Why Cyber Sucks - Keith Price

BSides Cambridge | 48:59 | 6 views | Published 2024-01

thanks everybody um yeah my name is Keith Price uh I am originally from Glasgow as you can tell um my accent is very thick no I'm I'm originally from Buffalo New York um I came over here uh many years ago with the US Air Force sent me over here and I've just stayed and nobody's told me to leave so it's gone very well uh got my residency now so y'all are stuck with me but I I was thinking of a topic and I it's been a long time I used to talk at all these types of events pre-COVID and this is my first one in like three years so I might be a little rusty and I might suck a

little bit so I apologize for that in advance but I'm going to try my best I think this topic um so where I'm coming from is I want this to sort of be a discussion really versus me just talking to people um it's a view from outside our industry and how other people see us you know the the CIOs the CTO the CFO um other people in the organization who might not like us a you know and for good reasons sometimes right so I think we're very good at self-reflection and self-deprecation so this is kind of in that vein um it's from a place of love but I am a sarcastic kind of guy some of

you may know that um and so it's going to be delivered in that sense I don't know how to get it back on the screen so I've already failed um sorry about that I've got it here on the screen but I don't have it there so I just need to turn it off and start again yep there you go turn it off and back on again never all right yeah so thank you very much Madison um it's uh yeah so it comes from a place of love but it's going to be kind of harsh um so I apologize I hope I don't trigger anyone um but basically uh yeah it's been a rough time for Humanity

uh last couple years um security has gone through a lot of evolution a lot of changes um I came from the military the US military where as a security guy people would come and say I we want to tr no no nope nope big red no and I just said no all the time and it was the easiest job in the world and and I got paid and nobody ever complained because it didn't matter right but that's really not the real world and in fact the military has changed since then as well um to sort of meet the requirements for what the real world needs so as an introduction um this is my family uh so this about two

years ago um I have seven kids I have uh in here there's one grandson who's now a year old uh that fur furry thing is a grandchild as well I guess but the rest of them I've got two son-in-laws and the rest of them are mine in that area um so in the military when you change assignments you go into a new house and you don't have any TV and you don't any internet and there's not a lot to do so every time we moved we had a kid and that sort of was our you know my wife said you can have sports cars is a midlife crisis or kids and I said I like Legos so let's go kids

and that's what we did so my youngest she's uh five now and my oldest uh Chloe she's 27 or 28 I can't remember but they all live we we live uh near elely now um that this was taken to the garden and she she and her partner they live uh doing their own thing and everything and the five youngest are with us and uh and these three here um they're like the devil because uh he just um got into my diabetes medicine and changed it for other pills and was quite honest about I thought I could kill Daddy and um and these two enabled him so that's what I'm dealing with um and this one wanted to come with me today

and I was like there's no [ __ ] hell there's no way you're coming you just tried to kill me uh so my uh yeah 32 years uh now um and it's weird cuz I'm only 35 years old so I started really young uh it in the in the military I was a munitions guy starting out so I was building bombs and missiles and things for A-10s uh F-15s and things like like that uh retired at 20 years out of Lakenheath which is nearby uh went back to the States went to uni at 37 I thought this is I'm really old for this but you know it was a good time and I and I learned more

than I thought I would and then we came back I got a job with the US Army came back via Stuttgart Germany uh to Molesworth and after 5 years I retired again as a civil servant and uh was about ready to go back to America to Washington DC when uh this company in Dubai DarkMatter called and said hey we want you to come over here and build a cyber practice and I was like I never did that but sure let's go so went over there spent a year building a practice um working with nuclear and oil and gas and financial and all the fun stuff and we had a lot of toys and a lot of money and it was it

was good times and you know everyone everyone had money oil was expensive and so our clients you know were just shelling it out for us um and then Deloitte called and a friend of mine jender at Deloitte called he says hey we want you to come over back and build a internal cyber function you know I'm I'm the CISO and the GRC and I need you to do the the cyber the technical security and I said cool you know come home my wife and kids stayed here while I was in Dubai and so I came back uh I worked for Deloitte for a year but COVID hit and so they said um hey Keith you you worked epidemics while you

