Episode #87 - Reshaping Cybersecurity Education with Ed Vasko

This week, the guys welcome cybersecurity expert and entrepreneur, Ed Vasko. Ed shares his insights from decades of experience and reveals a much-needed cybersecurity education model that he has built at Boise State University. With the cybersecurity industry experiencing a severe talent shortage, Ed is answering the challenge by improving the education model with innovative programs that equip students with real-world, hands-on experience. Regardless of whether you're a student, educator, employer, or tech professional, don't miss this episode!

To learn more about Boise State's Cybersecurity program, visit www.boisestate.org/cybersecurity or email cyberinstitute@boisestate.edu.
Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Rackspace Warns of Phishing Attempts Post-Ransomware

Business email compromise attacks going mobile via SMS and social media apps

This Linux-targeting malware just got more powerful

Rash of New Ransomware Variants Springs Up in the Wild

Uber Says Third Party Responsible for Latest Breach

Air-Gapped PCs Vulnerable to Data Theft via Power Supply Radiation

At Least 4,460 Vulnerable Pulse Connect Secure Hosts Are Exposed to the Internet

Researchers Find 63 Zero-Day Bugs at Latest Pwn2Own

Fortinet Urges Customers to Fix Actively Exploited FortiOS SSL-VPN Bug

Experts Detailed a Previously Undetected VMware ESXi Backdoor

Ransomware Campaign Targets Popular Open-Source Packages With Cleverly Hidden Payload

State-Sponsored Attackers Actively Exploiting RCE in Citrix Devices, Patch ASAP! (CVE-2022-27518)

