Cybersecurity Mentors Podcast

Interview with Dr. Gerald Auger - From the South Pole to Simply Cyber

Cybersecurity Mentors Season 1 Episode 7

Steve: 0:34

Today we have the pleasure of interviewing Dr. Gerald Auger. We'll discuss his origin story, how he ventured into cybersecurity, his unique experience working at the South Pole and the creation of Simply Cyber. Gerry has generously offered our listeners a discount code to his GRC Analyst Masterclass. Check out our show notes for the link to his class and use discount code CYBER10.

John: 1:00

And also we're excited to share that we started a newsletter where you can get additional cybersecurity mentorship and career advice sent to your inbox. Check out the show notes for the link to sign up today.

Steve: 1:14

Welcome everyone to another episode of the Cybersecurity Mentors Podcast. In today's episode, we have the pleasure of speaking with Dr. Gerald Auger on his cybersecurity journey. Dr. Auger is a 20-plus-year cybersecurity professional, academic and author. He has been the cybersecurity architect at MUSC, a multi-billion dollar academic medical center. He has built cybersecurity programs from the ground up, is an adjunct faculty member at the Citadel Military College Cyber Science Department and fulfills the role of chief content creator on the successful YouTube channel Simply Cyber. Dr Auger is passionate about cybersecurity and has educated tens of thousands of students on the discipline. He holds a PhD in cyber operations and two master's in computer science and information assurance. Welcome, Dr. Gerald Auger. Thank you for being here.

Dr. Auger: 2:07

Yeah, thanks Steve. Thanks John. Super excited to be here and have a great conversation.

John: 2:12

Yeah, we're excited to have you. So we're going to go back to the origin story, to the beginning. I don't know if people know the story. I don't know the story, even though I've known you for a while. Tell us, where did you grow up?

Dr. Auger: 2:37

Oh, wow, that really originates. Yeah, we're going back. My mom's side of the family was from the South, my dad's side was from New England. So I did spend the very early part of my life in the South and I still have family there, so I would go there for summers and long breaks and stuff like that. So definitely have that Southern politeness instilled in me as a youngster. But I grew up essentially in New England, in Massachusetts, going through Massachusetts school systems, which are really good school systems, or at least I thought they were very good. Leaned into education, always enjoyed challenging myself, more AP classes and honors level stuff like that, and then went on to University of Massachusetts, Amherst, which is kind of the flagship school out there at UMass. Fun story, John and Steve. Again, never really tell this story. I was not really challenged.

Dr. Auger: 3:31

Even though I was taking all these honors classes in high school and stuff and did sports and whatnot, I wasn't really challenged. So I was kind of cruising and I didn't have a mentor, I didn't have guidance. My family wasn't really the kind that went on to college and didn't know what the deal was on how to select a school and what you're supposed to be doing. I'm like, I like computers, I'll do computer science. And people were like, oh, you got to apply to all these schools. So basically my girlfriend, my longtime girlfriend, applied to a school and I was like, okay, it wasn't really a computer science school, it's like, all right, I'll apply there. And then I was like, oh, I got a scholarship or whatever to go to a school in Boston and it's like 30 grand a year and they gave me like a $2,000 scholarship. I'm like, oh, I've got a scholarship, right? Because I'm 18 and don't know anything about anything and $2,000 seems like a lot of money and I'll just take a huge loan out and never worry about paying it. So I get accepted to both of those schools and the relationship explodes and completely collapses on itself. So I'm not going to that school anymore, thank goodness.

Dr. Auger: 4:40

And then the school in Boston. I realized, I'm like, wait a minute, as we get closer. I'm like, wait a minute, I don't have 30 grand a year or 120 grand, what am I doing? And I remember it was April or May, I mean, it was deep.

Dr. Auger: 4:56

We had already gone way on and my cousin actually went to UMass Amherst. He was a senior at the time and he worked at the admissions office and I frantically applied and just emailed it to him. I'm like, can you help? And so he got it side-channeled into the admissions office. I earned the right to be there. It wasn't like I got gifted an admission, but I certainly didn't go through the right process and matriculated in the fall and went off and got a computer science degree from UMass Amherst. But just even talking out loud I know it's family, but it just goes to show you the value and power of a network. I say it all the time and I never even realized. If I had sent that application out to UMass Amherst in May, they'd be like you fool, like no, you know. So that's yeah, that's me, you know. Got a computer science degree and then entered the big wide world and started adulting.