were in the military didn't you and I says oh yeah and they're like congratulations you're now on the Deloitte epidemic team you know and so I was working supply chain and I was working you know secure working from home and all and it was actually a lot of fun uh but I the cyber thing fell away and so we parted ways after only a year uh from there I went did a really short stint at a place up in Nottingham didn't work out uh um and moved on to my own consulting limited company and that's what I've been doing for the last two years is um working with Envision Pharma they're a technical uh company providing like SF

solutions and applications uh for all the pharmaceutical companies so they had a they had a Cony breach in 21 and they brought Mandiant in and Mandiant my friend at Mandiant said Keith come in and help us and then help them build the security program so that's what I've been doing for two years as a contractor outside IR35 and it's been amazing so uh I got no complaints but um I've actually got something now that I'm looking to move into permanent work uh I don't want to announce it because I'm one of those don't want to jinx it kind of guys but in the next month or two I'm moving back into a permanent role uh I'm quite happy

about it so you know keep an eye out and uh hopefully it works out uh you know I can go back to permanent and play all the political games you know that bureaucracy that's involved in in politics and so forth but and also I work um I I volunteer um working with students CAPSLOCK I've worked with CAPSLOCK I've worked with military veterans mostly on the US side but now I moving to British military veterans working uh signing up with TechVets and some of the others and then also trying to help people that you know maybe they want to they want to go into cyber you know so I had um a couple 14-year-olds friends of the

family they want be work experience and their their their parents were like you want to go with Uncle Keith 'cause that's a good job so I had three 14-year-olds and I said oh this is amazing what do what do I do with 14-year-olds you know and so we got Hack The Box and I got on doing Cybrary and we were doing stuff together and it was amazing and I'm like I want to keep doing that too so now I'm looking at setting something like that up um sort of like a cyber cadets or something like that um here in the UK and then I I do board advisory for some startups uh some

friends it's really friendly advice you know so I'm there to help with that and then again at the bottom and this is really shouldn't be at the bottom because for me it's like priority one is I'm a huge advocate for improving mental health um especially in our career in our field our profession is really hurting and it's across all levels you know we used to cry about the poor CISO uh but it's everybody in cyber you know the CISOs too but the mid-level people who are expected to wear 10 hats and things like that so those are some of the things I'll be talking about today in why cyber sucks and I I'll be honest and I hope this

isn't rude but I was originally going to title this [ __ ] you cyber um I have a book I've been writing for about three years now as everyone writes a book and it's called [ __ ] You cyber and it's kind of the same thing it's like you know we want to be successful but they're cyber you know screwing it up and they want to do this and they want to do that and you know and I know that we're getting better so I don't want to be too uh pessimistic about it but all right what yeah why cyber sucks so and my my my slide skills really suck I used to do all the cool

swoopin and uh you know that and now I'm just like here's here's my slide so this is the this is basically what I'll be talking about today and again I kind of like it to be interactive so I'm going to be asking questions I'll try not to pick on people because I know often people like no don't call me um and I won't do that or I'll try not to but if it's it's I want it to be and it's almost like I think someone had a talk earlier about Choose Your Own Adventure it's kind of like that because if the audience doesn't want to talk about entry-level cyber jobs and how they suck well then why would I talk about it I'm

wasting everybody's time so let's talk about something that means something to you the audience so the career BS uh they're all going to laugh at you who knows that reference nobody no Adam Sandler I going to laugh at you oh my God I suck already and I kind my wife is like nobody's going to know that okay yeah and then and then as I said to Rosie it's kind of a [ __ ] sandwich right this is Keith he's a nice guy and then and then cyber sucks and then it's not that bad you know at the end so uh we'll see if I can you all right uh so let's start out entry level you know there's a