Transcript


welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike rotondo
zach fuller and lauro chavez
hello and welcome to the cyber rants podcast
this is your co host
zach fuller
joined by mike rotondo and lauro chavez
and today we have a special guest ed vasko
who we're going to talk with in just a moment here
after our usual process
ed thanks for jumping on and joining us
great to have you
yeah glad to be here
really really glad
thanks zach
and thank lauro and mike well hey
we're looking forward to this conversation today
first we're going to kick it off in the usual fashion
with the news and our newly branded lauro's corner
so mike you want to take us from here good day
and welcome to the last news podcast of the year
started out with
rackspace warns of phishing attempts post ransomware
in case you haven't been living under a rock
or fortunate enough to be on a beach
for the last couple weeks
rackspace is warning customers
about the increasing risk of phishing attacks
following a ransomware attack
causing ongoing outages
to its hosted exchange environment
rackspace warns about scammers and cybercriminals
who may take advantage of the current situation
by pretending to be the support staff of rackspace
offering help in transitioning to
microsoft three sixty five
and getting your email back up and running
emails from rackspace will only have the domain
@rackspace.com
without any special characters or numbers
and phone interactions with rackspace
support will not include requests for login credentials
personal information
social security numbers
or a driver's license
according to the company
rackspace said
if you haven't heard
experience disruption
its email service
that is first described as security incident
later the company said
in an update that it now believes
its specific activity was a result of ransomware
the company is currently engaged with cybersecurity
from crowdstrike
to investigate and put remediation measures in place
and none of their other services were affected
according to the recent update
just for those of you who ask about the cost
of a breach
in a filing with securities exchange commission
the company said the ongoing service disruption
will likely create a financial loss
which hosted exchange businesses
which generate approximately thirty million annually
in revenue last year
so there is a cost
business email compromises
attacks going mobile
via sms and social media apps
researchers reported that while phishing scams
are prevalent in the sms threat landscape
business email compromises
or bec attacks are now going mobile
the researchers said
attackers make a legitimate request
such as asking for a wire transfer
sending a copy of an aging report
or changing a payroll account
the anti-phishing working group
reports that
among these requests
gift card fraud
was the most common scheme
in the second quarter of
twenty twenty
becs remain
one of the biggest cyber security threats today
and the fbi has reported
that losses from becs
have surpassed
forty three billion globally
linux targeting malware
just got more powerful
this is kind of an interesting one
especially for those again that
that don't think there's a cost to hacking
the mining malware campaign
that targets systems
and cloud computing
since instances
running on linux
has added trojan malware to its capabilities
something that could make attacks more dangerous
detailed by cybersecurity researchers
at trend micro
such as other crypto
mining campaigns
this one is secretly compromising linux systems
using their computing power
to mine for monero
the attacks often go undetected
because unless the machine is squished too far
the likelihood that compromise usual
notice the drop
performance of their system
large networks of compromise systems
mining for cryptocurrency
can then produce a steady
stream of income
cybercriminals
which is why the technique
has become such a popular
form of malware
and of course
you're picking up the electric bill for that
so just keep that in mind
rash of new ransomware variants springs up in the wild
just in time for christmas
enterprise security teams
can add three more ransomware variants
that are constantly growing
a list of ransomware threats
for which they need to monitor
three variants
vohuk scarecrow
and aesrt
target windows systems
and appear to be
proliferating relatively rapidly
on systems belonging to users in multiple countries
fortinet's analysis
of the three threats showed them to be standard
ransomware tools that have been very effective
at encrypting data or compromise systems
fortinet's alert did not identify
how the operators of the new ransomware samples
are distributing their malware
but it noted that phishing email
has typically been the most common vector
for ransomware infections
keep that in mind
phishing emails becoming is a big and big big
big problem
you train your users
uber says third party responsible for latest breach
uber says internal data apparently
available for download on hacking forum
as a result of a data breach at a third party provider
not the consequences of a september security incident
at the hands of teenage extortion gang lapsus$
an actor going by the name uber leak on saturday
posted online a number of files available free download
according to originate from inside the ride
hailing company
bleepingcomputer and restoreprivacy
each reported the news
although uber leak referenced lapsus$ the files
are unrelated to our security incidents in september
an uber spokesman told information security media group
the spokesman pointed to a breach notification
statement from teqtivity
acknowledging that a malicious
third party gained unauthorized access to its systems
stating that the threat actor
was able to gain access to teqtivity's
aws backup server
that has their code and data on their customers
the exposed data includes device information
make model and a serial number
names work email addresses etc
all right so that's it for the news
there's a couple critical headlines
there's an interesting one for those of you on a geek
a little bit
air gap pcs won't
you want to look into that one
there's sixty three zero days that were discovered at the latest
pwn2own fortinet
is still urging its customers to fix
actively exploited fortios
ssl-vpn bugs
come on people
there is a brand new undetected vmware
esxi backdoor
that's out there
so look into that one
um and state sponsored attackers
actively exploiting rce in citrix devices patch asap
so look into all that
and with that
we're gonna migrate over to lauro's corner
we're gonna learn to love and laugh
and learn about cybersecurity
thanks lauro
thank you mike for that
