In this next Episode, I was lucky to be joined by Andrew Owlett, an experienced security leader who also makes a project out of coaching aspiring practitioners. He is currently a Supply Chain Security Leader for one of the biggest tech companies on the planet. He’s got nearly 20 years’ experience working in diverse emergency management and business continuity related roles. And he’s earned his MS in Homeland Security from the University of Maryland.
During our chat, Andrew shared some insights around how he went from being an EMT to leading teams globally in Business Continuity and Supply Chain Security, characteristics that make someone successful in his line of work, bad career advice (to avoid), and so much more!
Use CONTROL + F to search the transcript below if you want to learn more!
Transcript from this episode (#15)
*Note: this transcript was generated using automated software, and my not be a perfect transcription. But I hope you find it useful.
Travis 0:00 Andrew, I'm really happy to have you on the podcast today, you have some really cool knowledge that you could share with the audience here when it comes to supply chain security, information security, business resilience. And then it's also really cool that you've been engaging in projects around career career coaching, and helping those people that are transitioning from the public sector or even those currently in the private sector on to some of their ideal and some of their dream security roles. So I'm excited to have you and thank you for joining Andrew. Andrew 1:43 Thanks for the invitation today, Travis. And by the way, I'm not as caffeinated as you're so like I was saying earlier, like definitely boost my energy levels today. Travis 1:55 I will try I'll try not to make you any more nervous. Andrew 1:59 During over here. I'm jittering. Travis 2:02 Alright, so one question that I like to open up the podcast with so that guests could understand a little bit more about where you're coming from is to throw this hypothetical your way. So imagine that you have a magic wand. And this wand gives you the power to change. Any one thing about the security and risk industry? If you have this magic magic wand, what would you change? And Why Does anything come to mind, Andrew 2:30 there are two elements that come to mind, both on different sides of the spectrum, one has to do with like the practice day in and day out, like a little bit more tactically, and then when asked to do it a little bit more strategically. So day in and day out. I think the decentralized tooling that we as an industry use complicates things, I think, bringing decentralized tooling together, bringing all those data insights together from like the 510 Plus tools that as security professionals we use could help things and I'd love to wave a magic wand and just make that happen. Number two, bonus bonus hour with Travis and Andrew today is I think sometimes the the barrier to entry into the profession can be a little bit too high. And what we may look for in a security professional may be very, very specific. I'd like to challenge us to to look a little bit more broadly. And focus a little bit more on the soft skills, the cross functional skills that people have, and then encapsulate the the energy levels from people to help train them on the job to be able to do a security discipline, which of course is really broad. But those those are kind of my two magic one elements that I I'd like to kind of fix. Travis 4:21 Yeah, I really liked the second one that you mentioned around the barriers to entry and security. There was a funny meme that I stumbled across recently. It's a picture of like a fossilized inSec in like Amber and like some kind of ambery like sapphire type thing. And it says like this insect is over 10,000 years old, almost enough time for an entry level position for information security. So I completely understand that and I could kind of see that going around nearly all security roles because in so many roles, really you just need like a fence foundational level of experience. And then so much of it is going to be highly specific to that organization and the way that they do things. So it's kind of like the saying that you hire for attitude and train for skill. So I really, I really do like that point that you make. Andrew 5:18 Well, thanks. And, you know, I'm just, you know, thinking that, as an example, when, when I formed my team and my current role, the folks I have on my team, they range from less than three months experience to over 15 years of experience. And one of the things I learned is that you can take somebody that just has, to your point, a really good attitude, and you can mold help mold them into who they want to be. And that that element of who they may want to be, may not be the same over time, as they discover more about themselves and about the profession. And for me, as a leader, I love that. I love taking somebody's interests in allowing them to run with those interests when they just have the foundational cross functional skills. And just for clarity, when I talk about cross functional skills, I'm talking about the basics of data analysis, the basics of program management, the basics of stakeholder engagement, like, give me the basics, you can learn that technical aptitude with good mentorship and good career development. Travis 6:44 Yeah, I love that advice. And it's like, there's a handful of really important skills that kind of span across all the work that we do. It's delivering information presenting information, it's writing, it's communicating, it's working well, as a team. It's managing projects across time. So yeah, I think those are, those are great points. Andrew 7:07 Well, we're problem solvers at the end of the day. And if you can identify a problem, and then it least foundationally, learn who you need to work with. To fix that problem. Like that. Right, there is a recipe for success. Travis 7:27 Yeah, that's, that's a great point. And now I wanted to learn a little bit more about yourself. So could you share a little bit about the role that you play within your organization today? Andrew 7:42 Sure. So um, when when I was originally hired into my position, I was told, you're leading the stand up of a rapidly growing element within the company that that's going to exceed 18,000 people. And you're going to be in a leading business continuity and crisis management work as the single threaded leader as the one and only leader for the organization, go stand that up. And when I came in, what I realized is that there was even more of an emergent need, and that was in the supply chain security space. So when I say supply chain security, I'm talking