
All right, we're gonna get started everyone. Uh, thank you uh so much for attending this morning. Um, just a few housekeeping items. Uh, anyone that you see with a kind of yellow black shirt on, those are volunteers. Feel free to reach out to them at any time if there's anything that you need today. Uh, and I'm going to introduce Bod. So, uh, Bod's a cloud security engineer at Nextuple, uh, where he focuses on security architecture and threat detection in cloud-native environments. He has previously interned at Cisco and consulted for Deloitte. Bod is passionate about the role of AI and open source in cyber security. Outside of work, he enjoys mentoring newcomers in the industry and is an amateur rally
racer. Uh so really excited to hear from Bod today. Let's give him a little round of applause. [Applause] Thank you for the intro and thank you everyone for making it this morning. As you said, my name is Inodi. I graduated when I finished my undergrad in computer science and cyber security last year. I'm currently working in the role of a cloud security engineer at Nextuple. I have contributed to the ISC2 Certified in Cybersecurity exam in the role of a subject matter expert, and I enjoy building and experimenting with open-source solutions, IDS, you know, Snort and all those tools, and I'm pretty interested for the AI in cyber security, using AI as a classifier for as
for automating, and I also create a lot of home lab setup to try these things out. And after this conference I'll be in Silicon Saxony Day in Dresden, Germany, and I'll be back in the States next month for the Facebook page there you can connect me for an AI security related talk. So when we say we are looking for uh someone, a fresher in cyber security, from the hiring standpoint, it kind of breaks down into six categories. Four of which even prior to someone getting an interview and the last two are during your interview. So firstly we look to have someone who has an idea of the fundamental. This is just the base level knowledge for things such
as operating systems, networking, the basic ideas of what these are. And we also like to have someone who has some hands-on skill, not just like mugged up topics out of a book for an exam. And this can be validated using your personal projects. These can include home labs implementing uh open-source tools. A very simple home lab setup for example can be having three virtual machines. You have a target machine, you have an attacker machine and you have some another machine to just observe, have an IDS set up. Uh more on that, there is a session today at 4 for building virtual home lab with Cisco Modeling Labs. I think someone can try that out and also uh you everyone I
would suggest uh to at least try out, participate in a CTF that's happening here or a hackathon somewhere, because that builds your experience and you get to know how things actually work together. Now how do we validate the foundational skills? That's where the certifications come in. So here I mentioned three. CompTIA Security+ is the de facto standard which is asked for majority of the entry-level jobs, and Google Cybersecurity program is a new one, as well as the ISC2 Certified in Cybersecurity. The purpose of all three of these certifications is to validate the base level foundational knowledge that you have, uh with the addition of the Google Cybersecurity one having labs as
part of the certification you need to complete to get it. So okay, we got the certification, your resume looks fine, but how can you differentiate as a fresher from the other competitors? For that you need to have a good portfolio as well as a social media page, and here I don't mean that social media Instagram influencer, million followers, nothing of that sort. Just simply document what you're working on Google you can write a blog on LinkedIn or Medium talking about what you have done. And for those who are not camera shy, you can even make a vlog out of it and put it on YouTube. And if you're lucky, that might make you a
millionaire. Now, post this, you got the interview. Congratulations. That's step one done. Now in the interview what we look for in candidates is a mindset for curiosity and willingness to learn, because no one expects freshers or someone new to this role or someone switching careers midway to have solid knowledge about everything, how things are done. But we need someone with the willingness to learn, be curious about it, and the problem solving mindset. Now what is a problem solving mindset? Yeah, one might come up to me and say, hey, I don't know anything about this. I cannot solve it. So the mindset here is more like breaking it down into chunks, knowing, asking someone for help