that beautiful and very solitary
introduction into my corner
thank you everybody
today i want to talk a little bit about
separating your business emails
from your contact emails
now there are a lot of us out there
that we have a hobby
where we're using social media to push that medium
or that product
so whether you have facebook
or an instagram for business
or you're using TikTok for business
however you're doing it
even on youtube
you want to make sure that your contact email
is separate
from the email that you're using to access the account
typically take an instagram for an example
they're going to ask for the email
for you to log in into your business account
that's the account associated with the password piece
that needs to be known to get into your account
so when you publish that as a contact me email
everybody's able to see that email address
and your cybercriminals now only have
one piece of information to guess
in order to get access to your account
there's a lot of slow and low brute forcing that occurs
like we've seen in the microsoft three sixty five world
that also happens with instagram and facebook
so if you are using these platforms in any capacity
to to showcase your business products
or your hobby products
or your art
anything in general
make sure that you've changed that contact email
to something other than the email
that is being used to access your account
so there's lots of platforms that are free
proton mail gmail
there's a lot out there
you can just get a small info at whatever gmail com
and then you can add that to the contact email
that way if you get sent phishing
or if somebody attempts to break into your account
well they're using the wrong email address now
aren't they
so stay tuned for more tips as we progress
i hope you have a wonderful
happy holiday
zach we have a pretty awesome guest to talk to today
we've got ed vasko here
we sure do we sure do
and last episode of the year
so i'm excited
and don't worry for those listeners
i know we might be missed
but it's only a couple weeks
we'll be back with more awesome
cybersecurity information
and with that said
we'll be right back after a quick commercial break
want even more cyber rants
be sure to subscribe to the cyber rants podcast
get your copy of our best selling book
cyber rants
on amazon today
this podcast is brought to you by silent sector
the firm dedicated to building world class
cyber security programs for mid
market and emerging companies across the us
silent sector also provides industry
leading penetration tests and cyber risk assessments
visit silentsector.com and contact us today
and we're back with the cyber rants podcast
this is zach fuller here
and i want to introduce our special guest today
ed vasko ed
it is an honor to have you on the show
excited about what we're going to dive into
and just hearing your wisdom
and for those listeners
that don't know ed
or haven't don't know about ed he is
incredibly successful in the cybersecurity industry
built a highly
highly esteemed cybersecurity firm
and just an overall wealth of knowledge
and doing some really
really cool stuff in the education sector now
so i don't want to steal the thunder
ed welcome to the show
and thanks again for coming zach
it's a real pleasure
i really really can't
say thank you enough
it's great to be here
looking forward to the conversation
hey likewise
do you mind starting out
by just sharing with the listeners
a bit about your background
how you got into cybersecurity
the path that you took through
into entrepreneurship
and then what you're up to now
yeah no i appreciate that
i always like to
when thinking about this kind of journey
that i've been on for
as a career
for thirty years
or actually
a little bit over now
i always like to start off by saying
i was a war games baby
i saw the movie war games in the theaters
and you know
my first personal computer was a vic twenty
commodore vic twenty
had a whole whopping four k of ram
and and this
this was in the early eighties
and upgraded very quickly to a commodore sixty four
with sixty four k of ram who
and the other thing that we had
my father was
smart enough i think
to get me an rs two
thirty two interface board for the commodore sixty four
so that was the game changer
we had a chance to hook up an old hayes modem to that
and started dialing on out from there
in the early eighties
and really starting to you know
learn and understand what could be done with computers
so rather than taking you through a forty year
run through of history
i'll quickly run forward
i started my first company before i left
with my bachelor's degree from arizona state
and that company we focused in on telephony security
you know helping banks
helping universities secure their bank-by-phone
and registration-by-phone systems
and then pivoted that to
working with an international company
right near right as the dot com era was kicking off
and so i got a chance to travel around the world
working with you know different financial institutions
different technology companies throughout the
throughout the world
and then came back into phoenix
we my wife and i at the time
we had a chance to move to boston
and i got my dot com badge of honor
was join to start up
and burn through a lot of money at the time
moved back to phoenix
and started working for a well known organization
that focused on helping
helping companies around the country
deal with sarbanes-oxley
which was the new big compliance wave
that occurred right around the two thousand one
right around nine eleven
and that that time frame
left there after about four years
and started a company called terra verde
and terra verde
we started in
right around two thousand eight ish
and grew that into one of the nation's largest
managed security service provider
and professional service providers in the country
and in twenty eighteen
private equity came along and said hey
we like what you're doing
and we like where you're growing
and we had by that time
had about two thousand customers around the world
we had very large brands like
choice hotels
international
massage envy paypal
we are working with a large
number of different organizations around the world
and so we had a chance to
go through the acquisition buyout in twenty eighteen
stuck around there for about
twenty fourish months
and did three additional m&a efforts
with the private equity firm
and that that effort became what's
now the company called avertium
and so they
they continue to do wonderful things in the
in this space
and i decided that
that right around covid
actually the february before covid really took off
in march of twenty twenty
i decided that i wanted to tackle a new thesis