John: 5:55

So I'm curious, like I know for me, like what was like your first computer, what was the thing that kind of got you into computers?

Dr. Auger: 6:06

Yeah, you know that's an awesome question. So we had an Apple IIe and for you youngs back there, this was the jam. It's the one you'd have in your school, right? We had an Apple IIe. Like, basically the software stack for Mac, or not even Macs, but the software stack for Apple computers back in the 80s was trash, right? So Windows had applications and Mac didn't. So I think we had Print Shop and then Ultima Online 3, or not Ultima Online, Ultima 3.

Dr. Auger: 6:41

And I would play those, but it was really limited on what you could do on that. So I found an attraction to the computers. I liked the cleanness of them, you could do a bunch of stuff and there was no mess on your desk. But the one that really launched me into the next phase of my life was a Hewlett Packard. Again in the 80s or early 90s you either had a Hewlett Packard or you had a Gateway. So I had a Hewlett Packard 486SX, 33 megahertz with the turbo button. John, Steve, you guys remember the turbo button. It's so stupid. Why would you not have the turbo button?

John: 7:17

Next level.

Dr. Auger: 7:18

Yeah, it was like a physical button you push on the thing. So, uh, once I got into that I started getting into BBSs, which is like websites before the internet, and like dialing into people's computers, playing games. Trade Wars, like that's like an old school BBS game, and I just started getting into that. And then even then, like my getting into cyber, really I got blown away at one point in my career which launched the entire fleet of me becoming cyber. But even at an early age I remember being really, not turned on, but really interested on fringe type stuff.

Dr. Auger: 7:58

Now I'm not going to commit crime or anything, but there was this thing called the Jolly Roger Cookbook a million years ago and it would teach you how to do phone phreaking, what blue boxing is and red boxing, and personally I found it engrossing and fascinating. I never wanted to commit any of these crimes but I found it just unbelievable that all this knowledge was out there and that was accessible and stuff like that. So yeah, that was absolutely my first intro into, um, you know, interest in cyber, that and the movie WarGames with Matthew Rogers.

John: 8:31

Yeah, I was going to ask you, were there any, any movies? For me, for sure, WarGames was, was part of it, although I had no idea what that stuff was and was just like, this was foreign, but it was cool. I was like, this is amazing.

Dr. Auger: 8:46

Yeah, this is cool, so cool. I can, like, again, like a complete dope, I remember like somehow like blue screening, like my Apple IIe. Like, they don't blue screen like a Microsoft OS does, but like somehow I dropped into a blue screen and like I could type things but it wasn't doing anything, it was some weird space, and I remembered like typing like great, like my, my name, and like grades, and then calling my cousin over and being like, look, I hacked into the school. Like Matthew Broderick, I'm changing my grades right now. He's like, dude, you're so stupid. I'm like, nah, it's real.

John: 9:17

Yeah, check this out. Yeah, watch me.

John: 9:20 

Yeah, so you've got a computer at home. Was that an uncommon thing? Were you, for your friends, did they all have similar, like got an Apple or a Windows computer, or was that unusual?

Dr. Auger: 9:33

Actually, that's a good question, umm. So I had different, I've always been kinda like, ah, like a social butterfly, so like I have different kinda like social circles, right? But one of them was Computer Club and all those guys had computers, and when you got the 14.4 modem you were like blazing. You were like the cool kid with a leather jacket, basically, in school. And then I remember I got a 28.8 right there in my senior year and I was amazing. So that group of kids did have computers, but for the most part the kids I ran with didn't have computers. And another thing that people may not realize, again, I know you guys are going to identify with this, but you had a family computer. It wasn't like you had your own machine, you had a timeshare basically of a family computer. So there was that too. But yeah, I would spend a lot of time on it. Man, get home from school, play outside, do sports and whatever, and then, you know, basically just dial into BBSs and dink around or play video games.

John: 10:35 

Yeah, were you, you know, kind of my first, I did some BBS stuff and then AOL was the thing. Were you all into AOL and, and you've got mail and in the chat rooms in there too? Because IRC was cool. ICQ, IRC is like, oh, that's where the, you know, you know, you don't know what's going to happen, but you're going to drop in and who knows who you're going to come across. But AOL was kind of like the friendly version, yeah, that safe, so it wasn't.

