Is It Even Possible to Fast-Track Your Way Into Cybersecurity?

With one simple training course, in just 8 weeks, you could have a good-paying job working in cybersecurity. Too good to be true? Well, it might be true, but very rare. So, how does it happen? And is a fast track into cybersecurity even possible?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining us is David Cross, CISO, Atlassian.

Got feedback? Join the conversation on LinkedIn.

A huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Full Transcript

Intro

0:00.000

[David Spark] With one simple training course, in just eight weeks, you could have a good paying job working in cybersecurity. Is that too good to be true? Well, it might be true, but it’s rather rare. How do we make the fast track into cybersecurity more common?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me as my co-host, who you will hear a lot more, it’s none other than Eddy Contreras, senior EVP and CISO over at Frost Bank. Eddy, say hello to the audience.

[Eddy Contreras] Hello, audience, and David, thanks for having me back.

[David Spark] We love having you back. Our sponsor for today’s episode, a phenomenal sponsor with the CISO Series, it is ThreatLocker, Zero Trust Endpoint Protection Platform. And we’ll be talking about that a little bit later in the show. But let’s get to the topic at hand.

Now, we’ve talked a lot on all our programming about how to get into cybersecurity. Online influencers will be quick to tell you you’re a boot camp away from getting into the industry, something both Ira Winkler and I actually questioned recently on LinkedIn.

Now, there are some boot camp success stories out there, but is the backlash against influencer promises, like, you know, “I’ll get you a job soon,” just that they are selling snake oil? Or is the industry itself just hard to get into? My question to you, Eddy, and what we’re going to be talking about throughout the show, is there a way to make fast tracking into cybersecurity possible? And do we want it?

[Eddy Contreras] You know, fast tracking hits every industry. And think about cooks. At some point in time, the flame, it was the way that you cook things. And then, when you moved the flame off of an outside pit into a stove, and then you went electrical. And then we introduced microwaves, and then we introduced air fryers. And all of a sudden, things just about quicker and quicker.

But then people started talking about quality. Well, what’s the difference of the food depending on how you actually cook the meal? And I think that’s something that’s going on here, right? Yes, there’s ways you can get into the industry quick. There are ways that you can arrive with enough information to be successful. But there’s also quality and there’s things that can happen that would maybe challenge your ability to be successful. But there’s also things that could happen to make you be successful.

So I think it’s not an easy cut and dry answer that fast is not an answer for most people, but it is an answer for some. And so I think there are ways to arrive on the bullet train, but you have to understand where your end destination is, what type of flavors you want with your meal, and if you’re okay with those types of flavors. So I think you just really have to understand your ecosystem to know is fast for you?

[David Spark] This is a great setup for our discussion. Thank you for sort of isolating like that. And we have a great guest who we’ve had on many times before, one of our favorites. He is now the CISO over at Atlassian, none other than David Cross. David, thank you for joining us again.

[David Cross] Well, it’s great to be back, and I’m working on being the five times at Defense in Depth so I can get my Defense in Depth kind of hoodie. So working hard on that.

[David Spark] We need to get one ourselves.

[David Cross] Exactly.

What are they looking for?

3:29.663

[David Spark] Bill Schneller of Geffen Mesher said, quote, “I don’t think security is an entry-level job.” And we’ve heard this a lot. Bill goes on to say, “There are too many prerequisites you need to know to be good at security, and a boot camp can’t teach you enough of those basic skills in a short period of time. The people I know who got jobs generally spent a lot of time on their own, outside of the boot camp or a program, developing their skills. They weren’t depending solely on the boot camp to learn things.”

And Peter Gregory of Akylade said, “I made my pivot into cybersecurity after a 20-year IT career. I cannot imagine being successful in cybersecurity without that 20 years of real-world IT experience in private industry. Entry-level cyber jobs aren’t in cyber—they are in IT.”

All right. We have heard a lot of this before, but they’re just arguing. And these are usually veterans of the industry, just say, “You got to do it like I did, the school of hard knocks of working through the trenches to get here.” Eddy, do you believe this?

[Eddy Contreras] I believe that if you’re the veteran, if you come from a certain mold, and you’re somebody that says, “Enjoy the pain that I’ve been through,” I don’t believe that if you’re hiring a different mold, you’re looking from a different lens and you’re okay with people entering the market with a different experience. And I think it’s okay to think differently.

So I think personally, my belief would be, no, you don’t need to think like the old-school days. I don’t think you need to earn the rite of passage, so to say. I don’t think all jobs are created equal. And even that last part of the quote, “Entry-level jobs are in IT,” there’s so many jobs inside of security.