and that thesis was
is there a way to build a better cyber workforce
and as we were building terra verde
we realized that there was a need to really
hone and examine
how we were making use of early career professionals
coming out of college or coming out of universities
and how could we really engage them differently
and and so we had set up a lot of different pathways
at terra verde
with different universities and colleges
and found some really good
solid success there
and i wanted to see if there was a way
that i could move from being a consumer of product
a consumer of workforce
coming out of university
to actually trying to help change
the way that the model works
and the actual workforce development effort
so join boise state
in full time in july
first of twenty twenty
and i've been here ever since
and we've been growing a lot of different programs
and a lot of different platforms
and really proving out the thesis
that it is possible
to change how we're developing a workforce
what that value is to employers
and ultimately
how can we better address
the massive workforce gaps that we have in cyber
to better support and better secure the country
both from a data and infrastructure standpoint
that's a long way of me telling you
i'm really really old
oh that's excellent
i appreciate that
and speaking of gaps in the workforce
i mean what can you share with us
some of your thoughts on that
what can we do differently as a nation
or even just at the university level
specifically
how do we fix this
yeah well i'll start that
that's a great question
i'll start that off by saying
maybe telling a little bit of a story is running
running terra verde
and establishing all these different pathways
with universities and colleges across the country
what became clear was even the best is out there
we were getting students who still you know
they made the transition and graduated and became
you know they moved from being a student
to being a worker
and they would come into our company
and i actually confirmed this
with a lot of our competitors
and partners around the country
is that there was still a gap
there was what i've dubbed the activation gap
meaning that in order to actually get a full
fully effective fully capable worker
after hiring them out of university or college
you take about six to nine months
to move that new worker into a place where
they're actually giving you a return on investment
meaning that they actually know the platforms
they know the processes
they understand the nomenclature
they haven't run off screaming
after seeing logs day in and day out for months on end
they can begin to handle the pressure
of what an incident actually looks like
and that activation gap is real dollars
that employers are putting down on the table
every single time they bring in a new employee
and to a large extent
that's one of the reasons i think
that we see this real weird dichotomy
in our industry right now
where organizations
you know promote or
or publish positions
that are looking for entry level cyber
but they need three to five years experience
or they want entry level cyber
with a cissp
it doesn't make sense right
but it begins to make sense
when you start digging into the details
to say well
i just hired this youngling
so to speak
out of university or college
and it took me nine months to get them to a point
where they could actually start working
and after nine months worth of internal training
and this activation process
they suddenly jump ship
and they double their salaries somewhere else
so we have this real interesting problem as an industry
and both on the higher ed
side as well as on the industry side
and so taking that knowledge
from an industry perspective into the academic sphere
i again came back to the thesis of
can we create a better workforce
and one of the ways that we're
really trying to tackle that
and improving this model correct
is shifting what i call competency development
if you break competency into things that you know
knowledge and things that you can do like skills
and you say knowledge and skills equal competency
at a very kind of ceo ish high level boxy kind of way
i want to take competency development and shift it left
to kind of borrow the devops the devsecops term
i want to shift it left back into the academic sphere
in that what i really want to be able to do
and this is what we're doing at boise state
is we're actually
enabling our students to get real world
skill development
real world knowledge development
and therefore be able to say on their resume
to an employer
i actually have worked in an operation center
i've actually worked incidents
i understand
the tools that you may be using
maybe not the same tools you have deployed
but i understand the tool set that you
are gonna expose me to
i understand the pain and agony
that can come from working in an incident
i understand the hours on end of
tedium that comes with being an entry level analyst
i also understand that i may not be looking
or able to get out of the box
coming with my degree in hand
i mean not people get six figures
the way we as an industry
have kind of propagated this message to students that
you know go be the cool sexy
fun pen tester and you'll make six figures
none of that's true
so we're actually setting our kids up for failure
with this current messaging
and so what we're doing is changing a lot of that
and i'll give you a quick kind of sidebar metaphor
i think because this resonates with audiences
if we said the same process of development
for cyber security workforce was taken
our current workforce process was taken in
let's say the medical field
what would happen is a nurse or doctor
would essentially go through some classes
let's say an anatomy class
they go to an anatomy class
they learn maybe you know
at a textbook level
what the body is and the different parts and so forth
they may go into a lab
and in that lab they may be exposed
let's say to a cadaver
and there's a teacher up there you know
and they hand
they hand the students a scalpel
and the student then learns how to use a scalpel to
cut into the cadaver
and by doing so
can be exposed to some muscle and tissue and so forth
and then literally
at the end of the anatomy class
that nurse or doctor is taken
and so now go
go do good in the world and go be a doctor or a nurse
with that in mind
would you really want to go into an urgent care with
let's say a shoulder pain
and that's all that the doctor or nurse knows how to do
is take a scalpel and cut open a cadaver
let's think about that for a second
let's stop and consider that
you know i walk in
i say i've got shoulder pain