talent shortage everyone screams there's a talent shortage there's a skill shortage there's a skills gap we have 27 trillion jobs and not enough people to fill it okay maybe uh but you know I think I'm one of the ones who my belief is we have people that can do the work it's just most of us in leadership our budgets and our teams are so tight we would love to hire entry-level no skill people but every position is critical and so the reality of that is you need to come into many cyber jobs technical especially with some experience um and that's kind of how it really works um but um how so raise of hands who here has been trying to get

their first first cyber job three okay uh I'm going to I'm going to hit this briefly for you three okay um how many have you seen things like you can earn 75,000 right out the gate you know do this uh certification and right we've all seen that I see it all the time I see it from like British Army adverts uh and they're like leave the Army and earn 78k as a cyber I'm like it's not really being honest with the folks that are looking to join our profession you can get there you know and we can talk about you know career paths and how you're going to get there but the reality is it's probably closer

to 25k 27k tier one SOC analyst and that's the other thing is we I don't think we're quite honest with people who are looking to join the profession whether they're uni graduates or they're just you know 18 19 and they just want to join a profession or career changers I don't think we're honest in setting the expectation management for them you know when you look at the jobs that are out there as entry level most of them are SOC tier one jobs or uh big four junior associate advisory type auditor assessment um you're not going to find many entry-level pentester jobs red team jobs you're not going to find uh many engineering and art architecture jobs

even folks who come out of uni with all that skill set it's very tough for them to find I see people with master's degrees and they're like I can't get an entry-level job with a master's degree what's going on and the reality is they're competing against people with three five years hands-on experience as a sysadmin or a network engineer who's now transferred those skills into security um and then of course the job ads you know entry level three to five years experience you need a CISSP and here's the list of all the SIEMs you must be experienced in and then we want this and you're like what really first of all you know you're telling me that

you don't know what you want which is not necessarily a bad thing because not all companies know what they want um and so if they go to a specialist recruiter that recruiter might help them say look that's terrible job ad and we need to think about what is it you need but at the same time don't advertise which SIEM tool you use as well so let's keep it generic and and and around the tooling and stuff like that so again uh it's very defeatist when someone who's looking for a new job and especially now you go on LinkedIn and you're like oh a new job and 800 applicants what the heck you know you're like how do I compete

and I think a lot of us know on the inside we're like it's it might be 800 people who clicked apply and never went and applied or it might be 800 people who applied from you know jalter and they're not available for the job you know it's just people Hail Mary you know I need a job and I understand that it's hard it's hard in the states I would say there's been more Tech layoffs than here um but that's a whole another topic of mine I'm you know around workers rights and things like that that I I won't bring into this but what are some of the best entry-level searches like some of you new folks what when

you're searching for for a new role what kind of roles are you looking for tech support tech support so like uh they need basic experience CCNA you know okay so uh tech support is it more on the infrastructure side or is it more on the customer side customer-facing okay customer facing and that's uh that's actually a good gateway um I worked at a couple organizations where we took help desk people you know they've been there a year or two and moved him into cyber as a well I had a GRC junior analyst and then we trained one to SOC because our help desk was actually doing some SOC stuff anyways there there's not as hard

delineating lines between IT and security and they're crossing over more and more each day you know I just did an Azure implementation of my current place and now I got rid of all these other security tools and now I'm using all the Azure Defender and da da da and my budget just went cut in half because they're like well you don't need the budget because you just got rid so I'm like yeah but I got still have security tools but they're being paid for from a different place so now it's hard to know what tools do I need to uh get the experience in as a as a entry-level person and I would say even

maybe mid tier is starting to think hang on a minute the old way of security was never put all your eggs in one basket don't got you know window u ms is terrible for security they're getting better but um so what do I do with all this 10 years of knowledge in Splunk for you know Cisco formerly known as Splunk you know as we do now um so it's tough also for the mid-tier people to go well I just invested all this time and now everybody wants to go to Azure you know I got to relearn something that you know it's really frustrating and and that's where I transition now to the mid career right everyone wants the unicorn