John: 11:02

It wasn't really, but that's kind of was the idea behind it. Did you get into that phase too?

Dr. Auger: 11:07

Yeah, I did have the AOL. I mean, I was a poor kid. A lot of people when they're young don't have money. You'd be grinding through four-hour free AOL discs left and right, those things. But I did have AOL. I remember spending some time on that because the, uh, Instant Messenger bot, the AIM bot. If you guys remember that, you'd have all your friends on there. That was like, that was like pre-pre-pre-OG Discord.

Dr. Auger: 11:33

Um, having the AIM bots. Uh, and like, your username was like, very important, like it absolutely represented your online persona. Um, yeah, it's funny you mentioned, John. I actually can't recall if it was like a clean, like lift and shift to AOL and like abandon the BBSs. I feel like I, I kind of ran in parallel with them because the BBSs would give you, I mean, it wasn't necessarily like, you know, uh, outlander territory or whatever, but it was just a different, more, you know, community vibe, where AOL, like they had the communities, but you were just dealing with a bunch of like randos.

Dr. Auger: 12:08

You know what I mean. So yeah, AOL, man, I'm so glad they broke off the AIM bot, um, off of the main AOL. Do you remember that you could just have the Instant Messenger? Oh man, dude, this is such a good, like, like nostalgic trip.

John: 12:21 

NT Mac was my user ID because I was going to be a Windows NT Mac daddy.

Dr. Auger: 12:30

Oh nice dude, I love it, I love it.

John: 12:34

Yeah, that was like, but it was cool at the time.

Dr. Auger: 12:38

Oh no you were yeah, killing it.

John: 12:41

So you know you're looking to do computer science. Did you have an idea what that even meant, like what is computer science?

Dr. Auger: 12:50

No, no, no idea at all. Like I just knew that I had like a, like I had a kind of an insatiable appetite for computers and for technology and stuff like that. Like I just, I just loved it. I loved... Back then too, another thing that people may not understand: back then you would mod your computer all over the place. You'd open it up, you'd be putting RAM chips in it, you'd be upgrading the modem, you would be in there quite a bit. So I found that fascinating. Computer science, I thought, oh, it's just going to take my computer skills to the next level. And then, interestingly, UMass Amherst has an excellent computer science program. It's recognized nationally. So I'm not just flexing or whatever. But the program when I went through it, I literally thought the only thing you could do is become a software developer.

Dr. Auger: 13:43

Because, right when you start freshman year, they made you... Java was the rage, it had just come out, so they made you take Java 1, Java 2. And that established your beginning freshman year. And then you take networking, databases, operating systems, and all of the assignments would have something to do with writing programs to demonstrate capability with these technologies, and you'd be writing them in Java because that's what you had learned. And I was like, oh, like, everything is in service of writing code, this is what I need to do, uh, and it couldn't have been further from the truth. Looking back now, with, with perspective.

John: 14:19

Yeah, like even the students here, they don't take networking until like junior year. Right, TCP/IP, and it's like, what? Like how, how is that possible? Um.

Dr. Auger: 14:30

Dude, I know, just as a quick aside, College of Charleston. I've hired multiple interns at College of Charleston. As of last time I checked, networking isn't even in their computer science curriculum, which, which blew my mind. I was like, how, how are you? Like, that's not, that's like, oh, that's terrible.

John: 14:49

Yeah, yeah, for sure, and, and I see the students here, right, they are like what you said, really focus on development. You know, programming. That's kind of what they're thinking and what their mindset is around, like, okay, am I going to go into software engineering, and what flavor of software engineering? And then they, they can, you know, maybe they come across cybersecurity. So you're, is that in your, while you're in college? Is that when cybersecurity came, became more of a serious path of, okay, I think this is where I want to go?

Dr. Auger: 15:22

Actually no. So my undergrad was 98 to 02, basically I had to stay a little bit longer because I was a donkey, but basically 98 to 02. And I say that just so people can understand that then cybersecurity was not a thing Like it definitely wasn't its own major, it wasn't even a course that you took. And I mean, if I think back, you know really hard, like a little bit of security was even involved. Like when you're writing programs you're not writing like make sure it's auditing, you're not writing like the authentication mechanisms, like you're just writing code that runs. And so I didn't even know about computer security, which actually is quite interesting because the way I find out about it professionally is I got audited. So obviously I graduate. I went not obviously, but I graduate.