the doctor walks on in all happy
i know what i'm doing
i know i'm supposed to do hold on a scalpel
and comes on over and cuts me open
and then the doctor begins to wonder why
why am i screaming
you know why is my patient screaming
and what's all this stuff that's now all over the floor
that's coming out of them
and that didn't happen in the lab
and it's this gap that we now suddenly have
i think with that kind of metaphor
it becomes really clear
this cyber security
workforce gap that we have as students
move through academia
and they get ready to jump on into
a workforce environment and become workers to defend
our nation and our critical data
they're only armed up
with a portion of the skills that they need
so our goal
coming into boise state
really myself and my team
has been how can we enhance
how can we add skills
how can we add this competency development
back into the academic sphere
so that students
as they're leaving our programs
they don't just have a degree
but they also have the knowledge from a classroom
they have the skills from a lab
as well as from a real world environment
and by doing that
we're producing a workforce that
is more ready and capable to work
our employer partners are seeing a better value
and they're seeing a higher degree of loyalty
because the students can come in
ready to go
nearly on day one
you know there's still some activation
as any employer knows
there's still some activation
i got to teach this new person about my company
about my culture
about the platforms i use
the environment
how to fill out a travel rep
or how to fill out an expense report
or how to put your time in
all those things have to be done
but at the end of the day
knowing that i can take a student from boise state
that goes through our program
put them into an operation center
and they can actually understand the tools
understand the processes
and they're not going to run off screaming
after weeks worth of time reviewing logs
or nor they're not necessarily going to jump ship
because they know
what's going to be entailed
and how to do the things that you
as an employer
need them to do
that's a really long way of me answering that question
zach but i think
i hope it gives you all a really great
perspective
with maybe a
you know a pretty intense metaphor there
but i truly think
the challenge we have right now
in the workforce development effort around cyber
is that we are not
within the academic side
we're not enabling our students to be effective
and to be ready
to go out and do the work that needs to be done
yeah and i wholeheartedly agree with what you just said
i mean we've dealt with a lot of college students
i've dealt with some lately
some high school students as well
that have totally no idea of what
you know they're graduating with their degree in cis
and asking basic questions
they have no idea what you're talking about
and they're working off technology
that's a couple years old
and i was thinking about
you know you're talking about
the unprepared business in the cadaver lab
i mean certified ethical hacker classes
are still using xp and windows
two thousand three boxes for test beds
yep you know
what's the point of
how frequently are you actually gonna run across
i mean yeah
they're out there
but my guy you know
if that's how you train your pen tester
is to expect the easy pushover of both those oss
they're not gonna understand that
half a pen test is failure
that's exactly right
that's exactly right
mike you know
and i think
you know one of the other
big pushes that we see right now in the industry
i think you'd all agree
is that you know
there's this shift
we've been so focused on it security
it security
it security
now suddenly we get hit
because of colonial
you know because of stuxnet
even before that
because we know that this is a big gap in our industry
and our ability to protect the country
now we're all focused on operational technology
and so you end up in this space where not only do we
take a student that's getting ready to graduate
then you know
going through a couple of classes you know
trying to get their knowledge and their skills ready
you know and i say this for students across the country
this is what's happening
is they're getting ready to go on out there
and suddenly
we hit them up alongside the head and say well
now you've got to learn about all this stuff over in it
in ot i mean
in operational tech
and now they're like
wait a minute
you just essentially
gave me a completely different area of the body
to go focus on
agencies that i need in order to go out and get a job
it's a real challenge
i mean it's a real challenge trying to
you know see what students outside of boise state
are going through right now
they're struggling
you know i have calls with students in arizona and
you know and throughout the country really
where they're calling up and saying hey
how can you help me get a job
and i'm like
well what have you done
talk me through your skills
take me through your knowledge
and oftentimes it ends up
they're having to learn at home
they're having to self
you know self actuate this knowledge
and there's no structure
so it's kind of
we're back to an oral history tradition in the industry
and we're hoping that somehow another oral history
actually propagates
the workforce that we so desperately need
and i think that and that
oh good yeah
no go ahead please
i was gonna say that
in that type of
my dogs is gonna patch you a burnout
because they're gonna get frustrated
and they're not gonna you know
so you're gonna lose a lot of these people in the first
eighteen to three
eighteen months to three years
and yeah i also wanted to add on to you know
learning operation technology
we're gonna cost a lot of clients
that are focused solely on compliance
and they're missing the whole
secure and operation technology piece
and i'm not sure
what the kids are being taught today about compliance
but you know
a lot of these companies are being dumped into either
dumping into her like
well get compliant with hipaa right now
you know kind of
yeah yeah exactly
and i mean it's hipaa
it's pick your three
four or five
letter acronym
you know soup
that's out there in terms of compliance
and you know
the one that we see that everybody
seems to be really focused on at an industry level
right now is cmmc
cybersecurity maturity
model certification
i think it is
that's the dod
you know effort to really try to get their
their industry based
their entire supply chain
to activate and actuate around
putting cyber controls in place
downside you know
from the very large dod providers
all the way through to the smallest manufacturer
and so you know we're
we're seeing this need