with one part of it, get figuring it out, then connecting with someone else for another part. That's the mindset. And contrary to what people think about cyber security jobs, you know, those hackers in the movies hunched up over their laptops in a dark room, multiple monitors, working 16 hours a day. It's nothing like that. You would rather have to connect with multiple teams, work on multiple projects and be focused on collaboration. Primarily in my organization, for example, I'm part of the cloud team. We handle security good to go. I have to work with the developers for the application security, secure coding reviews, so on. I work with the finance team on having the uh policies and
standards. We are following the legal compliances, and cyber security itself is a very dynamic prospect in which maybe you might be working on something today and the next day that system has failed. It doesn't exist anymore. There is a new standard. So you need to adapt on the fly. Now someone might also ask, okay, I like cyber security, I have it as a hobby, why should I make it my profession? So the demand for cyber security is currently huge. In the US itself the roles are growing at 32% a year from 2022 till the next decade. Entry-level opportunities are expanding. Google and ISC2 have launched their uh entry-level certifications for this
same purpose, and while there is an industry trend of using automation or using AI to eliminate many of these L1 roles, that doesn't mean that entry-level jobs are no longer; it rather requires someone who has a base knowledge of what this AI is and how to operate that new system. And as I said, every industry need, be it defense, finance, retail, healthcare, education, if an industry is insecure the industry cannot exist, and the global cost for cyber crime is rising rapidly. It is projected to hit 10.5 trillion USD by the end of this year. For context, other than China and USA, every other country has a lower annual gross domestic product. So if the cyber security costs were a
country in itself, it would be the third highest. Now what exactly is cyber security and how can one learn it? So we have a session here at 11 on how to learn cyber security by yourself. You guys should check that out if you're freshers or moving uh changing from some other industry to cyber security. So cyber security can be broadly divided into let's say five roles. One would be the research or theory. This is working on cryptography, uh quantum-resistant algorithms, formal methods, security, developing the security protocols, so on. This is a very academic role and here you have a lot of heavy mathematical work, lots of innovation driven, and this is done primarily in the
universities. And then comes the engineering and implementation. Here we work on security architecture, uh cloud security, DevSecOps, penetration testing, incident response, threat hunting, a lot of application based work, getting the engineering part of it to do, not just theory, making work out of it. Then the third is GRC, governance, risk and compliance. Here uh if you don't have a STEM background you can 100% work on this. Here compliances such as the ISO standards, uh the SOC 2 compliances, and here you'll be working on carrying out risk assessments, creating the policies for the organizations, conducting audits, and here for GRC it's actually a bridge between legal teams, uh engineers and operations. Then there is human and behavior in
security. So how many of you have heard of social engineering? Almost everyone. And that itself shows how a human factor can be a threat. And this is regarding that. Here you have social engineering defense. You have to design secure user experience. Secure U. This is UX with security. Lots of design. But taking into fact the human factor, the psychological factor. Then on the legal side we have policy, advocacy and leadership. This is primarily carried out by the government bodies. These are as creating national cyber security policies and frameworks like the GDPR and HIPAA. Uh lot of public sector roles, work done by think tanks and international cooperation. So, what do these entry-level roles look? I just listed out a few of the
relevant examples that I see every day. So, for a beginner, it starts off with a SOC analyst. That's the L1 I was talking about. Here one goes through logs, monitors them. Uh and the roles here are for SOC everyone SOC analyst assoc cyber security associate, can be called many things. Then moving one step further is a cyber security consultant. Normally this is someone with one to two years of experience. They don't handle the technical hands-on work but they formulate the overall strategy. Then there is security engineer in general. Here one works with multiple rows. These are SIEM tools. Uh maybe it can be for using some vulnerability testing, app testing, and then you go on to the