about specifically it supply chain security. So I'm talking about investigations, really supplier investigations, I'm talking about real time threat intelligence in the supply chain space, I'm talking about business continuity and crisis management, I'm talking about third party cyber risk. So it's a blend between a little bit of physical security and a little bit of cyber security, kind of bringing those two elements together, and learning how to work with the right people day in and day out to decrease risk to the company. So it's a little bit about what I do. Yeah, that's Travis 9:09 really fascinating that you get to work across so many different areas. Like could you share any, any broad examples of the types of projects or tasks that you might find yourself involved in day to day? Andrew 9:23 Yeah, so I'll talk about one of my my biggest projects slash accomplishments that really foot stomped the need for for this, this work? Actually, there's a couple different instances. One is we've been experiencing a lot of semiconductor constraints over the last couple of years. COVID really pushed us to buy more electronics that put a strain on manufacturers all throughout the world to produce those IT components and the company I work for is not me. you into that by any and navigating through that, at the scale and complexity that that we operate in is really, really complicated. So, within the early days of the semiconductor shortage becoming a thing, and as it kept elevating and bubbling up, I was tasked to lead the executive level effort around how do we manage this within the IT category at our company? How do we, how do we pivot? How do we engage with our suppliers faster and better, stuff like that. So I had to pull from my crisis management background, pull that in, I had to pull in my business continuity background, I had to pull in my, like governance Risk and Compliance background, it was like a whole bunch of stuff, I had to pull in my, my, my appetite for my background in it, and how to navigate like that side of things. So it was bringing all these different pieces together to manage very complex crisis at the end of the day, something that could bring anybody to their knees. So I did that for about nine months. And in that was, and then eventually turn that effort over onto into another team, so they could manage the steady state. But the initial nine months were extremely hectic, stressful, and exhausting. That's one example. Another one is just having foresight or visibility into strategic policy changes that could impact the ability of our company to import export products into different regions worldwide. And that's on the complete other side of the spectrum. Like, one is super reactionary in nature, in some cases, and one is very much strategic and kind of like horizon scanning like a radar to see like, what's the next policy that's going to drop that could impact operations at the end of the day. So there's definitely different different elements. I mean, it goes from tactical to strategic and back and forth. Travis 12:17 Yeah, that's so interesting. That seems like a pretty awesome experience to have at a time in the world where there's so much uncertainty when it comes to different economies and interacting with all these different nations where we're getting materials and we're getting technologies from so that sounds like awesome experience to that'll be great for you as well, in the future. Hopefully, I Andrew 12:41 mean, at the end of the day, like the geopolitical climate is not going to change, it's only going to increasingly become more complex. And in turn, it impacts the supply chain and impacts how you source procure, deploy electronics, specifically in the area that I'm in. And if you if you can't get that stuff you can operate. We're technology technologically dependent, and everything we do. And yeah, so it's definitely an interesting world to live in. Travis 13:16 Yeah, that's such a critical role. And also, I wanted to ask you, like, could you paint a picture for us for what your career looked like leading up to the role that you're in today? Like, how did that? How did that journey start? And how did it bring you to where you are today. Andrew 13:34 So I want those that are sitting at their computer, or if they're on their phone to pull up a note, or to pull up some sort of sketch pad, and I want you to start at the bottom left corner, go straight up, and then zigzag all the way up to the right. Just keep going back and forth. And drawing like the most obscure diagram. That's how my career has been. It hasn't been linear by any means. When, when there's been opportunity, I'm extremely curious. And I raised my hand and I jump on it. I've never been the type of person to say, No, I can't do it. And I can't figure it out. It's more along the lines of, I want to know more about this. And I'm going to dig into it and I'm going to pull in the right people. And I've never been the type of person to be too good to raise their hand or to be too good to be really tactically in the day to day to be too good to you know, talk to anybody. And it's really, really paid off because it's allowed me to zigzag and learn more and more. I'm also the type of person not willing to just settle for the status quo. I do things different I, I place a very, very big emphasis on development of People First over anything, and then everything else is secondary to Do that on the day to day. So. And that's one thing that I learned early on is, you know, through the leaders that I've had throughout my career, you invest in your people, and you really spend a lot of time with them. And, and that's, that's what makes it worth going to work every day and doing everything. So I'm not linear, it's been a zigzag is kind of the moral of the story. And that's okay. Travis 15:28 Yeah, I like your advice, because, like, it's very hard to add some kind of like tangible number when it comes to like retaining talent and building people up over time. But it's so valuable to the organization, when we have people with all of that really deep institutional knowledge that have been there, for example, at maybe the start of a particular program and saw sauce or saw, like any particular project and from start to finish, because that institutional knowledge is so critical to retain over time, it just want it, it's highly efficient, saves us a ton of time, too, it's great to have those team members that have stuck around for so long, that have all that knowledge, and it kind of empowers and like inspires the rest of the team to realize, hey, this is a team that I could stick around with for 357 years, because I could see how much everyone