within the kind of various compliance waves that occur
to try to activate cyber related program structures
and cyber controls
we're still seeing some headwinds
in terms of how and what within the
defense industry base
but what that means
is that we're also trying to figure out
from an academic perspective
how do we help students understand compliance
and oftentimes
what i've been pushing
is the realization that there's this spectrum
of different cyber roles that are necessary would hate
i mean you know
i came from a i would out say
the fairly technical background
yeah i don't
i didn't get my cs degree
but at the end of the day
i came from a fairly technical background
you know i was running tcp ip drivers back when
for windows
when there were no tcp ip drivers for windows
you know and
and so over my career though
i've transitioned to be able to
take that technical knowledge and incorporate it
from a business perspective
from an audit perspective
from a compliance standpoint
and oftentimes what we see
across the country and other
in higher education is you know
you either go into a program that
teaches you really technical
or it teaches you at a business level
and there's no holistic aspect there
there's no willingness to say
let me take a technical student who
and move them slightly
so at least there's awareness and knowledge
around compliance
and let me take a really
business oriented student and move them
so they've at least got some base technical knowledge
because that holistic standpoint is
to a large degree
what's missing
and oftentimes
what i see is
our academic brethren
speaking from a boise state standpoint
we try not to do this
i see a lot of academic institutions around the country
that try to tighten the funnel
so to speak
they actually try to filter students and reduce
the number of students in their cyber programs
rather than saying
you know what we want
everybody that we can to come through this funnel
we'll give you the base technical knowledge
we'll give you the opportunity to choose your own path
we'll give you mentoring
we'll help you
you know again with real world competency development
so that ultimately
i'm not taking a business oriented student
who knows risk assessments and risk management
and saying hey
we need you to be a pen tester
it's just night and day
and that's going to lead to that burnout that
you mentioned mike
it just compounds it
would you are you able to talk about or share
any of your initiatives that you've been working on
as far as public
private partnerships and different methodologies
to get students
that real world experience that they need
yeah no i appreciate that zach
i'll give everybody a heads up
i mean one of the big platforms that we launched
to address this problem of competency
was a platform we call the cyberdome
now you can think about mad max and beyond
thunderdome
and i'll fully admit
the geek in me
i'll geek out for a second
that's exactly where the name came from
without a doubt you know
so we just picked up the idea of this this dome
of cyber detection response
and monitoring structures that kind of help cover idaho
as much as it possibly can
and we're focused in idaho because that's our mandate
from a state agency and state institution standpoint
but this concept of the cyberdome
is not something that's new
we're actually building on a number of different
types of platforms that are already out there
there's the pisces project
that's being done in washington
university of texas has a similar approach to this
i just like to say hey
we took these ideas and made them work
and made them work in the sense that what we're doing
is we're actually addressing a secondary thesis
that i've had for a long time
and that secondary thesis is that there has to be a way
through which we can help the weakest link in the chain
across our critical infrastructure
across the nation
and i don't mean necessarily the energy providers
or the you know
the railways or anything of that nature
or transportation structures
i mean rural counties
rural communities
that interconnect with all of
you know interconnect the entire country
so quick backstory
when i was in arizona at tervary
i was running tervary
you know we had grown the business to
be arizona's largest cyber provider and again
one of the largest in the nation
and i kind of did a tour
governor ducey had asked me to participate in
a arizona cyber
the cyber team
or act around workforce development
and so as part of that effort
i was out talking to different rural communities
and trying to help them understand that as
a large provider in the state
we were willing to come in and help them at our cost
we weren't going to charge them a thing
for our services
in terms of profit
i still needed to cover my cost
as a commercial provider
and rural communities across arizona
all said the same thing
we love what you're doing
we love the idea
but we can't afford it
and that step put the light bulb up
i was like wait a minute
if these communities can't afford our cost
how can we help them
and these are communities that may have
two or three thousand residents in a county or a city
but they don't
they can't afford to attract
and retain the cyber talent
and they can barely afford
to run and operate you know
antiquated cyber
cyber equipment
so part of what we did with the cyberdome was
not to create an environment
that's an operational model for students to
gain awareness
and understanding of how to be a cyber analyst
or a cyber engineer
again at an entry level
we're not trying to turn them into tier three
you know highly capable
and ready to actuate
on large scale incidents
but giving them the base knowledge
but do so in a way that they're
providing real world support
and so the second thesis really comes into mind
is this melding of the two
the second thesis is
how can we help rural communities
better protect themselves
so our mandate within the cyberdome is to act
to go out and work with our rural communities
around idaho
and bring them into the cyberdome
it's a it's not a
it's a volunteer oriented program for those communities
they can choose to come or not
and in choosing to come in
what we're providing is
operational assistance
we're providing them the necessary technologies
at no cost so that they can actually get
the same level of security
from a technology perspective
as maybe a mid size company you know
and in doing that
what they're also doing
is they're helping
the workforce development effort of idaho
and making certain that idaho workers
students become better idaho workers
and are ready to go out and do great things
for the country
so there's a win win
win all the way around