everybody wants oh oh I'm going to hire one role I'm going to pay him 45,000 and they're going to be an engineer an architect an AppSec guy a pentester a tier three SOC analyst a threat hunter a junior CISO a and you're like come on you know and people take those jobs because in their mind they think oh I can get this job I can get all that experience and they're going to develop me and they're going to pay for all my SANS and I'm going to get you know $70,000 worth of SANS certs and and then they get in the job and they're like hey here's your office in the basement keep us secure good job good

luck and you're like the guy the person is like I've been left and oh no what have I done you know and then they either hopefully have a back out plan or they stick it out and then we get into the mental health issue the burnout you know and we see people you know and I think COVID kind of changed it a little bit where and also the younger generations they're what's important to them is get into an organization make an impact and then one or two years move on to the next challenge whereas folks you know in my age cohort and so forth we like got to spend you know I got to do

five years there I don't want to seem disloyal and you know but then you get to the end and you're like it's no challenge it's no fun I did everything and I really want to move on and they we see all these young folks like yeah I'm going on the next thing and you suck and good luck and but it there's not enough development too that's another reason people in the mid-career move on we've stopped developing them again we go back to the tool we go to Azure in my place he says oh yeah we're doing Azure and I said okay do we have any Azure trained people or knowledgeable ah they'll figure it out you know they can do

online training and you know on their own time of course and I'm like oh awesome strategy you know that's great and then once things start go to hell and who here has tried to get a hold of Microsoft before for tech support they're like it's like your reseller is on this phone and Microsoft is on this one they're like good luck have fun you two and you're like I don't know what we're doing you know and we're not developing our teams we you know some of these SANS courses all right they're like the top-of-the-line stuff but they're what $110,000 who you know nobody has that kind of budget so in my place in Envision I was told

you know you're a one-man security team that's it that's how it's going to be for a while and uh I said okay what I found was some of the IT folks had already done some of their own cyber training so I said oh network engineer you want to learn some more so I dotted lined to him and we started I started teaching him some more and then uh the woman who took care of our ISO and GDPR and all that she was working in facilities and operations I said oh do you want to learn more about cyber assessments and things like that dotted lines to her and I was doing that was dotted lining like being really sneaky

and uh I told their bosses I was doing it they're like yeah whatever and then like two months ago we got a new permanent head of infosec and I said you've got five people that you can just steal and bring it and he was like oh well they told me I couldn't hire I'm like no they're all internal so we this kind of shitty thing to do we went we went and said uh to the CTO the new CTO were like hey we can build the cyber team and it's not going to cost anything cuz we're just taking people from IT and facilities and other places in the business and it's not going to cost you anything he was like

oh do it approved and then and then we went and then we went to the IT director and I says oh I'm stealing uh two or three of your people he was like at first he was like oh man sucks for me then he thought about it he's like well do I get to back hire yeah yeah it's still open position you get to backfill they're coming to us he's and then he kind of was like well cuz one of the one of the sysadmins she actually handed her notice and then that week I called her I said would you stay if we brought you the infosec she goes yeah so he goes well at least

we get to keep Lorna you know she was about ready to leave and now she's having going to infosec yeah okay I can support that and so it didn't end up being as a dickish move as I thought it was going to be at first so but yeah we're not developing I mean I'm not telling anyone in this room anything that you don't already know you know and to include developing ourselves you know um I had to go and teach myself Azure cloud computing defend Defender for Cloud uh Sentinel all these things which I had enjoyed and I dusted off that 10-year-old part of my brain that hadn't done that a long time and I've

thoroughly enjoyed it but that's not really the answer it's not a long-term strategy is to you know retrain 50-year-old CISOs into you know that type of work it's I don't have the mental flexibility to really do it as well as younger folks and then on the late stage you know the poor CISO right we we have a there's a high turn rate globally of CISOs um it kind of has tapered it tapered off a little bit over the last few months because people were losing jobs in the states it had a bit of a knock on effect um recruiters were losing their jobs I've seen a ton of recruiters out of work and so CISOs were

