you're already halfway there, you have those skills, they do transfer, but there's going to be a huge bridging of the gap. So you can't, you can't rest on your laurels and he definitely can't skip the fundamentals of information security of network security of the compliance frameworks and understanding how all those work. And you just got to cybersecurity and information security is one of those things you have to constantly hammer on. You can't stop learning and it changes you know, as rap

Unknown Speaker  25:00  
If not more rapidly than in physical security, right? threat actors are always changing their TTPs or their tactics, techniques and procedures, they're always changing their infrastructure, they're always changing the mode of which they operate. So you as a defensive practitioner, we're always playing one step behind the ball. Whereas a lot of people in our industry call it the infinite game, right? My my mentor, Kurt talks about that a lot. And I've given some talks on that. We're always in this infinite game of, you know, going against people whose sole job and intention is to break these systems, you know, get those credentials ransomware, those systems extract money from corporations. So that's kind of the game we're playing.

Unknown Speaker  25:43  
Yeah, you mentioned a lot of really interesting ideas. Like, for example, approaching cyber and approaching this new career path within the understanding, you're not a total noob, you have a lot of these transferable skills when it comes to broadly understanding security, like you mentioned, just thinking about like, the adversaries path going from one point to compromising an asset. And also, I do really like some of these ideas that you had around interviewing, especially for those people that are transitioning from physical to cyber, like you mentioned, just having, approaching it with a little bit of humility, and being able to talk to the interviewer like a normal human and ask,

Unknown Speaker  26:29  
and basically state, okay, here's the experience that I have, here's how I'm developing myself. And if I'm not already in the right place, for this particular role, how can I get there? I think that's so huge. Just having a little bit of humility, and being able to show the learning path that you're on.

Unknown Speaker  26:51  
Yeah. And then just like you mentioned, in particular, of course, I think in all aspects of security, you should always be learning. But yeah, cyber seems to be one part that's especially unique. And you mentioned as a project, building a computer. So I'm a little curious about how you went about building a computer. Like, for example, did you know is there like a subreddit that kind of walked you through? Hey, here's a good place to start. And here's a good place to get additional resources. How did he go about doing that when he wanted to build a computer? Um, definitely, you know,

Unknown Speaker  27:33  
I'm not gonna lie. I leaned a lot on Chris, right, like, I just straight up asked him like, Hey, could you like, how do I go about this? Right, like, kinda like, is there a subreddit? Is there something I can look at, and he just told me like, hey, go to PC Parts picker.com. And kind of look at what kind of computer you want to build. And I told him my budget, and he went with me on Newegg, which is like a computer sales site, they thought like hardware, and a bunch of other things for computers, and we wound up sitting down, and kind of looking over what would fit my budget what I wanted in it, and then I ordered all the separate parts. And once they all got there, he just sat down with me and helped me put it together. So I would recommend just, you know, if you have a budget in mind, you want to build a computer, you're gonna need, you know, the case that holds all the parts to it, you're gonna need a motherboard, you're going to need RAM, you're going to need a GPU power supply, you're going to need the actual CPU chip, you're going to and there's other things you can add on to it, right, but you know, you have to identify, you know, the parts that you're going to need to build the computer. And then you're gonna want to build it out to the specifications

Unknown Speaker  28:44  
that you want. And it's just a good starter, home lab. 16 gigabyte, the ram should be just plenty to run like virtualized assets and stuff like that, if you're building a VM or like a lab environment to, you know, examine malware or to do open source intelligence research or something like that. But you know, at the very simple base layer of it is just understanding what belongs in the computer, what parts should go in there, and then architecting it based on your price point, and you know, how powerful you need that computer to be.

Unknown Speaker  29:20  
Yeah, that's a really cool idea. I think I will probably add that onto my list for 2024, even if that's just like one of my side projects, because that does sound really cool. And quite frankly, that would be a great thing to brag about. If you are someone transfer. Moving on from from physical to cyber, because it just shows Hey, like, on the inside, I'm a total nerd. And this is how dedicated I am to learning to jumping into something I'm probably completely unfamiliar with, just so that I can continue to learn and just better understand these devices that I'm working with day to day. I think that's it

Unknown Speaker  30:00  
I think that's an awesome project 100%. And I mean, our mutual acquaintance hammered on that, right? Like he had built hundreds of computers, right? That's just something he enjoyed doing. But I think the number

Unknown Speaker  30:14  
I want to say like the number one thing you have to have as a cybersecurity practitioners curiosity, right? You have to be like, there's no guidebook on how to do the thing, you just do it, right, you fail fast, you fail often. And you just learn as you go, right?