so the student wins
and that they get real world experience
the communities win
because they get services and technology for free
and our technology providers
i should say our technology partners
are providing us licensing for zero cost
because they
understand that there's not a commercial avenue there
but there what there is though
is there is an avenue for workforce development
so our technology providers are giving us
you know here's a siem
here's ids here's edr
whatever the case is
please go out and use this within your
within your community soc
so our communities win because of the free technology
and free services that we're providing
and ultimately the state of idaho wins
because if we can make the state of idaho
that much stronger
that much risk capable
and that much more of a pain for our adversaries
maybe they'll go on into montana
or maybe they'll go to wyoming
maybe they'll go to utah
they won't attack idaho
and so that's really the
i think our hallmark
our hallmark platform
that same process in the cyberdome of
giving our students real world competency development
extends across a number of other portfolio
programs that we have for our students
we have students that are more risk assessment
more compliance oriented
working with rural communities
to understand what their risk model looks like
and helping those
county commissioners and mayors and city councils
suddenly gain an understanding of detect risk space
that they never would have had otherwise
i love that approach
i mean it just combining the
the strengths of enterprise
who want to get more workforce
giving rural communities what they need at for free
essentially
i mean that's that is
you know true to
true to our mission statement as a company
to protect the backbone of the american economy
and our way of life
i mean those small municipalities
i mean they need all the help they can get
and so to see that
that boise state is taking that challenge on
and that you're shaping that program around that
really helping out
is incredible
so i love the appreciation
is there a certain skills gap that you see
that is greater than another skills gap
within cyber and all the aspects of it
is there one area that stands out
that we really need to work on as a nation
i wish i could say that there was a singular thing
that we just need to go
you know double down
triple down on
and the reality is
there's not
you know i think
across the board we have
we have an opportunity
to really change the how and what we're doing
to help our
those students that are interested
become the best possible workforce
and be ready to work as they leave
the education sphere
now if i could say anything
it would be that if i could pinpoint on any one thing
it's actually we as an industry
from a cyber perspective
i feel i'll get up on my soapbox
the next rung of the soapbox so to speak
i think there's two things that we can really do
to kind of double down on
and the first is
in the early stages
you know for probably the past
call it twenty years
i would say
maybe even more
but at least there's been a concerted effort
over the past twenty years
to really focus in on stem education
getting students as early as
you know elementary school
aware of the stem career path
and helping them
and nurturing them
as they show a willingness to look at stem
kind of nurturing them
towards these kinds of stem careers
and the reality is that we'll see
in the next four or five years
if that pays off
with the huge influx
or re-onshoring
of things like semiconductor manufacturing
and all of that effort that's going on
but one of the things that we're not doing
and this is the first of the two
one of the things that we're not doing as an industry
is we're not really pushing hard
earlier in the model
earlier in the education cycle
that cyber is a portion of stem
and actually resonates across all of stem
it's not just a technology
it's not just an engineering
it has medical and it has science implications
and it is almost
if i think about stem as horizontals
in the classic way
the cyber fits across
as a vertical across all those stem activities
and so i think that's one thing that we
we are starting to do more and more
but we need to really double down on
because the
the funnel coming into
high school and getting ready to go to college
or university
is is small
it's too small
to really affect what we need within cyber
in the long term space
the second thing i think
that we really need to focus on
is we need to be a lot more upfront and honest
with our students
i mentioned this earlier
and it's a real big pet peeve of mine
and that is that i have seen too many providers
both of education as well as commercial
services trying to use the classic hooded hacker
you know that whole motif of
come be a hooded hacker
come be a pen tester
you know be a pen tester
and you'll make six figures
i've had there you go
there you go
so those of you guys are here
if you say that laura just put on a hood
it just put up his hoodie
it's it's a
it's a real challenge
you know it's a real challenge
because it's almost diabolical
i'll say that very
very bluntly and maybe too forcefully
but it is what it is
i think it's diabolical that we turn around
and we say to students
you can come into this space
because the need is so great
and you're just gonna walk on in with a degree
and you're gonna make six figures
and it just is not true
i mean we just have to face that
we have to face that fact
there may be some providers
out there that may disagree with me
there may be some companies that disagree with me
but on average
that's just not true
and we need to instead i think
give students the awareness that they will make
an above average salary
that this is a service orientation
you know you are actually
coming in and helping defend the country
and if you have any proclivity towards
you know the armed services
if you have any proclivity to first responders
if your family has that kind of background
or you as a student lean that way
what better way to come help defend the twenty first
and soon to be the twenty second century
and the country
you know from a cyber perspective
and i think that's really the messaging
that we need to be start pushing
is is very different than what we have in the past
you know fifteen or so years
so those are the two things i could really say
if we could change anything
i had a magic wand tomorrow and say
let's change something
that's really a harder push on
activating students earlier in their education cycle
and doing so in a way that's pragmatic and honest
so i'll i'll give a real world example then
throw my hoodie on
but we worked with an institution