here is continuing to grow. And they've grown so much since day one with the organization. I like your point. Andrew 16:27 Yeah, and right there, it's like the biggest thing, like you have to give your team members those development opportunities. And if they don't have them, then you know, don't don't hold them back from leaving and going to do something else encourage them to and support them too. As much as that hurts as a leader. If you just can't give them those growth opportunities in place, that's one of the things that that I know I have had to learn over time is in some positions, like, you're you're capped out where you are, and you you can't go up any further. And that's, that's like one of the biggest things like as a leader, those need to know, because when they just kind of say like, let me help you out with something else. That's okay. Travis 17:15 I like that point. And I could definitely relate to instances that I've seen over the course of my career, where maybe a manager kind of won't call out the elephant in the room, which is that certain team members have grown up to a certain point. And maybe there's nothing for them to continue to continue their growth, and to continue gaining more responsibilities. So I really think it's kind of an ideal for security leaders. And for managers to call something out, call something like that out so that you could initiate those conversations with your team members and help them grow, whether it's moving into another program or a mother or another department, or maybe that's them moving into another organization where they can continue to grow and not necessarily like reach a plateau wish point. Andrew 18:05 Yeah. And it's, you know, it's not fair to them, either, right? If you just lead them along, and you're not honest and transparent, and you don't try to, you know, help them out to develop them. So yeah, good point. Travis 18:21 Thank you. And next, so I wanted to ask you a little bit about was there anything that inspired you and kind of got you initially on the track to working in the security industry, Andrew 18:34 you know, one of the biggest things so I never viewed myself as a security professional. At the end of the day. I, it wasn't up until about a year and a half to two years ago, that I started viewing myself that way more and more, I just viewed myself as like an ordinary program manager, people manager, like nothing other than that, and that was where I went wrong. So I started my career as a firefighter EMT, I was doing Emergency Management slash crisis management planning a little bit of business continuity planning, got exposure and emergency operations, and like in Emergency Operations Center, or security operations center type of format, and really got exposure within my first couple of years into like, Okay, this is how, like security incidents funnel, and these are the stakeholders you need to work with when the ball drops, and you need to go do something that's urgent or critical or, you know, any sort of crisis event. So it's really like a sock, like or a G sock type of element early on, but at a much smaller scale, like local state type of scale. And then over time, I learned about the other security elements, whether it's on the physical security side or the information security side I'm got my hand into secure satellite communications type of work, got my hands into more crisis management and business continuity work, and then started to venture into like, How can I work with more technical products and programs to develop next gen type of security capabilities. So got my hand into like mobile app development with with a security type of function like flair, got my hand into big data analytics and Geospatial Data Analysis got my hand into working with AI ml. A lot of different SaaS products and really like, became like, who, who I think I am today is more of a risk tech strategist, mixed with a large like people leader component. But just I'm just kind of kind of like learned about the different elements, got my start in local fire department, running into burning buildings, and then just kept raising the hand, like I said earlier, like, that's been like instrumental for me. Travis 21:05 Wow, that's such an interesting journey. So you started out as an EMT, supporting fire and then working in an operation center, doing crisis communications, business continuity, then jumping into analytics, app development. It's really cool how your career has progressed and touched so many different areas of security. I just think that's, that's really cool. Andrew 21:29 Yeah, well, it's been a it's been a journey in the last two years touching, touching the, the third party cyber, like space as well like, and just getting exposure into that. And along the way, like learning about data centers, and like, security of data centers, security of just comms communications in general. I mean, it's, I'm probably forgetting about a dozen other elements. But like it, it really has opened my eyes into, like, security as a profession is so so incredibly broad. Like there are so many different players that have to come together, learn how to work together, learn how to, you know, just just have those basic columns to share information, like as a foundational element. And like, everybody is just in a completely different like lane. So like, my view would have now in the view, I've been taking us like, how do I take all those lanes and make sure they're talking? Like, make sure that they're exchanging the right type of information at the right time? Like that's, that's an area where I'm really interested in now, after I've gotten exposure into all these different areas. Does it make sense to do that, like, that's the other question. Just like things that go through my head. Travis 22:54 Yeah, and if there's one big thing that I hope people take away from this conversation, it's also seeing, maybe like being inspired to explore other aspects of security, because so many of us, in our day to day, whether we're working for small organizations or large organizations, we tend to be focused on pretty narrow, narrow projects. Maybe it's doing a physical security assessment, maybe it's conducting Threat Assessment investigations, maybe it's a number of things. But I hope people can get a little bit of inspiration to go outside of their comfort zone, and learn a little bit about some of the different diverse, like subfields insecurity, so that as they continue to develop and progress in their careers, they can be that much more valuable when business executives come to them with security issues, because they'll understand how different departments interact with