Unknown Speaker  30:33  
And that goes for even everyone who claims is out there a subject matter expert, right? Even if they're learning something new, they're going to be just out there throwing stuff at the wall, seeing what works, right. And, you know, the one thing you have to be able to do is be curious, and you know, always be wanting to learn something, I think the very, you know, at the very base level, what you could do is just, you know, learn how to build the computer. You know, I think that that's one of the things that got me started got me interested. And definitely something I'd recommend that really everyone does. Yeah, and as we think about transferable skills, I think really like the core transferable skill across all security domains is going to be curiosity. 100%. I agree more. Yeah, I remember, I had one conversation in the past couple of years. And they were like, they're leading security teams. And they made a point to come out and tell me, hey, you know, that educational program that I see you're doing, I would never dedicate my time on the weekend, or the evenings, or 6am, before I show up to work to learn about that program. And I was like, oh, like, this person, this person is out there leading security teams. And they're coming to me making a point about how they would definitely never use their time for continuing education. And it's kind of a unique dynamic that I think a lot of people will see if they haven't seen it already in their careers. But when you really aspire to continue to develop your skills, maybe even past some of the peers that you have in organizations or your peer groups, you kind of have experienced some unique interpersonal dynamics. Have you ever seen anything like that?

Unknown Speaker  32:21  
Yeah, and I'm going to touch on your point, right, with the continuing education part, like I chose both like certifications and degrees. And for me, it was more of the curiosity of like, learning what I was going to be getting into, and I figured that like, one, the bachelor's degree for me was always a aspiration, I had originally gone to college, when I got out of high school in 2012, I was playing football, and I didn't really have a direction, and I wound up having to drop out for financial reasons. But going back to school at 26, that was, I was a first generation college kid and graduate. Now I guess I can say that. But you know, that curiosity and that, that wanting to learn, you know, even if you are a leader, leader, a thought leader, as some of them, put it servant leader, whatever they want to throw on their LinkedIn bio, if you aren't developing those skills, or you know, sharpening that edge, you're eventually going to fall out of practice. And it's not, it's not going to do any benefit to the team you're working on.

Unknown Speaker  33:22  
But I just wanted to say that right is like, you know, to your point you you have to continuously, you know, build upon your skill set, you know, sharpen that that tool set. So, yeah, definitely agree with that. And then what was the second question you want me to follow up on? Oh, it was kind of like,

Unknown Speaker  33:41  
have like others in your network in others, they that are in your network or others that you've worked with? Have you ever gotten? I don't know. Have you ever been treated differently for just being someone that's obviously aspiring to do more than some of the peers that are around you? Yeah, I mean, I would get like, kinda like people will do the condescending remarks about the college degree thing, even people that are already in InfoSec Well, there's a good a good number of people who got in without the bachelor's degree, or that they're naturally technical, right. And I'm not a naturally technical practitioner by trade, I will admit that I am more of a soft skills person, obviously, coming from like the EP side, I can manage projects really well. And that's kind of my niche that I've carved out. Not saying that I don't conduct incident response at a level that I think is you know, amicable with the team and that I can't you know, do investigation solo or that, you know, I don't have a firm grasp on like, incident response practices, but I do recognize my talent fly kind of more like that soft skill that I lean into that right and some people you know, give me give me a hard time for doing the MBA, they're like, you know, you don't need an MBA in our field. Doesn't really make a whole lot of sense. You know, you're

Unknown Speaker  35:00  
Spending $125,000 for this degree, you know, just kind of think it's dumb. And, you know, it's everyone has a different path. And I think that, you know, we go back to sharpening those skill sets, right. And I think the biggest gap that we have in the security industry as a whole is senior leadership, especially, you know, talking Cisco level, which a lot of different topic in and of itself that I could go on for hours about is, you know, a lot of CSOs are at a VP level and not a board level or C level. In organization that I think that speaks to the organization's security, maturity, and how much they value it. But digressing from that, it, you know, I think the biggest gap is senior leadership and security, being able to speak, security risk, and put it into a monetary value, right. And showing that like this risk can actually equate to like a monetary value in speaking, taking the technical jargon of that, and putting it into an into a form of a language that, you know, other stakeholders in the organization can understand at that business level. And that's kind of where I wanted to bridge the gap. And I knew that once I was done with my bachelor's, I was interested in doing a master's degree. And instead of doing I see my job in the industry as a whole as being your masters in cyber, right, the Master's in cyber is kind of just going to be another iteration of what your Bachelor's was right? If you did a bachelor's in cyber security. So for me, I got some advice that if you wanted to strengthen your skill set, as a practitioner, get a degree, a master's degree, specifically that lied outside of the traditional skill set that would strengthen you as a professional. So that's why I personally chose the MBA is not only for the obvious return on investment of getting the MBA, especially in a top 20 school. But being able to down the line, if I'd gotten to a leadership position, be able to speak the same language that other board level members are speaking in other sea level, they're speaking to other directors, right. And being able to translate that risk into you know, you know, essentially what the corporate language is money, right. Yeah, you mentioned a lot of really interesting points, like first, just being able to translate,