like oh I'm just going to stay where I am because I don't want to lose my job and my security and stuff like that so but typically it has been an 18 to 24-month turn rate on CISOs and heads of and I think I think it's going to pick up now because my as a contractor I watch the job boards all the time and it's gone from 10 CISO jobs in the UK to like 40 50 um and they're not all SE some of them are DPO type jobs which you can't pay me enough to be a DPO but uh it's current tough job market um but again I think it's when I wrote this slide a couple

weeks ago so much has changed even in the two weeks and then lowered standards um I think businesses are trying to have a bit of a go so they're like we used to pay this much for CISOs we know that there might be a lot of CISOs looking for work or even just looking for a change and so we can offer this which is lower or they just offer silly low with kind of again insane requirements and they hope to get someone in just to take the job or someone that wants the CISO title so that way they can then get their path towards CISO and then that person is not prepared they haven't um you know lived

the life of a maybe a deputy CISO or someone who's assisted and all a sudden they're in at the deep end and it's like we need you to do this we need you to do all and and all of a sudden the person's like I don't think this was a good idea for me um but what do I do I can't give it up so again it goes back to the mental health problem and and potentially oh yeah sorry Michael on the on the light stuff how much do you think that's influenced by CISOs taking the blame for everything and how much do you think of it is because this this new market like vCISO so we use

vCISO we can't the one on our own yeah so we bring in a third party how much yeah I think um there's a lot I do see a lot of folks going straight to vCISOs as a path and I think it's it's easier cuz it's lower risk for them because 'cause it's they're a consultant they're an advisor you know they're not a internal full full-time employee so if they mess up okay you know it's not as harsh on them the the the the kickback on them is won't be as bad um so I think there is an increase in that virtual CISO market availability and it's from it's also from people that um I have some friends

who are moving and they're going from the IT or the uh digital to being also security so it's kind of like they're a hybrid and they've gone and seen oh there's a lot of these vCISOs so I'm going to do vCISO vCIO v you know and they've got the whole v covered you know you're like oh great you know I get six people so uh yeah I just definitely some impact there from that um but the studies that we see from you know like Hiscox and things like that I don't think they answer I don't think they ask those questions I think they're still very sort of vanilla on what they want to know from CISOs and

vCISOs and so until we start really diving into the root causes we won't have you know it be anecdotal evidence but I think yeah I think you're on to something there um and I've seen it um and I hear Europe is really bad for finding SE oel and I think it's because they see it as too much pain for less responsibility you know or they have the same responsibility but not the um impetus you know they don't have they're not sitting where they're they think they should be um and I know a lot of times we say well we should be at the table you know we should well really do have to earn our place there and there's

it's not as bad as a lot of people think but um I think a lot of folks even in the states or mostly in the states the CISOs are the risk owners and I tell my compatriots I'm like don't do that don't let but the problem is is they they don't have a choice because they can be let go in a snap of the fingers they can lose their job in America there's no protections for them so they're constantly worried if I say no to something if I push back I know it's not right that I'm accepting all this risk but I'm going to lose my job right whereas here we have a little bit more of an attitude like no that's

not right and if you don't like it you can get rid of me and that's fine I'll be all right I'll have health care and I'll have other things to fall back on um and I'll move along so we have a little bit more power here on this side of the Atlantic so um is there any questions or comments that anybody yes I the kind of like idea of career progression and things like that how does one adequately progress from like the unicorn to the CISO sobbing in the corner so to speak um because the mid mid career is where I'm at at the moment late stage is where I'm wanting to progress to eventually but seeing the

kind of opportunities to adequately progress to a point where I'm prepared and would be not an unprepared newo which taking on a role with a lower standard so to speak it doesn't seem like there are many opportunities to actually do that properly it's either going in and prepared and jump into the deep end and hope I don't drown or accept I'm going to be mid career until I retire time even an option in this economy yeah and I will answer your question but if I could quickly say too we have a problem in cyber that that IT solved a long time ago and that's with the individual contributor so if you want to climb the