i don't want to
i don't want to name names but we looked at about
we did a conference and we had about
i don't know how many
how many students were in there
full or like fifty or so maybe
yeah so we probably the problem was yeah that
yeah for students yeah
so out of about fifty students
about half of them stayed around to chat with me after
the talk and out of those twenty five
we had one individual
that even had partial capabilities
that would be
a suitable being term
so just below that i think
i think that individuals
with us for about three or four months
and then shaped up the resume
and we helped him get a
get a position at a
at a large pharmaceutical company for about
i think was about eighty five k
so you're you know
i think that's a more realistic
and this was a couple years ago you know
yeah i think and
and thank you for doing that
i think that's
i think that's
the other thing laura is that
you know that we as industry providers
need to do a little bit more
again i'll throw it out
this is not just a problem that happens in academia
this is two sides of the same coin
and i'll throw back on my industry hat
we need to do more
we need to be
more honest in our presentation of career pathing
we also need to be more willing to take that risk
and push our academic partners harder
you know so that we ultimately remove this idea of
an entry level cyber worker
has to have three to five years experience
plus this the isp plus this
and in that regard
all of that said
only say that the starting salary is
forty five thousand dollars a year
there's an imbalance across all of that
that we as an industry need to address
and part of that is activating the hr
talent engagement
talent management
whatever you decide to call your chief people people
have them activate on what the real world looks like
and they can go get survey after survey from
different providers
and they can say well
we're within our band and so forth
well you know
we need to be a little bit more pragmatic
and if we want to attract talent and keep talent
and do so in a way that doesn't set the worker
that new employee or your company up for failure
well thank you so much
it's been just great talking with you
and hearing the really
the inside scoop i mean
you get to see a lot of things in the academic world
and be able to translate your real world business
experience and industry experience to
that i think
is incredibly valuable
as we wrap up
is there a final word of advice
that you would give to students or people out there
looking to potentially go into the cyber security field
yeah no i think
thank you zach
and my thanks back
zach laurel and mike
i really do appreciate
the opportunity to chat with you today
but not little you know
i think that if i was a student interested in cyber
i would be doing a couple of things
one would be
i would be looking for
a program that really stood out and said
we're going to help you get the skills and knowledge
that you need to go out and get a great job
and do so in a way that
they can actually show you results
so it's almost that classic money where the mouth is
you know you have money to pay for tuition
you have money and approach that you can bring to that
and knowledge
that you can bring to that university or college
make them show you that they have the programs in place
and the structure in place
to help you activate your career
and i'd say the other thing is
i say this every time i talk to students
it's the classic line from alice in wonderland
and it is curiouser and curiouser
alice states this throughout the entire book
i can't stress enough
i don't care if you go into risk management
i don't care if it's compliance
i don't care if it's a highly technical area
i don't care if it's product development architecture
whatever you really want your career to focus on
from a cyber security perspective
you have to be curious
you have to be constantly learning
i looking back over a thirty year commercial career
i am ecstatic every single day that i wake up
knowing that i get to learn something new
that's the passion that keeps me driving
that's the compassion that keeps me in this industry
and if you don't see that for yourself
you just want to get up every day and put tab a
slot b and you know do the thing that
that you need to do to get get through that job
cyber may not be for you
you know because it's an ever changing ever growing
ever expanding market and industry
and you know as
as you heard mike earlier and you
as you heard laurel and his look in laurel's corner
this is an industry that's constantly
constantly under pressure and
you know constantly changing
the great part is that if you do have that passion
we need you
feel totally aware of the fact
and be totally aware of the fact
that we absolutely need you in this industry
just find the right program and
and learn learn learn
and then realize that the community is
kind of the final point
the community is extremely giving
if you can find a mentor in industry
align with that mentor
asking questions
expand your network
great things will happen
again thank you zach
for all this
all this this been great
thank you ed
and if people want to
if listeners want to find out more about
boise states programs or the cyberdome project
or get in touch
what's the best way to do that
yeah two ways two ways
the easiest way is to go to boise state and
edu cyber security
that's going to take you right to my institute
again boise state
edu cyber security
if you want to email us
glad to have inner
you know glad to have you email
and that's cyber institute
all one word
cyber institute at boisestate edu
outstanding
and we will put these links on the show notes
for those listening
remember you can go to cyberrants podcast com
you can find the show notes for each episode
we'll provide the
news article links that mike goes through
we'll provide the links to boise state
and the email address that you can reach out
to to get more information
so thank you so much for listening
we hope you enjoyed the cyber rants podcast
be sure to subscribe rate it
share it with your friends
help us get this information out there
because it is really
really critical to get this information out so
we are protecting the backbone of the american economy
our way of life
and others around the world as well
i mean we are at war here
make no mistake about it
and cyber crime is more prevalent than ever
so there's a lot of work to be done
so thank you all for listening
and we will see you next year
pick up your copy
of the cyber rants book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector com
join us next time
for another edition of the cyber rants podcast