each other. And some of the minutia between the tasks that the tasks that get carried out to solve security problems. So I hope people can really take that away from our conversation today as well. Andrew 24:01 It makes you more marketable, makes you more understanding, like, as the biggest piece like I'm more understanding today, then I was 17 years ago when I started my career. And what I mean by that is like, having seen a lot of the different working elements and at being being exposed to fortunately, like a lot of different leaders in different like industries, like I can start to put on their shoes and understand like, if this thing happens, this is what they're doing. And this is their main priority. Just understand and trust that they're doing that and engage at this point, to get those updates to share information or to get involved like it's just it's such a massively orchestrated type of element, like security as a function across a room. really big enterprise like, and you don't want to slow things down either, like, security is mission critical. Like we would use that terminology in the government, like something's mission critical. Like there any military, you know, any, any ex government people out there, though, will understand, but you don't want to get in the way of that, especially when lives and customers and people are like going to be impacted. So, like, how do you work fast? I'd say, you know, you get to know who your people are that you're working with every day, put yourself in their shoes, and that helps you be more empathetic when something bad happens. Travis 25:39 Yeah, it's so important to develop that broad security knowledge. And next, so now we'll get into more of the fun part. So I wanted to ask you, how has a failure or an apparent failure throughout your career helped you has set you up for later success? Like have you had a favorite failure that you've ever encountered that made you more successful somewhere down the line? Andrew 26:06 I probably have a we could spend two hours on this. I have failed. So many times. It's it's my proudest thing to talk about failures after they happen while they're happening. Because you learn so much when you're when you don't do something, right. Like I mean, you'll learn how to not make the same mistake twice. And I'm going to talk right now about something that may sound really silly to some. But it really, really provided a perspective to me, that that I've carried throughout my career now. So I was I was working for the US Army as a contractor in an emergency operation center and the leader of the part of the army that the command we were in was was a two star general and I had the fortunate interaction with him at least three to six times a week in the operation center that I worked in. And anyway, we supported we supported the warfighter day in and day out, we got updates from across the army, and they were critical updates that we would have to relay. And I mislabeled, one of those critical updates. And I also completely typed out the wrong type of information in the update and send it sent it out to to the two star general. And within about 10 minutes, the chief of the operations center comes running in this like Andrew, what did you title that email? What did you put in there? Like, did you even see what you sent out? spelling errors, wrong title wrong distribution lists, like so many wrong elements. And I learned that was, let's see, I've been in my career. 17 years. That was about 12 years ago. So it was like five years in and my first like, big exposure and Emergency Operations Center. And I said, Oh, no, I, I just completely messed up. And I tried to recall the email from Outlook. And I tried to clean up the mess, but I couldn't. And I just fell on the sword. And I said, You know what I messed up and tried my hardest to fix it. But the critical lesson that I learned is that the stakes are high. And time is of the essence, the one of the most critical details, the most foundational critical detail is communications. And if you don't communicate the right things to the right people in the right way, things can just go down the drain. And I learned that really, really quickly. And what that forced me to do is learn how to write SOPs or standard operating procedures learn how to create like templates that weren't previously created to the next time we can move faster and better to situations like that. And they were more templated so I mean, what came out of that was a great learning lesson, great additional experience that I didn't have before. But it was also extremely embarrassing. So that's one of the failures that I had Yeah, no Travis 29:39 pressure at all sending emails to the two star general Andrew 29:45 it was it was a no as as the young I mean, goodness I'm not that old now. But I mean, as a as a young like person in their career and like it was it was like devastating like to send me but at the end of the day, I mean, what's pretty cool is that bout to two years ago, I was a DOD civilian in the intelligence community. And I worked with a four star general. And I never made that mistake again, all my stuff was polished because I learned that foundational lesson of like, make sure things are polished in place, make sure you know how to develop procedures and communications and you know, how to talk to people and work with people and all of that. So that was even more stressful, even though I had the experience, it was one of those things that you just kind of learn and you don't forget. So anyway, Travis 30:45 yeah, I can think of a similar mishap that I did early in my career, too. And it was around. So we were having some kind of technical issue with devices that we're using, and I had to send an email to one of the chief technology dudes, and required me to capture a screenshot of what the issue was. And when I took the screenshot, it had a little, like, in one of the corners, if you looked at it really closely, it had some info that maybe his department didn't need to know about. And then the manager emailed me like to like, probably, like 60 seconds later, and was like, Hey, I saw on that screenshot it had it included information about blah, blah, blah, blah, blah, can you be a little more careful? If you send anyone a screenshot from this computer in the future? I was like, Yes, I will. And I've not made that mistake in the past five years. So I'm doing much better now with my screenshots. Andrew 31:42 You know, I think one of the things that when you work in a sock, or a G sock or any sort of operations that are And granted, like, like, let me let me even walk this back a little bit. Like, if you're like a boots on the