ranks of career progression but not via a CISO or not supervised we don't have we have architects and engineers and things like that we don't have as much as other technologies options but for you you want to go into that leadership position and it's really you kind of have to find a place that is known for developing that talent so I'll give you an example at Deloitte I was a director head of cyber and uh reporting into me was half the CISOs in Europe they were all managers they were CISOs and they'd been doing it like 15 years and so that was their progression was they were a CISO but they still had someone to care for

them and guide them and develop them so but in most organizations when you wear the CISO crown you can't go to the CEO and goes I need development today you know cuz he's going to go no the CISO do it do the work so it's a very good question and it's hard you know until you know of that type of organization or you have friends that are that type it's very hard to identify where those opportunities exist because they don't normally it's normally you go from the position where you're at and then they say congratulations if you want you're now the new CISO that's terrifying right so that's not a great answer I'm afraid I mean there's

uh so for me I was very privileged in my career I was told where to go and what to do and who to be by the military and I just happened to like fall into cyber security uh you know and so I didn't have any of these conundrums that everyone else in the real world has but when I left the military and I was oh I'm going to be a CISO in the private sector and then I came in and I knew nothing of business I was one of those CISOs thrown in the deep end and I did to myself and I said ah okay and I went and did a small little MBA course to learn how how what

the hell they're talking about and then uh I got a CFO and a COO mentor so they go hey you know how can I stop being the dummy in the room you know or worse I was you know we have 750,000 vulnerabilities and like you know why does nobody care about my cyber metrics and reporting it's beautiful look at all the graphs and and they're like no that sucks and so I at geez 40 something had to do it you know and so I I did like the Certified CISO course and doing other things I was like okay I wasn't really ever a CISO was I I was you know in the military they called me a chief

security architect but I wasn't CISO and then so I've only really learned in the last 10 years how to do it so it's a tough question if you will allow me I would like to go away and talk to some people and try and get you a better answer than what I'm just giving you today 'cause it was kind of a shitty answer so what am I doing for oh my gosh I'm way off time it's F the next one's I talk I wait I ramble I oh my gosh I've got 42 slides to go I not I am not going to make this all right let's do this oh don't on that some of the other [ __ ] in cyber

influencers all right influ influencers because their advice is rubbish um okay again I'm not trying to be mean but you've been in cyber like 8 days and now you're a LinkedIn [ __ ] influencer for cyber how did that okay I know how it happened social Saturday everyone post here and you'll get 2,000 LinkedIn connections are quality and I'm like no okay I mean if you're selling a book or if you're selling something awesome go get all those connections and 70,000 followers and stuff because it's your business but if you really want to connect with like I connect with people mostly recruiters because that's self- serving for me at the moment but um I connect with people and then like hey

how you doing watch up to this week and then like a week later oh let's have a video call let's get to know each other you know it's like two people a week that I do that with across all levels you know entry level people come to me and say uh I had someone yesterday say I'm having a really hard time and I know them but we've never met I'm having a really hard time and you posted something that thinks that I think you're going to support me and I said let's have a call jump on a call right now and she was like oh I hate this and yeah that sucks so those are like the

connections that you want to make not okay you know again a lot of them don't have much experience now a lot of them they have a their hearts in the right place so they want everyone to succeed they want but a lot of it is like it's almost like a drug like I have 20,000 this week I have 28,000 this week and I'm like so what what does it really mean in the grand scheme of like life or our profession how is it how are you helping those 20,000 people I don't know you know maybe I'm just grouchy about it but gatekeeping women don't belong in cyber oh how did we go from 22% according to SANS to 17% this

year pandemic in one year pandemic affected the pandemic women typically have more of the RS are home that's my opinion no no it makes sense and I'll be honest with you I I'm thinking more recent about it than pandemic I'm thinking financially families can't afford child care and who makes more money the husband and so the wife says I'm going to sacrifice my career because we can't afford the child care and I'm going back to look after kids or they work in a shitty place now like I'm thinking America again here as an American I can be racist against my American in America women are it's like well we're firing all these people and so you all better watch your [ __ ] and we