Unknown Speaker  37:26  
being able to translate into what the corporation actually cares about. And I've seen a couple interesting talks about this recently, one, one that was at GSX. And this gentleman who's he's built giant businesses, he's advised like some of the largest companies on the planet. And his entire presentation at GSX was around connecting, connecting security projects back to very tangible business objectives. And then yeah, just like you mentioned, connecting it back to value. So there's definitely a very important skill set there. And I think, when we think about transferable skills, that's one that just kind of spans across all industries. It doesn't matter if you're in security, or otherwise, which is translating all of the technical stuff into what actually matters to the executives at the top. And it's funny that you mentioned like pursuing education, educational programs that are outside of the traditional, and I think I've kind of done the same with my career path, too. And I think, of course, right you have an MS in psychology, right? Yeah, I did a Applied Psychology Master's. And what was your thought behind that? Just curious. I don't mean to interrupt. I'm just curious. Like, what? Maybe other listeners haven't heard the story before, but like, what led you to do an Applied Psychology master's from USC? So I think it's a couple of things. One, like one of my good mentors, actually, the gentleman I did my last podcast with Ilya Umansky. So I've been connected with him, since I don't know probably like 2013 ish. And we've just chatted so much over the years, and I've seen him talk a lot, and then also write articles connecting a lot of security ideas, topics, everything, all back to psychology. So that was kind of like simmering in the back of my mind. And then also, I think, probably listening to too many podcasts with Jordan Peterson and some of those other people like hearing stuff like that just made me think like, oh, wow, like so many challenges in the world, business, interpersonal, otherwise, they kind of all come back to human behavior, thinking, like these cognitive shortcuts and biases that we have. So it was kind of like all these things kind of simmering in my mind.

Unknown Speaker  40:00  
For a while, and then back in, I think it was 25. Probably like 2016 2017. I was like, Alright, my next big educational project is not a master's degree, it's going to be studying for the CISSP. So I bought the I bought the book, the study guide, had probably read half the book created a ton of note cards. And then, like, one day, I'm just like, is this actually help? Is this actually like the most practical useful thing I could be doing? So I was like, Alright, and then actually looking back, it would have been very practical to continue it. But anyways, I was like, alright, scrap that I'm going to start looking at master's programs. So I started looking at programs.

Unknown Speaker  40:45  
And really like the most

Unknown Speaker  40:48  
one I like, the more I don't know, legitimate prestigious ones was the one at USC. So I like looked at all the different topics, courses, professors, like very much in detail.

Unknown Speaker  41:03  
And I just saw a lot of stuff that I could connect back to security, everything from org psychology, consumer psychology,

Unknown Speaker  41:13  
doing qual and quant research. Even cool courses like user experience research, like when we think about the security tools that people are using inside a sock, whether whether that's like a operation center for something like EP or global security, or whether it's something like G sock, yeah. Or whether it's something like a sock doing like threat intelligence or something like that. Like, everything kind of comes back to psychology. And like even some of these other topics that we've mentioned so far. Like when it comes to influencing stakeholders,

Unknown Speaker  41:50  
influencing stakeholders or implementing policies, procedures, standards that people are actually going to follow. Like all of these things come back to psychology in like a very broad way. Like, when we think about governance, everything kind of comes down to habit formation. It's like, how visible is this in the environment? Yeah, how security posture as a whole is habit formation, building the culture, right, getting people in the mindset that security isn't, it's it's necessary period. And it has to become a culture. And another thing, he really hit on his biases, right. And as from an investigation standpoint, as like a CTI or a sock analysts like one of the most important foundations, and I learned it from a course called investigation theory by Chris Sanders. And if you have a spare 600 bucks, and you want to pivot into cyber, take investigation theory by Chris Sanders, it's a fantastic course. And he goes over this and addresses like a number of different biases and shows how like, these biases can not only hamper like your investigation, but could change the course of the investigation if you let them. So being able to identify, address those biases and move through them. You know, I think that psychology degree you're talking about, it's like, that's amazing for that, right? It's like taking all these different realms of the practices, psychology and understanding, like, you know, these are all applicable to our field. And you know, when you address them from like an organizational standpoint, it can you know, build a more resilient security culture. I think that was really cool that you hit on that. Yeah. And I'll definitely leave a link to that in the show notes, too. So people can check out that course as well.

Unknown Speaker  43:31  
Yeah. And then also, I'd even kind of gone around talking to different people in the security industry, getting some of their thoughts. I got Ilias thoughts on that program in particular, and he kind of gave me his thumbs up. I had I remember, I went to

Unknown Speaker  43:45  
went to an educational course at GSX, like years ago, this, like successful security consulting course. And I talked to some of the dudes leading that class. And I was like, hey, you know, if I do any other educational programs, what do you think? And they all, they're all Baby Baby Boomers, and all their answers, were MBA, and I was like, Okay, there's definitely something to that. But it's kind of not my style to do, like the standard thing.