specialization part of it. Cloud security is currently what I am doing. Then there's application security, there's DevSecOps, the secure practices of deploying and scaling applications. Uh on app security again there is a session at 3:00 p.m. One should check that out if they are interested in that. That brings us to the big topic at the moment, AI in cyber security and AI security. These are two very different things. AI for cyber security is utilizing AI. This can be for classification. So many organizations, even part of a project I'm working on currently is for always detection. We are integrating tiny LLM. Yeah, tiny large language. That sounds weird but we are integrating it to enhance our
detection capabilities and as well as for uh IDS and XDR, as well as for data loss prevention. Uh the benefit here is we move past the static signature-based detection and it can also handle zero-day threats, that is a threat that has not yet been reported. So and another huge benefit of using this is uh a small uh ML solution might potentially replace three software as a cost benefit for the corporations. Now what is AI security? So these machine learning models, these are systems in themselves, and at the end every system needs to be protected. This can be in the uh source of AI model protection. This is more towards adversary attacks. Then there is
explainable AI, that is uh the AI model being able to rationalize per se what the uh responses are being taken and why it is being taken. And there are ML-specific threats such as prompt injection, that is a pretty generic one implemented into that. No. So AI is actually the new battleground for both the defenders and attackers. So whichever side you may be, blue team, red team, purple team, AI would be there for you. And while AI is making cyber security faster, smarter and more adaptable to threats, it is also transforming how we defend against these various threats. And while it is benefiting us in doing so many ways, it is also creating new security challenges
particularly for securing the integrity of the AI models themselves. If your AI is faltering, you might not even know you are getting the wrong uh responses, and without the correct response, your system has basically failed. Now how can you look towards implementing all of that. So uh from a personal standpoint one can look into working on projects. Uh basic one I think I recommend for all students to definitely add to their portfolio is to build a personal SOC, uh security operation center. You can implement open-source tools such as Wazuh, uh Elasticsearch called Eb, and uh one of the major uh corporate uh enterprise SIEM solutions is Splunk. They actually have a community edition
which you can try out, and as a fresher it is a very good skill to have since this is something that one might be actually working on every day in their career. You can uh use VMs to simulate threats, attack a system, observe how to do it. It becomes your playground basically. Uh another project can be to utilize the set of tools provided by the boots, and you get uh you get tools like the Burp Suite, Metasploit, and you can launch brute force attack on another VM and you can then monitor this and understand what's actually going on behind the scenes. And for the ML based projects, uh which is pretty much now becoming a regular
part of the curriculum for M's courses, is uh one can build an email phishing email classifier. You can use a pre-trained natural language processing model to classify emails. Pre-trained models can actually be used very easily on free resources. You don't need fancy GPUs to run it. You can use Google Colab. They are open here for that. And you can also, sorry, you can also fine-tune these using the Hugging Face, uh on Hugging Face. Now I think uh as part of your cyber security journey uh if you have a mentor, that will be someone uh just a few steps ahead of you, not very. So let's say you are a student or a fresher and you
go to a CISO and you look up to them, say hi, I need advice, it actually won't work out. They might not, things have changed from their time as a fresher, and so it is preferable to have someone who is maybe two steps ahead of you, three steps ahead of you. Uh personally uh during my undergrad I've been fortunate to find a mentor in one of my faculty, professor Kiran Bautam. He has guided me not only just academically but even down to how I can enhance my career, what I should focus on, and he has actually helped me remove a lot of these ubiquitous terms from cyber security and from my career standpoint in general.