And security domains have changed. If you look across all of these programs today, they’re not the traditional programs that were here yesterday. Programs now have identity, they have UI teams, they have mobile teams, they have marketing and training. And all of those things, yes, you can have entry-level jobs. So I like the comment because it’s provocative, but I don’t think the comment is realistic anymore.

[David Spark] Really good point. All right. David, I throw this to you.

[David Cross] Yeah, certainly. I first want to say that I agree with Ira Winkler is that you first get your foot in the door, learn the business, learn the organization, do what it takes to kind of understand it. Because then you know how to work on security for that audience, for that context, that environment, for those type of things.

I think one important point here is that security today is much more complex than it was 20 years ago. I think that’s what you’re saying, Eddy. It’s sort of before, what we had to do for security 20 years ago, much simpler, much easier to get into. Now, can you just say, “Hey, I took a one-week Coursera course on how to look at alerts in the Splunk scene, and now I can take on a SOC role”? It’s much more than that.

[David Spark] So it’s really the complexity of the role, David, that has changed our answer to this question. Back when the two of you got into cybersecurity, it wasn’t as popular as it is now, was it, David?

[David Cross] I think the need was not as clear back then. And if I go back how many years ago, and it’s like, “Yeah, my first certification was a Microsoft Windows NT workstation 3.5 kind of certification,” there was security there, but it’s far simpler and the challenges didn’t exist back then that they do today. So a lot has changed.

[Eddy Contreras] Yeah. And I would also add when this industry came about, they were looking for experts in technology. “Oh, you know how to design a token ring network? You understand about Novell IPX/SPX routing? Perfect. Let me bring you in and you can help us secure this.”

And so you really had to be kind of a domain expert to figure out how to secure the environment. So I think that’s how it originated. And I think that’s probably where you get some of these comments where you do really need to understand the environment. And I think for some positions, that still holds true. But that’s how we cut the ground from origination to today, right? That’s one of those areas where originally you did have to be an expert to get into the field.

Would this work?

7:49.522

[David Spark] So I just want to set up that I had about 15 people comment on my post. Ira Winkler also had his post that addressed this subject as well. And 15 people got a job directly out of taking a boot camp, or knew someone who did. So one common theme that came up was people saying that things have changed, kind of like what you were referencing, both of you, and it might not be possible anymore, possibly given the glut of candidates.

So here are a few examples. Jim Spignardo of ProArch said, quote, “I am an example of said path to IT. Although I had very minimal experience, I was extremely ambitious, invested in myself, and took courses and certifications, and was willing to work for peanuts first to prove my worth. It happens, and it’s what I love about the industry. You can parlay an interest into a career and not have to follow a traditional path,” so like the BS InfoSec, etc.

Stephen Dye, Uplift Cyber, said, “Me! In around 2010-2011, I went from RF/SatCom/SatNav engineer with no IT background to Cyber. I self studied and took the Sec+ exam—highly recommended in about four to six weeks.” And AJ Moir of Army National Guard said, quote, “I know a handful who did take courses and got jobs as Cybersecurity Analysts. Although that worked for a period of time, I believe that window has closed.”

All right. So David, it’s sort of a varying mishmash, but I guess maybe someone who didn’t have a traditional background, and just did a boot camp and approached you about a job, what would attract you?

[David Cross] Well, actually here’s what I’ve been talking about, and kind of the guidance I give a lot of my mentees, kind of asking, like, “How do I break into the space?” So the analogy I like to use, it says, “Hey, let’s say you’re an actor or a model. And so how do you get a job? Well, you show them your portfolio of pictures and work, right?” So I’m saying that, “Okay, you want in to be a pen tester? Show me your portfolio, show me your work. Where’s your GitHub repo? Where’s your blog?”

So I think there’s an element… And I can go back to my own history of, I don’t know, 30 years ago, I’m about to leave the Navy and active duty service, I want to get to cybersecurity or get to the IT space, what am I doing? Am I just going to abracadabra, I’m going to join and get in? No, I’m writing code on a side job in the evenings to get my experience and ready to go so that the moment I leave my active duty, I can get a job.

[David Spark] That is a great example. And one of the things that I say, Eddy, to people trying to find a job, I go, “Hiring somebody is a risk. Prove to them that you are a low risk.” How do you see that, Eddy?

[Eddy Contreras] I love what David said, right? And I think what people do incorrectly is assume that your work experience is a paying job or that your professional experience is a paying job. David said it absolutely correctly, is, “Did you stand up a lab? Are you a part of an open source community? Are you contributing to something? Do you have white papers published?”