Unknown Speaker  44:12  
So being able to find a program that broadly connected to security was different and just wasn't like the standard path. Yeah, it was kind of like all these different aspects. And today, like so much of that work does apply. I had a conversation, like,

Unknown Speaker  44:29  
had a conversation not that long, long ago with like, he's like a mid middle manager and corporate security. He's like, like Master's in Applied Psychology. Have you figured out a way to use that insecurity? But really, like, I use it every single day, especially on the consulting side, when it comes to interviewing stakeholders facilitating group discussions, eliciting the right information in those conversations, like body language, the way you craft your questions the way you present yourself. So

Unknown Speaker  45:00  
So much of that applies and is so critical in those consulting engagements. So yeah, I've got a ton of value out of it absolutely. No 100%. And I definitely like what what you said about why it's the norm, right? Like, my path isn't going to be your path. And it's not going to be someone else's path, like, well, an MBA is a great degree and a great tool. It's not for everyone. And if you're going to pursue continuing education, especially at a master's degree level, you want to make sure that it's something you're going to be passionate about. And it's going to be something that you retain, and that you use on a daily basis, whether that's applied psychology and MBA and MS in computer science, you know, an MS in cybersecurity, whatever it may be, make sure that whatever you embark on is going to be something you're passionate about, that you're going to want to learn about. And luckily for me, when I went to back to undergrad, Cyberdust happened to be that I didn't know when I started my journey, if I was going to even like cyber, it was kind of out of that necessity of I don't want to completely start over from zero again, what can I go utilize my current skill set in, that I could possibly be employed in, down the road, and cyber kind of fit that mold, the definitely I impart to anyone like thinking about continuing education and keep it in the frame of be passionate about it. Make sure that if you're investing the money, and more importantly the time, right, as you get older, you have a family, you are working full time, I've been working full time basically through both by degrees, you know, make sure that you're passionate about it, that you're going to stick with it. Yeah, that's a very good point to like, making sure that you're passionate about it. Because if you're like I was doing the same thing, I was working full time. And then every single day after work, it was like, well, guess what, I'm gonna stay here at work. Or actually, I'm going to take like a one hour break, go get some food. And then I'm going to work on homework for about the next two or three hours. And then I'll go home at like nine or 10pm at night. And I'm just going to do this Monday through Thursday or Friday, maybe Saturday, take like a little break. And then Sunday, pretty much work pretty much do schoolwork all day. So if you're not passionate about it, you probably will not succeed. It's like it's like, what's the quote from Nisha? Like he who has a why can bear almost anyhow, like, really you have to think about what you're passionate about. So that when it's when it's I don't know, seven p out we're getting esoteric, that we're gonna get

Unknown Speaker  47:33  
out the nice on me, man. Love it. Oh, one of my favorite quotes.

Unknown Speaker  47:38  
Let's see. So another thing I wanted to connect back with this. So I'm starting this CISSP study, right? Yep. coming up in January. And we've chatted a little bit about this already. But for some of the other people out there. I wanted to throw a couple of questions at you. So one, so I'm planning on doing security plus, and, and CISSP. First, like, Who Who out there should consider Security Plus and CISSP. Just so people can understand like, is that for me? Or should I be doing something totally different? Yeah, so the CISSP?

Unknown Speaker  48:19  
I'll explain this one first, right. So a lot of people hear about it. And a lot of people in physical security that are, you know, manager or director level might have it you might be thinking, you know, how does this apply to our industry, you know, the CISSP is split into what I think is eight domains now, or it might have been eight, and they've transferred it to seven. But to be able to qualify for it, you have to have five years of quantifiable experience in one of those domains, and someone that has a CISSP has to sign off for you, right. But one of those domains is risk management, right? And what do we do as physical security practitioners risk management, right. So it is a cert that a lot of people that have, you know, some 10 year experience in our industry could could gravitate to, I can assist Peter this. It's an inch deep and a mile wide across a broad scope of information security domains. And it's gonna give you really a more managerial understanding of cybersecurity. It is not a technical cert by any means. There are some technical aspects to it, and you'll get some questions about why encryption ciphers and whatnot. But, you know, it's more of a managerial cert, and you have to think about it and frame it from, you know, what would a manager do in this situation?