Uh how many of you are students here? Only one. Okay. then I don't think it would be the right suggestion for me to say you can look for mentors through uh through from your academic standpoint. Uh there's a slide on engaging with the community a couple down in that I'll focus more on how to find a mentor from outside the your immediate surround back to the aim. So these are some of the ideas that I have on how someone can actually start off with and this is not very difficult to implement. You can find a lot of blogs, you can find a lot of YouTube tutorials and as I said you don't need a PhD to
get started. You just need your curious mindset and you just need a web browser with internet access. You can try out tools like uh Transformers, scikit-learn, Gradio for quick setup. Uh what these tools do is you can deploy a tiny LLM locally and as well as on the cloud using uh the Google Colab and the Hugging Face Inference API. How to do that is mentioned here. So for those interested please take a picture, and at the very end of my presentation I'll give you a QR code with a link to this presentation. So here uh I have added quite a few data sets you can utilize to train and fine-tune your model as well as a few
more things, and a few of the beginner friendly uh use cases uh that I identified were having a mainly SIEM enhancement. So you can get your open-source SIEMs like implementing ELK stack, Grafana and Wazuh, but what would you be just learning if you straight up download it, install it, set it up? Not much. The work here you can do is by enhancing it further. The great thing about open source is you can piece multiple things together. You can implement and uh small ML with this for fine-tuning. You can use classifi you can de have classifiers using state and and uh as I mentioned for the phishing detector you can uh use a text classifier to identify which links might
be malicious. And uh another case is the URL reputation checker. Here uh you can spot domains uh which might be uh target for phishing, and as well as malicious domains. Okay. So you have done all of this. You have a good portfolio. You have skills. You have built your things. You have gotten a certification probably. Now as I said it's important to document your code. That way not just you, other people will get to know what you are actually working on. And you can take a CTF, you might succeed, you might not, that's still a learning experience. You can uh break it down on how, what were the steps, what were the
thoughts you had how you were going about it and same thing you can do for a lab setup and maybe you face some challenges uh maybe you got some success out of it. You can mention all of that. The transparency is never bad. As everyone and anyone in this industry might probably tell you before for anything to succeed, you must experience previous and you can start a GitHub repo with all your project codes, your data sets and so on having a demo and same thing for a YouTube channel. Document it. show what you are good at and this also highlights your top skill that would be your communication and interpersonal skills. Yeah, it's a bit different
uh delivering for an audience versus on a one-to-one basis but it still contributes I now uh since most of you are not a student I think this gets pretty important. So I myself, I'm from India, so I wasn't particularly aware about the uh local scenario in Buffalo. So shout out to Patrick Rost. He was a speaker last year and he's a volunteer this year as well. Uh I've linked down his LinkedIn. So be sure to give him a follow. He is pretty much into the cyber security scene here in Buffalo. Uh one of the local opportunities you can have is with the info west New York. So here uh they have another have an uh annual
event that is Buffalo shadow days. It's already happened for this year. There you can do mock interviews and day uh and they have a lot of content and workshop for beginners and interviews. Another one would be infos 716. This is carried out by map tracing from the southern Buffalo itself. So be sure to check that out as well. And in case uh you cannot be part of these physical events, although personally I feel uh the physical connection with a person, building relationships is very important because it's not just about your technical skills. It's about how you work with people. It's a very people solution. Yeah, I think post-COVID everyone is very much into having
that hybrid setup and the virtual setup, but one-to-one communication is very essential not just for what you are radiating about yourself but about what you can get out of from the other person, and it is very important to collaborate, to learn from each other and keep moving forward. So even if not, these are some of the global cyber security groups. Uh ISC2 member community, they have webinars on the trending topics, they have a lot of post and they also give insights about the certifications. Then there cloud security alliance, we focus primarily on cloud security and the compliance standards for cloud and hybrid modules, and OWASP uh is a very good group for anyone who is looking into
vulnerability testing or application security. Again the links are here, you can look into it. Now uh when I was part of the ISC2's CC exam team, uh very common theme that I got from the hiring managers was this: we don't expect freshers to know everything, we just want proof that they know the basics and can grow and learn quickly. So here that's primarily a mindset thing. Now this was one funny thing I was uh I so employers are looking for tangible skills but you need to have a way to demonstrate that. You can't just say hey I know cloud security please I they need to see it for that to happen.