You can be invested and have a persona on the web where a hiring manager can go look at your work efforts and say, “Wow, you do care about this.” And I know we’ve talked about this in the past in other episodes, but you have to be committed.

And to demonstrate that you don’t have to show three years of experience, five years of experience at a paid location. You could show, again, these ancillary areas where you’ve devoted some of your off-hour time to some really good projects. And so I think those are areas where if you went to a boot camp and that’s all you have is a certification, but you can point to some of these efforts, it really does pay its dividends.

[David Spark] David Cross here is nodding his head. And I wanted to sort of bring it back to this risk thing that I was bringing up earlier. It’s like when you see these things, you’re realizing this person can do the job, they can do it professionally, they want to do it, they’re eager to do it. Kind of all the things that were mentioned here, these are the things that you want to communicate to the person. Those stories weigh a lot in terms of you feeling secure. David?

[David Cross] Oh, absolutely. Because I think there’s an element is that it’s all about, [Inaudible 00:12:05] say the evidence, but it’s really [Inaudible 00:12:07] that. How much can you tell just from an interview or a talk in a short period of time versus be data-driven, show me the money, right?

Hey, take five minutes, go look at my GitHub repo, go look at my blog, and then you’re going to know exactly what I can do, right? How many hiring managers will turn that down? Because very quickly, they’re going to make an assessment versus what’s written on a resume, which is probably written by AI nowadays, versus go look at GitHub, go look at their blogs, etc., go look at their video logs as well. It changes the game.

Sponsor – ThreatLocker

12:36.549

[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor, and that would be ThreatLocker. As we all know, in cybersecurity seconds matter, precision matters. And that’s why ThreatLocker is upping the game again. The company just launched a new set of solutions built for teams who need to move fast without compromising security.

Okay. I got a lot here to tell you about and you’re going to want to listen in. So it’s zero trust, but without complexity. You’re going to like this. First, with ThreatLocker insights, you get real-time intelligence from millions of endpoints worldwide to empower you to make the best, swift cybersecurity decisions on what applications to allow and what controls to put in place in your environment.

Patch Management? Well, instead of chasing updates and manually approving patches at 2:00 a.m., ThreatLocker takes care of it for you. With the rigorous research and testing you need to stay compliant and secure. Cloud Control? That adds an essential layer of defense, further closing the gaps that phishing and token theft campaigns love to exploit.

They’re also making life easier for IT and security teams with the new User Store, a smart way to give users instant access to pre-approved software while maintaining the strong security of your environment. And for web threats, Web Control lets you block sites you don’t trust or users should not access from the workplace. It blocks unapproved content by category, not URL by URL.

So of course, you still get ThreatLocker’s 24/7, U.S.-based Cyber Hero support. No scripts, no waiting hours for answers, they deliver world-class swift support, responding in about 60 seconds. Now, it’s no accident, that over 50,000 companies now trust ThreatLocker to help them harden their environments against modern threats.

If you’re serious about tightening your defenses and getting a platform that doesn’t slow you down, check out their website. It’s threatlocker.com to learn more. And it’s spelled just the way it sounds, threatlocker.com.

What are they doing wrong?

14:38.442

[David Spark] J. David Christensen, who’s the CISO over at OneSpan, quote, “The lucky ones who managed to land that unicorn of an entry role without experience end up looking like a fish out of water. In my experience, there is noticeable difference between someone who has had time behind the wheel outside of cybersecurity before moving into it, and someone who has no other experience and is taught theory.”

And Brian Rogers of Aerospike said, quote, “The egos within cybersecurity have a deep culture of ‘paying your dues.’” We heard that in the first segment for sure. “It’s an exploitative culture that fails to recognize that when companies don’t want to have a cybersecurity, that those functions often fall on the SREs and Sysadmins of an organization. I’m sick and tired of picking up the slack of the cybersecurity industry because they see themselves as some form of elite fighting force when in actuality, it’s just deep toxicity and ego.”

By the way, this is not me [Laughs] saying this. Brian goes on to say, “Why would I give up half my income to start over when I’m already doing the work of securing systems and organizations as an SRE? Cybersecurity will forever have a staffing problem, not because of a lack of qualified workers, but because the egos involved in cybersecurity mean you never will be seen as qualified.” All right. Eddy is laughing too. Eddy, I will just sort of hand it to you. How do you want to respond to Brian?

[Eddy Contreras] Well, I think we need to send Brian a new keyboard. There’s a lot of capital letters in that quote.

[David Spark] [Laughs] Yes.

[Eddy Contreras] He really worked that keyboard good. One of the things that I look at, and the first thing that I look at is culture. And I understand where Brian’s coming from. And he’s right. Unfortunately, there’s probably a negative stigma around programs where people look at themselves above others.