can just treat you however we want then includes you women so stop being so independent and like sticking up for yourself and because we'll get rid of you and a lot of dudes are that way I'm talking like guys my age and older who you know return to the office mandates who's impacted most by return to the office mandates men or women women exactly because women working from home have the flexibility to do things that they need to do to take care of the other part of their responsibility in life but they still get the work all done right they're still doing their job taking care of the kids looking after the house yelling at their husband for

not doing a goddamn thing to help all those things the women are doing but now the the business is like sorry we need everybody back three days a week because you know collaboration and uh you know all these other things it's horseshit these guys they like to look out over their cubicle kingdom and go I own all these people they all work for me and if I can't see them because they're at home where they're [ __ ] lazy and unproductive even though the data says differently right um I'm kind of like a hybrid flexible kind of guy I like to go and meet people not necessarily the office I like to go go meet at the park or at the beach or at a

cafe or whatever we still collaborate but yeah these old dudes and it's usually old dudes who say you know oh also my portfolio is suffering I own a lot of business properties and you know [ __ ] my mod BL is St so everyone come back to work you know and it really is down to that it's very you know I sound like a sycophant when I say it but it's the truth I think we can all everyone in here can be honest to say um that it definitely negatively impacts women so much more all these things that are happening and I think that you know I would love to see a proper study that

goes to women and says why are you leaving you know why did you leave the last few years and then so we can see why that occurred and then do stuff to try and reverse the damn course on it right because we worked you know I came in there was like 5% women in IT and we've seen it you know we're like yeah we're getting better we're getting better and it's boom you're like oh what the [ __ ] happened right so um and then degrees versus certs versus experience you know you see it all the time degrees are better certs are better experience you know I think it's just like all three you know in moderation or or a mixture of

two of the three or one of the three but really good you know but like I told a guy had 32 certs in 2 years and I'm like I'm never I would never hire you man oh why well cuz you cheated probably right brain dumps I know about brain dumps and I know that you can go to India for a week and have a vacation and they'll take all your tests for you because I've been offered that kind of stuff all the time I'm sure everybody gets you know we'll give you 100% pass rate okay how much is that and they're really bad in the Department of Defense for that the IT people because they have

to have certain certifications to get promotions they'll cheat and get you know I got 10 10 Microsoft certs last month and you're like Jesus Christ man you know have a life uh and then I suffered I suffered so should you you know I have worked 32 years and I had to make tea for four years and it sucked and I had to do all the crappy stuff so you do too cuz you're just a new young person and you don't your value is not as much right so they're like what the hell you know came in here all excited bright-eyed and bushy-tailed now my you know my boss or my boss's boss is

saying that I should have to pass all these tests and obstacles and things just to be you know equal or or earn a place in the team right ridiculous um and then the user is the weakest link right o we always blame the user and you know but it's our awareness programs we phish people to death you know why do we do the phishing tests you know I do them because I want to see how good I'm delivering my awareness that's what I use them for um you know phishing tests they do have their place I'll admit it's a very easy way to get a metric that tells you what's going on but you shouldn't use it as a stick you

shouldn't say well you know you you failed three phishing tests you know this last year and um you're not going to get your bonus or you should say why have you failed three phishing tests and they'll go well I have 10 jobs and I'll be quite honest I don't give a [ __ ] about your phishing test in fact I know it's a phish I've had people tell me this I know it's a phish and I click on it two minutes all right I am really sorry guys I why the board doesn't give a [ __ ] all right really quick they all think we're rock stars they think we think we're rock stars we're prima donnas you know we go

in you got to do it our way you know uh and so we have to think you know I was like I said no but it should be like yes but you want to do that yes here here's the three courses of action you can do to try and get there or you accept the risk right uh we're greedy uh we still spend a lot on things tools and toys and um you know cyber spending is still increasing when everybody else is dropping theirs and then we don't understand the business again I said I'm guilty of that I thought I was the [ __ ] hot technical CISO you know from the gods and all that and then I came into