Um for the basics you can get the certifications as well as the documentation that shows that you have put your hours, and to have uh the problem solving ability, the curiosity mindset, it is you can document whatever you try out on your personal projects, home labs and break uh so how many of you have worked with algorithms and flowcharts? So you know how these break down a complex problem into small small steps with all the details. That is very much how a problem needs to be solved and that is probably the only way a problem is solved efficiently. That way you can demonstrate the problem solving. For hands-on experience, again your projects, your labs,
maybe even a hackathon or a CTF. Communication skill again uh you can demonstrate using your documentation and preferably YouTube. It is actually something even I am trying to get into. Normally I'm not much a c into the camera person but let's see how that go. And for the cultural and team fit, uh if you are part of a community, be that your local or a global one, that will show your collaborative skills as well as your interpersonal skills. And uh continuous learning mindset, I think for anyone who is curious, and I believe all of you are since you ended up here on a Saturday morning, your portfolio can show that how your
company has been day over day, week over week, every month you are continuously working on something, building something, that shows a lot. Now that concludes my contribution for And what about the next steps one can take? I would say one should focus on the skills you already have, identifi carry out a SWOT analysis, so you know how it's strength, weakness, opportunity and threat. It's carried out by organization but one should also do it for themselves. Identify what you lack, identify what you're good at. Identify what you can learn and most importantly find out what you should stay away from, the threats. And please feel free to reach out to me and as well as others. You can connect
with me on LinkedIn, uh my LinkedIn is also part of the link tree I have mentioned, and uh also for Patrick Ross you're very active in the community here and if you are good addition for all of you to learn from. And any questions? Is there a risk for beginners like some of us maybe if we're writing blogs on Medium or YouTube or whatever um if we're explaining something wrong or maybe not something polished, is there a risk that an employ potential or employer community will see that, be like what is this guy talking about, he's totally wrong here and uh so I think bad negative of impact for us. I think rather than a risk that's an opportunity
to correct yourself and identify something that is going wrong, because you put it, you publish it, put it to the public, the public will tell you what you are doing wrong and maybe someone is helpful, they'll also say how and why, where you are going wrong. So that gives you an opportunity to better rather than the people just there will always be negativity but you'll also get the opportunity to identify the problem. Thank you. Hope that's the answer to your question. Right. Any other? Can I interject something on that just real quick? Sure. I'm a hiring manager in infosec. I'll be honest with you. If I say to you, "Hey, uh, I noticed your blog that you have this
this thing here. Can you tell me more about it?" That usually means they don't agree with you, usually. Or they want to know more about what you're thinking. Don't get defensive. Here's what I was thinking. Why do you ask? The number one way to shoot yourself in the foot in an interview is to dig in on something you're wrong about or something you feel really strongly about, but you don't have the data on. So, feel free to just be open, be honest. Hey, this is what I this is what I know today. And then ask, hey, what's why do you ask? What's what's the thing that drew you to that particular question on my resume or whatever? It's
a big help. I know personally for me at at this point in my career, I don't feel comfortable putting myself out there on something like that because of that risk. I you know I maybe don't feel comfortable saying hey I don't want to write those medium blogs right now because of that potential of being wrong and somebody saying hey you do it if your blog says like the speaker here is spot on what he said was actually perfect and if you if you frame your blog as I'm a student I'm learning here's what I know today you'd be surprised the people in this room who have so much knowledge Everyone likes to tell you why you're
wrong and you can just learn about it, right? But if you don't if you don't put it out there, that's that's the big risk. I saw a couple of people shake their heads. The risk is if you don't put it out there, then you think you're right. And that's the worst. Put it out there. Just be, hey, this is what I think today. And someone will comment. Be transparent. Be honest. Open transparent. Be curious. What do you say? Sorry to interrupt. It's good. No, no, no. Thank you for that. Thank you. I just want to reinforce um some of the stuff you said especially about um the foundations of security. I interview a lot of engineers, security engineers for
Google. I asked a gentleman who kept focusing on I have a master's in cyber security. I said, "Can you tell me the difference between TCP and UDP?" And he said, "Well, yeah, TCP is encrypted." And I'm like, "Wait, what?" And that home lab point that you put up there too is great because I ask people, maybe the hiring manager will agree. I don't know. Um, I ask people, "How do you stay current?" And all I get is, "Oh, I read this blog or I follow this podcast." I'm like, "Really? You don't do it on your own?" So, these are great points. So please pay attention to those points when responding. Thank you for that. So uh two questions but first kind of