Unknown Speaker  49:37  
Definitely a great cert from that and it I would recommend, I guess, you know, if you can study for it and knock it out and do it, yes, it's a $700 cert. It might have a cost barrier for some people, but I would recommend before you even look into that, right if you are starting from somewhere where you have

Unknown Speaker  50:00  
little to no experience from a Information Security cybersecurity network security don't whatever domain you're thinking of entering into. Or even if you just want the cert to show that you have a broad skill set, and you're willing to learn, right, security plus is the better entry point. I think it's like a $300 cert, all in with like your tasks. and whatnot, there's tons of free resources, both for CISSP. And for, you know, any CompTIA exam. But I think security plus encompasses a lot of the high level things that are also covered in CISSP, and a more granular level. But security plus I think, is a lot more adjustable for most physical security professionals, and just general entry level information security people looking to break in. And it's one that almost any employer within the space is going to be looking for, from like a technical perspective, and it's DoD 8570 compliance to right.

Unknown Speaker  50:58  
If you're gonna go for like a sock analyst job or network job within the government, you have to meet DoD 8570, which I think it's actually changed to something else. Now, I think the new ruling is a different subset than 8570. But what else is familiar with the 8570? You have to have like a security plus to be able to be compliant with that to work in the government space, right? So there's a number of different reasons why you would get SEC plus. But it will open more doors just in general not only from a general like learning standpoint and understanding certain concepts within a lot of different domains. But it will open those doors federally as well, if that's, you know, more your game, but both certs are incredibly valuable. But I think that if you're starting from zero, that security plus should be the like one of the first ones you look into. Okay, awesome. Yeah, that's very helpful for just helping me and helping others just kind of think through think through how these fit together. And then actually, another thing that came to mind while you were talking, I've talked to a number of people out there who have mentioned some of the different,

Unknown Speaker  52:09  
like vocational programs out there for veterans working in cybersecurity. So I just wanted to drop that. So if you're a veteran trying to get into cybersecurity, there's a ton of like interesting vocational programs out there. So that might be something just to do some research on VR, and AI is a huge one. That's what I use to fund my undergrad, a lot of people that might have already used the GI Bill,

Unknown Speaker  52:34  
chapter 31. If you're over 30%, disabled, it's made for exactly what it sounds like. It's vocational readiness and education. And if you're trying to pivot into a different industry as a veteran 100%, look into chapter 31, it covers 100% of all expenses. No matter what school you go to, you get a smaller stipend. But if you still have some GI left, you can get the living stipend at the BH rate. So it's extremely lucrative in that sense as well. To do so I'd highly recommend looking into chapter 31, if you're looking to pivot or you know, do a master's in cyber, if you already have like a undergraduate degree, but maybe you're looking to enhance your skill set and cyber look that way. But when I mentioned 8570, CISSP also fit the bullet for that, too. So if you're looking to maybe go federal side, even in physical security, you know, you'll you'll be compliant in that realm as well.

Unknown Speaker  53:30  
Very cool. I'm glad I asked. And yeah, I have the eight domains in front of me. And here are some of the domains, right, I'm going to name all eight security and risk management, right? That's going to be a lot of the ones that physical security practitioners have asset security. Again, what do we four to five most physical security practitioners assets? What are those assets, sometimes people, right? You have security, architecture and engineering, communication and network security, identity access, management, security, Assessment and Testing. That's another domain. I think a lot of people might have, especially if you're talking about physical penetration testing or threat assessment or you know, risk audits, things like that. Security Operations is domain seven. And then software development, security is domain name. So, you know, domain seven being security operations, extremely broad, but it's going to be one of those domains as well, that you can easily slide into as a physical security practitioner. Cool. Yeah, that shows like very direct transference of the skills that a lot of physical practitioners are doing today, risk management and the assessments that they're doing. I mean, I'm sure even some of them also crossover and have like some overlap between some of the some of the other more technical aspects to potentially.

Unknown Speaker  54:49  
And then so we've talked a little bit about CISSP. We've talked about how it's super broad and just one inch deep, mostly kind of from a managerial perspective.

Unknown Speaker  55:01  
So thinking about the study group that we're starting in, or that I'm starting in January, and I've got a lot of interest in that. So far, I've been thinking about how to generally structure that or how to go about it. I wanted to get some of your advice, because you had mentioned, yeah, if you're gonna do CISSP is probably, especially for physical security practitioners who are less technical, maybe not super gifted nerds that have been building computers, probably better to start with security plus, and then build from there and then move on to the CISSP. Is that right? Right, 100%, it'll give you a better understanding of some of the concepts too, right. And I know that like, from a time a time perspective, like, you know, like a time cost perspective, that maybe just knocking out the CISSP, for the sake of CISSP, even if you're not interested in the content, would be better than spending, you know, the extra 300 on the SEC plus studying for that. And I know everyone's not the same, right, like I studied for sec, plus for two weeks, and I took the test and passed it right. Other people might need two months, three months, right. And for CISSP, it could be even longer. I've heard of people studying for six months to a year. But