ground, like security professional, whether you're doing executive protection, whether you're doing like active threat assessments, whether you're an armed guard, or whether you're a first responder, whether some anyway, like the stakes, when you're on the ground are completely different, of course, but like learning that firsthand, really allowed me to kind of find my, my Musa, like my, my, my like center, and everything, because you learn about what stress is, and what to get worked up on and what not to get worked up on. And I say that to everybody. Because like it, you get a very wide view, you're very tactical, you're very, you're very like involved in like incident response, emergency response and stuff. But at the same time, like when you leave those environments, and you're doing something different, whether it's a planning function and investigations function, Intel function, maybe something else, like it's just it's a different environment, when you're not in like an operation center, and you really learn, like what to get stressed out what not to like, if an email goes out, and like it doesn't have one person on it, and like people are blowing smoke, you're like, come on, like, look, what we deal dealt with before, like that was life or death that was critical, like, not including somebody on like a day to day, like the status update thing that's not like life or death. And you kind of just brush it off. But anyway. Travis 33:30 Yeah, that's a very good point when it comes to, like maintaining perspective when it comes to different issues that we encounter. And yeah, not not a, you know, having a short memory when, when it requires it so that we could get back to the job and not just continue having anxiety over some small issue. And then next, so I wanted to ask you this. So in working in resilience and business continuity and supply chain, are there any particular competencies that make someone more or less successful, for example, like if someone's out there, and they have an interest in in resilience? Like are there any particular skills that they might want to write down and start pursuing? Andrew 34:17 Yeah, so I think we've kind of danced around this one a little bit. But I'm just going to come out and say, like, learning how to communicate with people, like it's a soft skill, but it's so incredibly important. Like, I can't like jump up and down on this enough. Like, be respectful of people and people's time, and learn how to ask the right questions to people. That's number one. Number two is learning how to manage time learning how to manage a program, and that does tie into coming indication. But it also ties in the time management and also like requirements gathering, understanding, like what goes into a program or a project and breaking that down into feasible, like elements of timeline and level of effort and stuff like that. And then number three is learning how to take data and interpret it, visualize it, and then communicate it. Like, it's so incredibly important to number one, establish metrics and KPIs and then learn how to kind of communicate them out and tie them together, I'd say, is really, really important. Sorry, I have a fourth and this is a bonus one, I'd say, become tech, curious. Like, if you're doing something day to day, and it's the same thing day to day, chances are tech can be able to do that for you. So you can focus on something more exciting. And it doesn't have to be, you know, like $100,000 a month solutions, like they have to like find all this money for it can be something like super simple using macros using automation tools, and Outlook or like whatever. But like, like just just become like tech aware of like, what the different tech is that's out there, how can make your life easier. So you can do cooler things at the end of the day. So those are, those are the three plus one for a bonus for Travis 36:39 you. Nice. Yeah, I like the bonus there. So being tech curious, this is something that I've kind of experimented with a little bit this summer, so on Coursera. on Coursera, Google has an entire course that's, I think it's called a crash course and learning like basic Python programming. And I still haven't finished it. But I did like the first five or first four or five weeks of content. And it was really cool to learn about like all these really basic menial tasks that we tend to do day to day, maybe it's interacting with spreadsheets, or doing like other mundane tasks, that could all basically be automated or that could be facilitated and save you a lot of time with just some really basic scripting with Python. So I think that's a really cool idea. And there's so many free or almost free courses out there. Like I think Coursera is something like, I don't know, maybe like 30 bucks a month, if you want to get the certificate at the end instead of just getting getting the information for free. So yeah, I really encourage people to check out Coursera or some of the other open online learning platforms, because there's really unlimited content out there when it comes to being tech curious. I really liked that point. Andrew 37:56 Cool. That's awesome. Yeah. And then Travis 37:59 also, you mentioned requirements gathering, I think that's another really important one, too, because I feel like there's some times where like, someone will come to you with a task. And they'll tell you that it's super urgent and this and this and that. But then when you actually when you finally sit down with them and begin your intelligence, your your requirements gathering. So understanding what the problem actually is, what the deliverable is supposed to be, and all the different elements that are involved in in, in the project that they're doing. I feel like there's so many times in my career where I've sat down to do those requirements, gathering tasks, and then you you end up learning that, oh, this project actually isn't that urgent, because the stakeholder doesn't even know what they need. Or so I feel like that's a really important point, because so many times someone might have some kind of almost emergency or wannabe emergency because they got a task from their boss. But then when you get down to it, you find out, Oh, the stakeholder doesn't really understand what they actually need. So then you could prioritize your other projects that really are emergencies. So that's just one point when it comes to requirements gathering. Andrew 39:11 Well, it allows you to not over commit and under deliver to because you really learn about the ins and outs to your point, like if you're dependent on a stakeholder and they don't know what they're supposed to do, how they're supposed to do it