thanks for coming out and sharing this with us. Um I know from my vertical I've been both a hiring manager and a teacher size shares your especially extremely valuable. Um I did want to pick your brain on something I see with my students right now. So I have a bunch of students that generally they're very brand new to cyber, just getting into it. Um, but I also have students that are new to cyber but not new to a handful of professional disciplines. So I have people kind of coming in as let's say they'll come in early to mid-level junior of a key domain as non-cy trying to convert to cyber. Do you have any advice specific to those
individuals who are not brand new professionals generally but just want to kind of evolve what they're doing to cyber? So personally uh I have a teammate who has it that exactly. So they are a senior developer, then they wanted to transfer to cyber. So they started actually working on secure coding reviews as a dev. They know how to write code, that's their job, and implementing that and learning what is secure coding, how to do code reviews, those kind of concept is transferring the skills you can transfer from your existing role and combine that with the cyber concepts, the security concepts. I think that is something maybe one can just sit down and even identify
and especially with cyber security having like so many different verticals itself, I'm definitely sure any STEM background, even non-STEM, can actually implement what they already know and enhance that. Wow. Thank you. And the second question I had was again from course from the hiring manager from the academic side. Um what are you seeing, and if this is beyond the scope you can go off on the problem, but what are you seeing with AI kind of eroding the interview process and can you talk about some projections if you don't mind um that you may put in place to kind of fight that threat. That's a good one actually. Let's talk. So one of the things I kind of from
conducting interviews from if people use buzzwords or just mention the topic a lot of times it kind of means that they don't know what they're actually talking about, they just know the maybe they just ChatGPT during the interview itself and they're just repeating it again and again. That's just a behavioral thing I observe personally. Maybe you can hear a bit more on that. I have so many opinions on that. I mean, I could say a couple things in here, but I'd love to connect with you later as well. The the reality of it is that it's still the same hiring practices. It's just that you have to just be more aware on the
hiring side. So, when you're when I'm interviewing someone, it's always on camera or in person. I'm always looking for what are their personal tics while they're talking to me. I asked them deeper questions about how to do something, not just uh what was the question earlier, uh what is the difference between UDP and TCP. So back in 2010 that was like a very common question for people going to the IDS space. So if you get to a place where you say you ask that initial question and they answer something that sounds a little textbook, the next question in is a little bit deeper. So all right so UDP, what port is whatever running on? I used to like to ask back
in the day, what port does World of Warcraft run on? How would you find out? Because believe it or not, back in the day, a very common ask through enterprise was to block port 666. And being in a sock, we had to figure out why. It was because people were playing World of Warcraft on company resources during their breaks and people wanted to shut it off. So just asking that next layer of question helps you really get into it because they don't have time to ask a question to their AI. Yeah, but I got a bunch of more things. Yeah. Yeah. I'll add we, you know, we've interviewed people and we've had the same thing kind of AI come up in the
interviews, right? And um we've started kind of putting some I don't know trick critical thought questions in there like uh like why are manhole covers round? Like some people may be able to pull that information up immediately, but you shouldn't really have the top five Google answers at the ready depending on what position you're applying for. Rowan would probably know that. Yeah, it's the only shape that won't fall in. See? So, it's not a perfect situation. I'm ready for my next interview. There you go. Oh, no. Cuz one of my questions says, "How are you preparing for the next zombie apocalypse?" Ask them what Oh yeah. It's a level three protocol. So, I'm hearing people from the the other side
of my generation here, which is cool. Um, and someone who's 23. I'm trying my Sure. Right. How what are you guys looking for in us? Like, what maybe let me ask this question. What's missing from what we're bringing to the table? Is it the skill set? Is it the authenticity of the actual person? Is it robotic? Like, I work with uh the interns at work, right? and I'm trying to prepare them to be ready to go and have these interviews for a job. What is it that I can do for them or that I'm missing where they're getting autorejected or you know I I've heard of them some of them applied for 300 jobs and haven't heard back. What is going on
where what we're not understanding? Thank you. Go ahead. You're the speaker. I'm looking at the whole group. Sorry. I'll I'll throw something out cuz the last probably seven candidates I've interviewed, I've dumped everyone. Um just there's no drive, there's no initiative, there's no basic foundational knowledge. I mean, I I start to get to that TCP question. I started by, oh, you type in an email message and click send. Can you walk me through everything that happens? cuz I'm looking for encryption, connections, certificates, log authentication, you know, tell me all of that. And they can't. And I'm going, no wonder we put all this fancy crap in our environments and yet we still get breached. Why?