Unknown Speaker  56:21  
I think just as a good practice, you know, having both the SEC plus and the CISSP would show that, you know, you definitely wanted to dive more into those concepts. And it might show a better acumen. But

Unknown Speaker  56:34  
it's not to say that you couldn't study for CISSP in a rigorous manner and still pass it without the SEC plus, I would just recommend doing both from the technical perspective, and just getting like the broader information across like multiple domain. Right? Yeah. And then even me just thinking about it. Yeah, from a psychological perspective, like being able to get like a quick win and some momentum by doing security plus early. I feel like that's also huge. And just kind of like, probably just builds more confidence also going along the way. So I think that's a fantastic way to go about it. And then so with the CISSP. So this is one that you're studying for, I think you're taking it in like the very near future. Do you have any advice for, I don't know study habits, or any general advice for people that are going to be studying for it in the near future? Definitely block off time. Like I find the way that I prevent, letting it slip is to literally chunk out time almost like a meeting on my calendar that I'm going to have an hour where I just study CISSP. For me, personally, I like practice tests and like huge practice tests proponent. I'm on Udemy, and Coursera. And I'm doing a couple of courses through there. And I actually purchased a couple of practice tests through Udemy that were on sale recently. And that's what I died, can I go through them. And CISSP is very, very beholden to ISC squared like methodology on how they ask questions. So understanding how they're going to how the questions are formed, and how they're, how they're worded is important, and succeeding in the test and understanding and gaining an understanding of the cadence that you need to go through all the questions. I think the test itself have 175 question. So it's pretty long. And you know, if you get hung up and spend too much time, you might run out of time before answering the question. So takes a certain kind of cadence that, you know, a practice test is going to kind of give you an idea about and it gives you some like real world practice on taking the exam gives you an idea of what kind of content is going to be there and where you're weak at, right? So if you understand like, Hey, I'm really lacking in network security, but you know, risk management, I'm crushing and security operations, I'm crushing, but everything else I'm lacking and then it then it tells you Okay, now I need to know what I need to study and even just taking a practice test right off the bat with no studying, right? You understand how far behind the curve you are just any event intuitive, right? And that's for me, where I start, is I'll take a practice exam and be like, Wow, I knew 25% of that. I am not prepared for this, or, wow, I got a 62% I'm really not that far off. Right. It just depends.

Unknown Speaker  59:38  
Okay, yeah, these are some great ideas. And then yeah, also just comparing cyber physical one more time. Like when I think about a lot of the physical security certs. There just isn't the same level of educational content out there for practice exams for tutorials for educational videos. So like one interest

Unknown Speaker  1:00:00  
Same thing as we talked about security plus CISSP compared to something like some of the ASIS certs, like there's no, at least I have my own opinion about those certs. Same, same.

Unknown Speaker  1:00:14  
But even just thinking about, like, the educational content that's out there and available. Like, we're really lucky that for Siri, Security Plus and CISSP, there's tons of practice exams educational content out there, because for some of those physical, physical certs, there's, you have to buy the stuff from Ace. Yeah, you have to buy the stuff from them. All the reviews that I've heard so far are that their practice tests are awful. It's nothing like the actual test doesn't cover the right content, you're kind of just blowing a bunch of money. So

Unknown Speaker  1:00:48  
yeah, sounds about right. That's pretty much right on the nose with that. And I'll just say this, without you know, disparaging Asus, or all the CPP holders that might be listening, but of all the certs that I've garnered as a professional of all the jobs I've done. The one thing I've never been asked is what my AP P even is, I'll just leave it at that I got the AP because at the time, I didn't qualify for the CPP. But, you know, while I've seen it on job descriptions, while people talk about it, not one time as an interviewer even asked me what it is. So let's leave it at that for any younger professionals looking into it. Well, I'll break it down and tell you what it is. It's basically a money grab.

Unknown Speaker  1:01:34  
And I remember when I originally applied for CPP, I had posed the question to one of the one of the Asus certification, I don't know, it's just like an email that you send to it's enough, it's a real person that asked them if reserve time in the Marine Corps counted as full time security management experience. And they said, Well, I can't really tell you the answer to that you'll just have to apply to find out, it's like, you have to pass the bill to find out what's in it. So I did pay the fee, I applied. It turns out reserve experience does count as full time security management experience. So a lot of people out there that may be settling for a PP, it's very possible that you probably meet the CPP experience requirement. So just putting that out there.

Unknown Speaker  1:02:23  
Okay, so we've talked about certifications. Now you gave us some good advice for how to go about studying even thinking about security plus versus CISSP.