But that happens in a lot of industries. It doesn’t matter what industry you’re a part of. There’s always a group that feels, “Oh, I’m the approver, therefore I am above.” Or, “I’m a peer review, therefore I am above.” And so, really it is about culture and understanding that while you’re working in a collaborative environment, you need the entire environment to make the decision.

Security is about open conversation, it’s about transparency, it’s about understanding intent, what looks to be delivered, and then how do you secure it together? Because you can’t make these decisions in a silo. And if you walk into that meeting with a chip on your shoulder, with one of these egos, and you walk in there, you know, “I’m mightier than thou,” then, unfortunately, you’re going to run into these types of headwinds where people just do not want to work with you.

And that’s when you get called to the meeting late. That’s when security is the last person to know. That’s when, hey, you become a checkmark and a checkbox as opposed to a collaborator and a designer. You can kind of see, okay, these are probably the programs that Brian’s been exposed to where those egos have an influence of him.

[David Spark] By the way, I want to sympathize with Brian too for a second there because it does sound like he got dumped on in a big way. I mean, we were laughing a little bit through it, but Brian, don’t take the humor I found in your comment to be anything that we were talking down to. It feels that you’ve been beaten up, and I feel sorry for that.

So I want to toss to you, David. One of the things that I thought is the way Brian talks here, I have seen that, but historically, I don’t see it nearly to the level now. What do you think?

[David Cross] I agree. I don’t see it like we did many years ago. Being the DEF CON clubs and different things like that is like… I don’t see that. But at the same time, I go back to the analogies, like, “I want to be on the Olympic running team.” It’s like, “Okay. Let’s show that you can run and you can meet our expectations to be in the team,” right?

So, if I go back to my time at Microsoft, I wanted to be in the product development team, and they said… But I couldn’t get in. So I got my foot in the door. I’m in Microsoft consulting service just to get my foot in the door. But they said, “Well, program manager’s in the product team. They write white papers, they speak at conferences.”

Okay. So I wrote five white papers, and I went to TechEd and RSA on my own dime and spoke. They say, “Okay, great. You can probably do it. We’ll give you a chance.” But oh, the same element, like giving up money. It’s like, “Yeah,” they said, “David, you’re over-leveled for the skills you have right now in this group.” So guess what? I dropped a level at Microsoft and it took me three and a half years to get it back.

[David Spark] Really? Wow.

[David Cross] I had to go from 64 to 63. Took me three and a half years to get it back in the Windows security product group. Did I regret it one moment? Of course not. I did whatever it takes to get in. And I think I did pretty well.

[David Spark] That is a great story right there. I’m quite impressed.

Does anyone understand what’s going on?

19:28.603

[David Spark] Logan Opalisky of Motion Recruitment said, quote, “To be a sound security professional in any discipline within cybersecurity, you need to understand what it is you’re securing. If you want to be taken seriously as someone who can secure a network, you need to know how the network is built. You want to be taken seriously by the developers and AppSec Engineer? You should know how to code. This philosophy transcends cybersecurity.”

So I’m going to start with you, David, on this. It’s really just sort of a communications issue. If you want to be taken seriously by whatever role you want, be able to talk in their language. And it sounds like you were trying to do just that.

[David Cross] Well, absolutely. I think there’s two parts. One is really, do you have the credibility and can you speak the vernacular? Right? Now, as I remember my time a little bit at Oracle, it’s like Oracle is a Java shop, and we all know that, right? And so even on the CISO [Inaudible 00:20:28] on security, if I’m really not credible and have the knowledge of the Java language, how can I really integrate and work with my peers with the same vernacular, the same communication? It’s very difficult to do.

I say the same thing now what’s going on in the world with [Inaudible 00:20:42] security, AI. Can you be a CISO and not understand AI, and understand what prompt injection is, and all the different… How to build models? I think it’s unthinkable. You’ve got to be continually learning and adapting and working with the environment that you’re part of.

[Eddy Contreras] I would agree with that, right? When you think about any job that you’re in, the goal is to have that conversation so you can be a part of the conversation. No one wants to be talked to or… And the way that you could solve that is understand, “What conversation am I in?” And that does take a two-way conversation. It takes for you to ask questions; it also takes for you to listen.

And that’s just whatever job you’re in. So I don’t think that’s a cybersecurity challenge. I just think any role that you’re sitting in, you really need to understand, “Where am I at? What position am I filling? And who are my constituents and stakeholders? And am I doing what’s best for the group?” And that does take a conversation. It is conversation.