the real business where they're like you're dumb like you you absolutely had nothing of value here and I'm like oh you know so I had to go away and and do better and and it really involved again reaching out to those mentors that could say okay yeah you are dumb but it's okay you know we're going to help you get better uh okay uh and then it doesn't really suck here's the other side right we have tons of really good mentors right I haven't seen many other Industries where people are willing to help others all across the levels of their journey in cyber there's growing mental health support So cyber Minds is a new initiative that was just launched

uh again I'm a big proponent of improving mental health and sometimes that involves hiring more people to take the stress off your teams and then we get to hunt I mean we hunt bad people right that's like our job we're like the police of the internet we help protect children you know families uh it's not just about the business uh it's about protecting human you know safety it's quality now it's not just about security for the sake of risk it's introducing quality into it to improve business but with security behind it and I'm sorry for my whole plan was to give everybody like 5 10 minutes to go uh do stuff so I'm really I'm really

sorry but is there any questions or uh happy to yeah I really like terrible money thinking so from a very early stage from the operation stage let's say you start having a I think from the very beginning you should be forced to think about where you going to be in a non operational right so that transition way towards say you got engage with a business but you're not early on and all you care about is technology security so I think it I think you should be forced to think about how you going to get out this operation two four years yeah and then basically choose a discipline choose a specialis right so you're not going to

be like a Jack and show you value to business I think that's really where that yeah where I agree and and we're often called one-trick ponies by the board in these right all I can do is I can only give you seasonal Ro I might be give you an IT director like an IT role or something but you know CFOs and cosos and others they kind of can't move around right it's that MBA like I said the MBA is kind of powerful and it's not just because of what they know from that MBA it's like a badge and they're like I'm an MBA you're an MBA right so like you said um we are so focused and so

tunnel visioned on being just as the best we can on this one mission that we do lose that Future Vision of where where should I be in three years you know maybe uh maybe I should move back to technology and learn more about what's going on there and then think about coming back to security or or you know in your in your opinion which is you know really good is like think about specializing and not trying to be everything to everybody but still having because there's there's know technology companies want a CTO s they don't really care about MBAs as much they want the technology might FKS does it make sense right so when I say NB those are Gods I

mean in that world uh it doesn't apply everywhere so yeah and I'm telling people that now like I had an army guy yesterday I was mentoring and I said he's in he's in the RAF he's in cyber intelligence and he says I'm about to get moved outside cyber intelligence to a different Intel field and I'm worried that if I stay in the RAF and I lose that and when I retire I can't come back to cyber and tell you know what I was doing I said uh not necessarily however if that's what you want to do and you're focused on that then you know think about punching out the year staying on that track keeping

your focus I said because you know we think about AI security and robotic security and OT security very hard to fill Niche functions um my Cobalt came up again the other day on Cobalt what okay and there was $350,000 job in the state for like I wish I remembered that but you know so to your point yeah I I agree I think we lose because we're so concentrated on what's in front of us today we do lose sight of the future any anyone else want to for the like entry level folks how guilty do you think the IT space is for rebranding loads of jobs cyber oh like can you give me can you give me an example of what I see loads

of folks who go and they looking at like the SOC it's usually a SOC analyst role I read the go that's the oh yeah yeah you see you see like companies because they know there's great programs like caps which you and I invol with and suddenly they say like and I look through this go pretty sure this is the when I was 17 working on the call the tickets well MSPs MSPs are really bad for that right oh and when I say really bad so I worked at Littlefish and they were an MSP really good and then they wanted me to come in and build an MSSP and my track was from the help desk right and so they

started doing that they started advertising the help desk jobs as cyber partially was true because we our SOC was 7:00 a.m. to 7:00 p.m. so the help desk actually those night shift people were SOC triagers you know we trained them to respond to certain thing but you're right I think it it's a way to like oh we sell this job as a cyber job we're going to get more candidates better candidates as long as they're a little bit truthful in what they offer I don't see a problem with it but if they're bald-faced lying about it yeah I'd have to I'd have to look at someone see some of those send me some of those

you know I like to tear up a job back right anybody else again I'm really sorry that I went over time oh it's fine the next one isn't on for the 10 minutes okay good well thank you all very much