Because the people don't have foundational knowledge, but they don't have the drive that I've seen. I'm I just turned 65. I've been doing this since 1982. Um, and I I just see people that are they walk up and say, "Give me a tool." And that's all they want to do. I I want to see you thinking about problems and going, "Have we thought about this, right? Maybe maybe we're going at it the wrong way." You know, that's what that's what I would see. Yeah. I would I would probably summarize that in a way. Not just what to do, but why you are doing what? Yeah. Yeah. And and the first thing I'd tell you is attend uh Bonnie's talk at 11:00
a.m. this morning about that. Um the second thing I would say is uh yeah, when you when you put a URL into your browser, tell me every step of what happens. And they're only able to give you like that very Okay, there's HTTPS. What's HTTP versus HTTPS? But then the train kind of stops there. Yeah. Like what happens at layer three? What happens at layer four? Do you know what layer 3 is, right? Of the OSI model. The OSI model. I'm going to say you that's the thing. Can you can you walk the stack? Can you walk it up and can you define the presentation layer? What's the what's the response if they don't know? Another
question. No, wait. What is how's the reaction? Is it you know I don't know, but I'm going to come back to if I get another interview. One question close your interview. They have serious doubts about you for other reasons. Do more. Do you see that a lot? Do I see hiring managers walking away after one bad question or do you see my people from my generation? So, first of all, I don't think it was a generational issue. I I um if someone 65 comes in and says, I'm doing a career move and I've spent my entire my entire like I spent 20 years in the restaurant business. So, I had to move into cyber security. I had
to like I was you but I was 40. Doesn't matter the age. The thing that's important is how what's the depth of your knowledge? How willing are you to learn? How good are you to work with? The points that he made earlier are all spot on. I would grab that slide deck and just review that because he sees spot on there. And then again, love may be asking the question. Was it also complimentary? Yeah. Was it also based in the fact that they weren't being interviewed in the first place? What was it? Say it again. Sorry. Um your question is also based on the fact that your um colleagues weren't even getting interviewed in the first place. Correct.