or how they fit into the picture. You're going to spend more time explaining that to that stakeholder later on than if you would upfront and get their buy in and support it. So, I mean, it's one of those things that, you know, it's helpful to break stuff down and be honest with people about like, this is what you're asking for. This is what I see fits into that ask like, is this what you're picturing too? And they're either gonna be like yes or no, and then you become aligned, and then you execute. So Travis 39:56 yeah. Yeah, and it just gets back to your point. went about communicating with people. And in this instance, really, it's more of a skill of interviewing and eliciting information. So it all ties back to your earlier point. Now moving on. So there's many young and aspiring practitioners that are listening today that are working in the security industry, or maybe they're about to begin their career in the security industry. Is there any advice that you would like to share with someone who's in that type of position? Andrew 40:29 Um, I think we've, we've covered it a couple of times. But like, for me, it's been a zigzag of a career. And that is contributed to just raising my hand and being open to change, or opportunity and being open to learning something new. And maybe I don't really fully understand it or know it. Learning and being curious about stuff really goes a long way. And I mean, we talked a lot about that today. So that would be my biggest thing. Like, don't be afraid of those opportunities. Don't be afraid be coming uncomfortable. When you're when you're uncomfortable, it's a great opportunity to lean on your network, to lean on your mentors, to kind of say, like, hey, like, this is total foreign territory, like help me like, where should I go? What should I read? What should I learn? Who should I talk to? And, yeah, that'd be my biggest word of advice, like, just raise your hand, just do it? Travis 41:36 Yeah, that's an excellent point. And I can think of so many times where I've relied or in some of my past roles I've relied on, really like people that I've met over 10 years ago, that we're in different roles, like one of my friends, he's almost like a, he's almost like a virtual CISO for me, where I could call him about any number of different InfoSec challenges or questions or questions about different technologies or software. And he's given me so much awesome advice. And then, likewise, when he comes to me with maybe questions about different investigative challenges, or investigative tools, then I could help him again. So I do love that point about developing those networks, where you're helping others. And then when you need that super niche, help about some skill set that you're less familiar with, they're there to help as well. That's great point, for sure. And now, so Andrew, I wanted to ask you a little bit about your projects when it comes to career coaching and helping security practitioners. So could you share a little bit about some of the projects that you have going on when it comes to coaching? Andrew 42:44 For sure. So there's there's actually quite a bit going on in that space. First and foremost, like I, my side, business, Outlook Career Services is fully dedicated to helping folks career transition, focusing in on a lot of public safety, because that's kind of where I came from, but also helping so many others. And I offer free resources off of my website, resume template, cover letter template, career, soul searching type of template, career journey, templates, like, stuff like that, and I'm looking to add many more. So shout out to those listening, if you see something or that you're like, wow, or if you think of something and you're like, wow, I wish I had that for my career, like hit me up, and I'll create it for free. And like putting it out there for others to use. But the free side is one side. I also have a whole nother side of my business that's paid, paid coaching sessions to help folks career navigate to have that kind of neutral party really push someone really motivate someone, if they're going through an interview, if they're looking for jobs, stuff like that. I have a course coming out later this year, that has self paced videos and like workshop type of elements to help people learn more about what's involved in a career transition from interviewing, to networking, to resumes, cover letters, technical, like interviews, the list goes on and on. Last but not least, here's a couple of things I'm on exploring right now that it's getting pretty serious with two recruiting firms that, you know, you work with me and I have conduit into two recruiting firms that recruit for security professionals that that I can help if you're looking to transition pinpoint you to you know, open jobs that that you can have an in like so. There's some stuff I'm working on there, as well and as an element of that Future. Travis 45:01 That's really cool. I admire that career path, because that's kind of something that I've even considered like maybe down the road. Because one, it's always really cool to interact with younger professionals and help people, like have some kind of breakthrough, whether that's like an actual breakthrough in their career, or just like the way that they think about their career and different aspects of their career. And then to also, I just think that's like the most, like the most rewarding, and like, most empowering thing I think about working in security is really just being able to help other people. Andrew 45:37 Yeah, it's, it's awesome. Like, I think the this month alone, I think I've had like, probably about 20 messages from people that I've been able to help over the last like, couple of weeks with, like, here's a template, like with some instructions, like and they're like, oh my gosh, like, this is so helpful, like, Thank you, or through coaching, like, I have a difficult interview coming up, like, helped me like refine my elevator pitch, or help me with like, these specific questions, and let's map them out. And like, get some bullets together and stuff like that, anyway. Like, it's just been like, a tremendous opportunity to bring humanity back into all of this, like, like, everybody at the end of the day has different motivations for wanting to leave a career or try something new, or navigate into unchartered territory, you know, the list goes on and on. But everybody has a similarity. And that's that were people like, naturally, like we, the people I work with, they all want to do good. They all want to make an impact and positively like, create, like, an environment for their family, the lip, oh, at times, or for themselves to live