[David Spark] I want to bring up one other issue that we’ve kind of all touched upon, and this is something that Mike Johnson, who is the co-host of our other shows, CISO of Rivian… And he’s a little sensitive to the need for someone to have a lab or someone who’s flying to conferences because that requires some finances, and not everybody is capable of doing that.

But there are things you can do for free. Tons of free training online, tons of non-profit groups that are security groups that you can be a part of. Are you sort of sensitive to that concern? Because there are people who want to break in who just don’t have the wherewithal to spend the sort of time and money, and spend it for these expensive boot camps for that matter. Eddy?

[Eddy Contreras] I know where Mike’s coming from, right? You want to be as inclusive as possible, and you don’t want to have a restriction such as funding. But being resourceful is another thing you want. And if somebody can understand that there are resources at your fingertips, it just takes for you to go and look. There are so many free resources on the internet. Conferences are free and they’re all over the place.

[David Spark] And many of them have student discounts too.

[Eddy Contreras] And honestly, all of these conferences, if you go and say, “I don’t have money, but I would like to be here.”

[David Spark] And volunteer too also.

[Eddy Contreras] Exactly. And they’ll say, “Perfect. You want to come in? This is how you come in for free.” And so it takes some humility, it takes to be able to ask, it takes some drive. But I agree with Mike. You don’t want to limit your audience by forcing them to come out of pocket or make some of those significant sacrifices.

But you do want them to think out of the box. “How can I be a part of this community and be a contributor without having to sacrifice my own funds? Let me see what I can do.” And I think that shows some type of innovation. It shows some type of creativity.

[David Spark] Geoff Belknap, who’s the other host of this show, said, “Hack the job hiring process.” Just what you said. David, I’m going to let you have the last word on this. Your thought?

[David Cross] Well, absolutely. I think it’s about, if you look at people, who do you want? And this is where I love veterans, especially in our space, right? It’s all about commitment. It’s about persistence. It’s about drive. It’s about finding a way to get there, and that’s what it takes.

So when you see that, you know that person has the passion and finds a way to do it, those are the people you want because they’re going to eclipse you and go past you faster than you could ever imagine.

Closing

23:53.194

[David Spark] Well, that brings us to the portion of the show, and I’m going to start with you, David Cross, tell me which quote was your favorite and why. So do you have a favorite quote?

[David Cross] I did. I [Inaudible 00:24:02] Logan here, it’s really about understanding what you’re securing. I’m going to use the analogy again of how the attackers live off the land. We want the cybersecurity professionals to also be living off the land. And that’s how you can be best in your environment.

[David Spark] I like that. All right, Eddy, your favorite quote [Inaudible 00:24:21].

[Eddy Contreras] So I’m going to go with Bill Schneller. And it’s not for the reason that you think. I look at that quote as a challenge.

[David Spark] He said, “I don’t think security is an entry-level job.” He was challenging it.

[Eddy Contreras] Correct, yeah. I love the quote because if you’re reading that quote, and you’re saying, “I actually think it is, and I can do that, and there’s ways that I can do that. Looking at what jobs that are out there, what positions are fit for, what are ways that I can land in those positions, I think it’s just a really creative way to find an entry-level spot for me.” I’m always somebody that’s up for a challenge, and that looks like a really challenging quote, so I love the challenge.

[David Spark] I’m going to honestly say Brian Rogers’ quote is my favorite. Because that guy is angry, he’s pissed, and I love it. And I sympathize with you, Brian. So that’s my favorite quote.

[Eddy Contreras] So David, I can’t resist. Then maybe you should have Brian on the show. It’d be quite an interesting one.

[Laughter]

[David Spark] Complaining about [Inaudible 00:25:11].

[Eddy Contreras] He needs a CISO Series keyboard. That’s what he needs.

[David Spark] That’s a great idea. We’ve been looking for new giveaways. Maybe we could do a branded CISO Series keyboard. All right. Thank you very much, David Cross. Let me ask you this question, David. Are you hiring over at Atlassian?

[David Cross] Of course we are. Yes, we are. And we’re a fully remote company. And so, follow me on LinkedIn or other places, and certainly look at our career site. So we do have some great openings, especially in cybersecurity.

[David Spark] And if they say they heard you on the show, that might help in some way. By the way, hack the experience. Prove to David that you’re really eager to do this job. Show him. Don’t just say, “I want to do it.” Thank you also to our sponsor. That would be ThreatLocker. Remember, go to their website, threatlocker.com. Tons of great products they have. They are the Zero Trust Endpoint Protection Platform.

Huge thanks to my co-host. That is Eddy Contreras, the senior EVP and CISO over at Frost Bank, and David Cross, the CISO over at Atlassian. And thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.