Okay. So, couple different thoughts on this and for the other hiring managers in the group, I'm going to hold our team accountable too. Um good communication with recruiters is key. Um I've had a lot ofations over almost a decade of Jimmy hiring where recruiters didn't fully understand the cyber workflow because they're HR professionals. they don't necessarily understand cyber off the bat. Um, the quality of candidates I received went up dramatically when I had almost a calibration session with recruiters saying this is who I'm looking for cuz they were often looking for very specific keywords. And when I see a candidate throw a whole bunch of keywords on their resume, especially when they say they they know 18 or 20
different tools, I'm like, you are fresh out of grad school. I trust that you've seen these tools. You're not proficient in them. That is what it is. Maybe I could be wrong. device I'm not actively aware of. But when I've calibrated with the um HR group say you know what I'm not just looking for someone who knows this stuff but like I'm looking for authentic person who um maybe coming at work here and needs to know. So a more authentic resume at that point does pan out but it's also common on hiring managers I think what we're really looking for for our jobs. Um, and also I'll say on resume professionalism and all the counts. Um, even if they're not
a cyber professional, that helps have someone take a look at your resume. You know, make sure it's clear and concise. You know, make sure there's no typos. You know, communication skills are I don't say they're very rare, but they're definitely in need of greater and greater refinement. And when I see a resume come, if I see one typo, we all do it. I'm not about that. When I see four and five different typos in their resume when they talk about previous work, I'm a little bit worried about not only their technical competency but their ability to be effectively in the workplace and that itself can take a career. Got it. And do you think so what about
dry applying to jobs? I try to tell them that's a no no to interns. that's been like are you guys picking out people or have you seen um more people who are reaching out on LinkedIn or saying hey I'm really interested I'd like to talk about this 100% 100% 100% if you've reached out to me and I know what your name is and then I see you apply and you're a fit that is a thousand times better than if you simply throw the resume out and hope it gets through the keywords and hope it gets through HR and hope it gets through everybody else. But if I know where you are, better if, as he said,
you have a a program, a portfolio, a home lab, uh, whatever the thing is you're applying for. Have you done it? Because the 18 tools resonates with me because everyone has 18 tools that they say they don't know how to use, but do they use them in a workplace, right? Can I fire off the right flag at the right time? Sure. You don't know that, right? So, you have to just kind of you have to ask them deep questions, but before you can get to that, they have to know you. That makes sense. And I think you bring up a good point too. Going and understanding the HR process is a whole different ballgame. And if you don't
understand that and you can't collaborate together, then you're going to have that missing stop. And also just adding the last comment. Um, as far as, you know, I prefer to hear from someone I know about someone. If you cold contact me on LinkedIn or cold email me, I probably won't respond. And it's not because I don't find that contact valuable, but because I also have to be careful that I'm not expressing some bias in the hiring process as well. I want to make sure that whatever comes through comes everyone's got a fair shot at it. Sure. Now, it's one thing if I hear from a friend of a friend of a friend, I can pass that feedback to the
recruiter, but because there's objectivity, I want to make sure that, you know, all applicants are treated equally. So, if someone does do a direct call out like that, I'd say don't worry if they don't get a reply, it may just be something ours trying to be objective can, especially in a public contact. Got it. Yeah. It's usually a checkbox about your ability to interact with others and your aggressiveness. Sure. like something maybe come in earlier that folks don't try hard enough that's that's an opportunity to say hey look you know you went the extra mile you found I'd like to pick up one topic about me saying you append with the 300 tries especially on LinkedIn with the
easy apply button it has been that if people see there might be just a 1% remote fitness it's a mass application and that actually doesn't say about what you are doing what you have what you know how you can contribute to the role phone and on that having a personal connection even if doesn't need to be that you know the recruit you can still send them a note shoot them a message an email hi this is my background uh these are my skills this is how I can contribute I'd like to interview for this position and for this actually there's uh Rah is having a session at 10 called the shadow job market that is
primarily about how you can present yourself to the recruiter and go write a blog about the difference between TCP and UDP. Last one. Yes, please. Thank you for doing this. My big fear I I teach and my big fear is that AI will replace all the entry level jobs because I've seen a couple of articles about that recently. What do you think the chances of that actually happening are? So for the automation part AI is already doing. So you know the S band is the one who goes through all the logs that is my prediction would be it will be going extinct by maybe the next few years. But then uh like how when the computer came
the people who used to the type jobs went bust those who used to calculate do the mathematical calculations by hand that went bust. But it also raised the job of the computer operator. Then when the uh internet came slow. So maybe one avenue is closing. But for one thing I think for these AIs is uh how many of you remember how that uh prompt engineering role became suddenly very relevant like shot up with the 100k a year salary and it quickly went bust but you still need people to fine-tune the set the parameters and that is something where there is a lot of scope currently it's for the intermediate role but as it matures and CI becomes more
available everywhere. I believe it will thicken down to the entry level. Maybe not just fresh out of uh the spoon but maybe even with 6 months or one year. We hope that answers the question. I'm not happy that All right, let's give a round of applause for [Applause]