in. It's, it's really cool, helping them through that and seeing their success. It's what keeps us motivated every day. Travis 47:01 I like that outlook, because, yeah, we're not robots. So our interests change over time. Our needs change over time, maybe we want to spend more time with family and more income isn't necessarily a thing. So like, there's so many different aspects that change about us as humans that touch back to our career. So I do really like that outlook. And next, so when it comes to your coaching, are there any particular books or like resources that you find yourself recommending the most Does anything come to mind? Andrew 47:36 When it comes to coaching, or security, no, no books really that, that I recommend off the top of my head. But there are three books that as a leader that that I love, learning more about reading, I'll just name them off. So one is the lean startup. I love working in like super lean environments where you can build quick and deploy quick like, that's one of my biggest passions is building something and then turning it over building and turning over. Like, I love that. And the Lean Startup really, really capitalizes on that the second book is seven habits of extremely effective people. Just learning how to have how history has shown, like the effectiveness of people and how they operate it. And it's fascinating. And last but not least, atomic habits, really, micro habits over time how they compound similarly to, if you invest a little bit early on into the stock market, and you you know, continuously invest, you know, that compounds over time if you invest in the right stock. So I find that fascinating, like you could do something so small today, but over time, it will just become the best habit, hopefully, unless it's a bad one. So I mean, those three books not security related, maybe career personal development related on the last one atomic habits, but those are some of my favorite books. But up bonus, I, I love, love, love. Learning about real estate, learning about investing, learning about business like that is just a passion of mine a little guilty pleasure. Like, where I invest a lot of my time and energy outside of work in addition to like learning about security, it's like learning about those disciplines. So like, there's so many books, like in that area that I just love. So Travis 49:39 I gotta ask you one more than Do you have a favorite financial or real estate podcast? They listen to you or something similar? Andrew 49:47 Oh my goodness. So I just I have a whole audible list. It's not really not really a podcast but I am fascinated with the $100 Startup, multifamily millions The Four Hour Workweek and Rich Dad Poor Dad like I, I just love like, like the mentality. I think it's just so incredibly cool. From a podcast perspective, I've listened to something called bigger pockets. It's like, really, really popular podcasts. It's out there, but it's super energizing. are now podcasts that yeah, podcast. Sorry. But there's been some others. But um, I just love like the energy coming out of bigger pockets. So yeah, that's a little bit about that. Travis 50:35 Yeah, I love those recommendations. I've read a handful of these. And some of them are my favorites like, atomic habits by James clear, I've read like, well, I've read, I've listened to so many audible books about habits. Like there's another really popular one. I think habits by Charles his last name starts with a D. Like, he has like a really extensive book about habits too. But I thought it was so dense and like very difficult to relate back to your life. But the way that James clear writes in atomic habits, makes everything so simple, and so relatable back to your everyday life. And then plus, a lot of that relates back to security, because in security for those things that we could make convenient that we can make easy to do. Or maybe, maybe habits that we don't want people to create, and we make things difficult and we make them out of the way. I feel like habits is so central when it comes back to security. And then you mentioned for four hour workweek to for me, that was like probably one of the most important books I ever read, even though I didn't, I probably only did maybe 1% of what he ever wrote in that book. It was more about like getting you to think in a different way about work. And I have a feeling if I probably didn't read that or if I never listened to whatever Gary V's first book was, if I kind of hadn't gone down this ridiculous rabbit hole of like, unusual entrepreneurial type books, I probably would have never started this podcast never started a blog, or any of that. So yeah, I highly recommend four hour workweek even though Hackett's probably reached, like its 10 year anniversary by now. Andrew 52:16 Yeah, well, what? So two quick things, man, let me just say, like, atomic habits, I never drew the line to security until today, when you connect to that dot, like it, but it's so true. And everything that everything that my team does, we try to weave in a security element into the DNA of the business like, it's, and we want to do it with the least amount of resistance possible, but still maintaining, you know, that really high degree of security posture. And like if you start small, and do like little change management related things over time, like little elements with people, like it really goes a long way. And you probably go further than trying to shake up the entire like company or the entire work. Sometimes you may need to do that like, but, you know, oftentimes, like in preventative like type of security measures you may not need to so, ya know, I love the correlation you drew there and four hour workweek forced me to rethink a lot of things and like you, I probably, you know, implemented 1% On my side, but like, the biggest thing I learned with my side business is like instituting mechanisms, like really early on, and it has been incredible, like the outsourcing piece of certain tasks that Tim Ferriss teaches, has allowed me to really balance having a full time job, having a side hustle, starting a family, like I wouldn't be able to do and that's not in the right order. Of course, it's starting a family having a full time job. Just to be clear, in case my wife, you know, lessons and everything I don't want to get yelled at. But you know, it's it's, yeah, it's one of those things that mechanisms and like process and outsourcing is just so incredibly important to learn. So yeah, Travis 54:12 yeah, we definitely have a lot in common when it comes to that aspect. And then, next, so I wanted to ask you getting back a little bit more to career coaching and some of your projects in helping