Unknown Speaker  1:02:36  
Yeah, before we wrap up our session, were there any other topics that you had a burning desire to talk about? Anything we might have skipped over? I feel like we covered a lot of really cool useful stuff here for listeners. Yeah, I think we hit on a lot of good topics. And I think that I kind of want to gain like your perspective on what made you want to chase the CISSP from someone who is, you know, far into their career in physical security and like, why I guess from like, my perspective, like, I know why I need the CISSP. Right. But I guess for you, and maybe others in your study group, like what is it about the CISSP? That was a luring? And why do you think it would help you in your career is like a late security professional, right? Like, what what can other listeners glean from you wanting to do that? So I think what really has drawn me to it is kind of the same thing that's drawn me to so many other security and educational programs, it's two things. One, it's that I just enjoy learning. Like, I just want to learn something new, just so I could be more knowledgeable generally, because if I have any professional goal, it's just to be someone that a CEO could walk up to, with some type of security challenge. And if I don't have the solution for it, I at least have a broad understanding of what the challenge is how we could potentially go about solving it, and then have the network that I could dive into, or I could call up Kyle or Chris and be like, Hey, here's the problem that we're facing. How do you think I should go about this? So one, it was just general curiosity and wanting to continue develop myself towards that goal. And I think the second one, which has brought me to a lot of different educational programs, too, is just trying to demystify these areas where I know I'm ignorant. So like, even for physical security, like just being able to do some educational programs, just blocking out the time to read a thick book, to dog your all the pages to highlight everything and just demystify something that I was previously ignorant about. For me, that's just something really interesting. So that and also just gives you more confidence as a practitioner, where you could walk into a room with other people who are in US

Unknown Speaker  1:05:00  
similar discipline or other disciplines, and no, you know what, I'm just as competent as just about every single person in this room. And in fact, since I know that I'm continually learning since I have curiosity, I might even be lightyears ahead of some of these other people. So really, it was just about

Unknown Speaker  1:05:19  
having a passion for learning, wanting to demystify some of these topics that I am or was previously ignorant about. And then really just being like a well rounded security practitioner, because also, I just don't want to be someone. I don't want to pigeonhole myself and just be very good at some niche aspect. Because also, maybe this is like a millennial thing. But there's so much uncertainty in the world, I just feel like I need to be broadly good at many different aspects. Because when that uncertainty hits, let's say, I'm working in ERP, the world stops traveling during COVID. Okay, now, what can I do? It's like that sort of thing. No, 100% I think that it circles back to what I was talking about earlier, right. And like, not only having a business acumen, but a lot of the broader issues we're seeing with, you know, sec compliance, even for, like cybersecurity disclosures is that a lot of these board members, and a lot of the C suite, people do not have cybersecurity experience whatsoever, right. And as someone like you who's climbing the ranks in the physical security world, if you ever were to hold a director position, that CISSP shows, hey, you at least know something about cybersecurity. And someone somewhere can attest that you are 85 70.1 compliant, that you at least you know, have domain knowledge in cybersecurity, you might be able to impart something and even like researching, right, so So you do have a broader security issue that comes up and you're working with your InfoSec team, you're not completely like lost in the sauce, so to speak, right. And I think that that's also pretty valuable as well. Yeah, and I think also, we can't always predict like, where our career is going to lead us to, because I never thought I would have any other I never really thought I would touch on like, governance risk and compliance or IT security in any of my roles. And then, you know, with my last organization, that was a very large chunk of what I was doing, by the time I left, and I had no idea of like, leading up to them that, you know, I would be pushed in, I would kind of like, be pushed in a good way into that type of work. So also, you kind of never really know where your careers going to lead you or where your interests are going to lead you. So I just think always better just to develop those broader skills. And also you may enjoy, it's very possible, you may people may enjoy, like, some new aspect that they're learning about, rather than what they're doing currently or previously. No 100%. And I think, I think something else I want to touch on too, is maybe some aspects of like, what I do for work, right. And people might be wondering, like, what is, you know, a cyber threat intelligence analysts do, you know, like, what, what are some of the things you deal with on like, a daily basis? Right, and I think that one of the coolest parts of the job, and I think that a lot of people who might touch intelligence in some way, in the physical security realm might find interesting is that, you know, as a CTI, a lot of the work that some of us do is, you know, reading research out in the open about, you know, newest strains of malware, how threat actors are happening, and then relating that to your organization and figuring out like, okay, like indicators of compromised, right, or IOC is, as we call them, like every losing return from like a malware perspective, right? Like the if we're talking about a piece of malware, there's going to be parts of that malware that are very easily identifiable, like maybe within the malware, it calls out to a C two or what is known as a command and control that once the malware is on the box, it establishes a connection to an external host. And that is known as a C two that an IP address embedded within the code for that C two is in there and we can identify it right? Then we can take that IP and run it through our sim and try to find if it's in our environment, right? And see if maybe there is a piece of that malware somewhere out there on someone's computer. And you know, being able to like take information from the the wild, essentially bring it into your organization and use it to you know, conduct what's called threat hunting, and then trying to track it down. I mean, that's, that's something that, you know, if you're a security practitioner, I think like we always, you know, not only from a protector standpoint, right? I think a lot of us do it because we have like a protective personality, but a lot of us have always had that itch that you can't scratch to be able to like go actively find things and go, you know, search out some of the