people in their security careers. Is there any bad advice that you hear people using or or kind of spreading when it comes to careers? Like I don't know, maybe could be any number of things about like, the way that they approach interviews, or the way that they design resumes or the way that they I don't know go about applying like, is there any bad recommendations that you see that are common that maybe people should try to avoid? Andrew 54:50 So couple of things. I think of two right off the top of my head it made me mature into three may get that bonus third one I'm like he'd been getting today. Um, but number one, if you don't like something, find a way out of it. Don't don't stay, don't stay where you are for 10 years if you're if you're not loving what you're doing, like, say, figure out a path and do something else. Like, if it's where you are great. If it's not, then you know, find that path. I say that because some people say like, you have to be in your position for X amount of time. And you have to do this for x amount. And no, you don't like, at the end of the day, if your well being is suffering from not liking what you're doing, don't keep doing it, figure out a path to leave. Don't bring everybody down with you when you're miserable. That's not good. But figure out a path to leave. Now, number two, is some people, you know, have different styles of like preparing for an interview. One of my biggest things that I tell people is you need to invest the time you need to prep your first impression, whether it's how you look or what you say. You need to have that intro like really, really solid. It's your elevator pitch. It's your it's your demeanor, it's your energy. Bring it to the table. Some people are like X Wing it you'll figure it out. Nope. Don't do that. Nope. In your elevator pitch, don't tell me about your family. Don't tell me about your you know, long lost cousins. Don't tell me about what your favorite food is. And like, go down the whole list of restaurants that you love. Trust me, those are things that I've heard being an interviewer. Tell me, you know Who who are you personally and professionally in 30 seconds or less. And that's a lot harder to do than one thinks it takes practice. And a good interviewer can read between the lines if somebody knows who they are personally and professionally in 30 seconds or less and who doesn't? So practice that first impressions really do matter. Travis 57:02 Yeah, I love that advice. Like I could think back to some interviewing some interviews that I was doing about four or five, six months ago. And like, the great thing about doing some of these virtual interviews is that during the interview, I have my notepad right next to me where I have some handwritten notes. I have one of those giant post it notes that they sell at, like Staples, I'm sure it's like 30 bucks for a pack. It's like a foot by a foot wide. I have a giant post a note that kind of like, walks me through a logical flow of something that I know I'm going to have to explain when they start jumping into like more detailed questions, especially around like, technical aspects. So yeah, I think that's awesome advice when it comes to walking yourself through all of the steps and all the details that you're going to have to go over during the interview. Because yeah, you're not just going to wing it and come off as someone presentable that they that they want representing the company later on. And then next, you also mentioned about like, how being thoughtful and having a path for leaving an organization and not staying there for too long. I love that point. And I could think of two times in my career where I was at an organization for three years, four years, five years plus, and then really just like, gave them my two weeks or maybe even more and then took a sabbatical for several months. And you know what, like, when I found when I found new roles at the end of my sabbatical, it actually wasn't that difficult to explain to the new company that I was going into that. Yeah, it was time to leave this organization. And yet during my sabbatical for the last three months, four months, five months, here's what I did. I earned this certification. I read these books, and then I took off some time to myself just to travel and kind of unwind. So I think people should also consider something like that. Maybe that's not for everyone. And maybe, I don't know, if you're less disciplined, maybe that's not the ideal route to go. But I do think that is something for people to think about when you talk about that path to leaving an organization. Unknown Speaker 59:10 It's a great point. Yeah. Travis 59:13 So let's see, as we wrap up our session here, Andrew, are there any final thoughts that you want to want to share with security students and practitioners out there? Andrew 59:25 Um, no, no thoughts. Besides, if you're listening today, connect with me on LinkedIn, let's talk shoot me a message. Let me know that you listen to the podcast and say, Hi, I'm open to connect with literally anybody in the world unless the first word you say is I want you to buy my product. So wait till like the third or fourth message to say that. But yeah, just, you know, shoot me a message and say, Hi, I love meeting new people and that's how we learn and grow together. Travis 59:56 Yeah, that is excellent advice. And Andrew, I really agree. shake you sharing your time with me today we covered a number of really cool topics. When it comes to some cool books that you recommended. You talked about the importance of being a really like people skills when it comes to communicating when it comes to understanding stakeholders, desires, the things that they're trying to accomplish. And then also really kind of helping people understand that their career path could go any number of ways. They might be an EMT, they might be working in fire service today. And then next thing they know, 17 years later, they're leading programs in it resilience and supply chain. So I think that's just a really cool thing for all of us to think about. And Andrew, I really appreciate your time. So thank you for joining me today. Andrew 1:00:48 No problem. Thanks for awesome opportunity, and it was great to talk with you. And Travis 1:00:55 that concludes today's episode. Remember, show notes from today's chat can be found online at the security student.com which includes a transcript, links to resources mentioned, and a quick summary of big ideas we touched on today. Final note, if you're finding my podcasts useful, and you want to help me in a very meaningful way, please go to the Apple podcasts app and write a quick review stating why you'd love the podcast.