Unknown Speaker  1:10:00  
that bad stuff. And I think that's the coolest part about CTI is you're able to kind of enable yourself to do that and sock analyst and see, do you have a lot of crossover at that? We're like threat hunting is a big part of the job. And I think that's one of the the better parts of it. And then to pivot into something else that I think really intrigued me about, you know, wanting to be a sock analyst or CTI what I was looking at different verticals of cybersecurity pivot into is like the investigative mindset, right? Like you might get an alert in, and now you're trying to track down whether or not that alerts a false positive or a true positive, right? You want to know, like, what's going on with that computer? Right? If it's telling me that there is, you know, the suspicious attachment on an endpoint? Well, what makes it suspicious? Right? Is it the Sha 256? Hash, it's firing off on what is that attributed to? Does it say that it's attributed to malware? What are other threat intelligence sources saying, right, and being able to like carrying an investigation from nose to tail, and being able to like really run things down, I think, is probably the best part about the job, right? And like that inquisitive nature of security professionals have always knowing kind of what to ask and thinking like a bad guy would,

Unknown Speaker  1:11:15  
is really going to help you in that in that regard, too. So I think that one thing I really wanted to talk about, if people were kind of wondering, you know, what other roles are out there, that they can use, like an investigative mindset to like a lot of us that were an EP did some kind of maybe like moonlighting pie where Lori did surveillance details, right? I know, I did a ton of them out in like, you know, the LA area. But you know, a big part of it is, you know, where we get all this data on the people we might be observing or, you know, possible threats to like a client. And you know, in cyber, it's not much different, right? It's, there's so much information out there, and there's always someone to be tracking, there's always, you know, a looming threat. And there's always ways to fortify yourself against that, and being a proactive security professional, coming from physical into cyber urine, and you're gonna innately have that trait about you, where you're already thinking in a proactive security mindset. And I think that is the biggest thing that a lot of entry people, entry level people try to break into the industry, either don't possess right away, or maybe try to skip over, right. And it goes back to what I said in the beginning, like, understanding the difference of a risk and a threat. What is a vulnerability, right? How do you defend against those things? What is defense in depth or as eighth? It's called ally, right? The concentric layers of security, right? And understanding how to defend yourself from outward inward and making your you know, security operations more resilient. Right. So I think that you know, from if you're trying to pivot from physical to cyber, that having that innate desire of being a proactive security professional, is going to, you know, help you tenfold compared to other candidates, and you shouldn't discount yourself as an entry level professional, because those skills are, you know, I think one for one.

Unknown Speaker  1:13:08  
Yeah, and I think that's the perfect way to wrap up the conversation, like you mentioned, talking about how the mindset of us working in physical security is so transferable to all things InfoSec, because it all comes back to assets, threats, vulnerabilities.

Unknown Speaker  1:13:26  
Understanding the environment.

Unknown Speaker  1:13:30  
I forgot what I was gonna say. But yeah, really just having that mindset and thinking about the adversaries path from point A, to compromising your assets. And there's different layers of security that are going to be layered in between their start point, and that asset.

Unknown Speaker  1:13:46  
Kyle, I really appreciate you sharing your time with me today, we covered some really interesting stuff, everything from it was really cool to hear your perspective on talking about the your career transition, but then also, like your approach to your approach to moving into a new field, and talking about those transferable skills, and then even talking about the interview process and having a little bit of humility, when you're talking to that interviewer and just understanding okay, if I'm not there today, what can I do to get there from that, and then some of your lessons learned some of the challenges that you've had. And then also just hearing about your career path, too, because I know there's so many people out there working in physical security right now. Or maybe they're thinking about a physical security career. But this is just one more option or set of options to kind of lead them down another path if they just happen to be losing interest and the work that they're doing today. Or maybe even they can make a more valuable contribution to security to businesses to the world being in a different

Unknown Speaker  1:15:00  
An aspect of security. So Kyle, I really appreciate you sharing your time with me today. It was awesome chatting, you know. Thanks, Travis. I really appreciate you having me on and given me the chance to speak about some of these things. Absolutely. Thanks. And that concludes today's episode. Remember, show notes from today's chat can be found online at the security student.com which includes a transcript, links to resources mentioned, and a quick summary of big ideas we touched on today. Final note, if you're finding my podcasts useful, and you want to help me in a very meaningful way, please go to the Apple podcast app and write a quick review stating why you love the podcast.
Share this
FacebookXRedditEmail

Menu

Megaphone
Show Notes: Pivoting from Physical Security to INFOSEC with Kyle Croll | Episode #30