Dr. Auger: 16:20

I go down to DC working for the Marine Corps at the Pentagon and I'm writing a custom web application, model-view-controller paradigm, and it gets audited for FISMA, which is Federal Information Security Management Act. It's basically a US federal standard that federal agencies have to apply to or comply with, and I get audited. They come back and it's, it was Deloitte, and they're like, this software is terrible, like you're violating everything. They're like, you don't authenticate and where you do, it's like cheesy, uh, you're not auditing, like this is, this is bad, real bad. You need to fix this. And I was like, you know, when someone tells you your baby's ugly, you're like, so I got wicked pissed, uh, sorry, I got wicked mad and, um, and like dug into FISMA because, like, because, basically like a stubborn 22 year old, I'm like, these people don't know what they're talking about.

Dr. Auger: 17:19

They're wrong, I'm gonna find people, yeah, yeah. Hey, like, take your gray hair and get out of here, you old person. So I go dig into FISMA and I'm like, oh, this is actually crazy cool. Like, look at all these different things and how complex it is. So then I, um, I get the bug, like obviously kind of like dredging up some of that, uh, silt, um, from my youth and I did what I think is a pretty cool hack. Again, I will be the very first person to tell you I'm not offensive security minded. I don't pretend to be. I suck at it. I'm very conformist in my thinking.

Dr. Auger: 17:53

But I went into Outlook at the company I worked for, which had like 45,000 employees, and the global address list, the gal. It basically lists everybody in the company. I filtered by manager and above United States and cyber, right, you could filter in capability and I got a list of like 200 people. So I'm like, okay, these are managers who work in cyber in the US and I literally just dumped their phone numbers and I called them one after another and probably on the seventh one there was a guy named Ray Sturby and I'm like, hey, I work for this company. I work for the same company as you.

Dr. Auger: 18:34

I'm really interested in cybersecurity. Can you talk to me for a few minutes? And he's like, yeah, sure, and we talked for an hour and he gave me a bunch of resources and I went off and did all of them and I did a follow-up call with him and I credit him for being a pivotal inspiration in my life. And I remember one, the thing that like really blew my top, uh, off was like vulnerability scanners, right? So, like, I know they're so trivial now, right, like, oh, Qualys, Rapid7, whatever, like you just stand it up and spin it. But back then I was like, wait a minute, like I think to be a hacker, right, to exploit zero days, you've got to be like this next level PhD engineer who, like, understands how to, like, you know, see the, the cracks in the, in the wall and navigate them, the matrix, yeah, and you could just point a scanner at a computer and it'll tell you all the things wrong and what you need to do to exploit it.

Dr. Auger: 19:30

Like that's, I, I remember saying to him, I said, like, why aren't bad guys using this? And he's like, they are. I'm like, why isn't everything getting cracked open then? He's like, because the good guys use them too, and we try to move as quickly as we can to close those holes. And I'm like, oh my God, this is exciting. Tell me more.

Dr. Auger: 19:48

So just a quick follow up, a fun fact. So I go to Black Hat every year and I go to a very... This is way less cool than it sounds, but there's this invite-only breakfast on Wednesday morning, hosted by Jeremiah Grossman, and it's like 15 people and all we do is talk about cyber insurance, which is why you're probably like, oh, I want to get in on this private breakfast. And then you find out the topic and you're like, I'm passed, I'll just grab a burrito, uh, from a food truck. So, uh, Ray Sturby was actually on the invite list, um, uh, two, two, three years ago and I was gonna meet him there and it ended up my flight got canceled and I was a day late to Black Hat and I missed, I missed it. So, like, I, I've, I've emailed him from time to time, I've called him from time to time over the years just to remind him, but anyways, yeah, kind of a full circle opportunity there. So I've still never met him in real life.

John: 20:47

Okay. So we got to double click on this. This is great. So you got Ray. Well, let me back up a little bit. So the Marine Corps, the Pentagon, how did you land that job?

Dr. Auger: 21:02

Okay, so that's another funny one, again networking. So check this out. I can't believe how impactful networking has been on my career. Sometimes I forget. So when I first graduated, we have to take a step back in order to fully appreciate this. When I first graduated, uh, UMass with my computer science degree, another like completely idiotic dumb Gerry thing was, computer science is so hot, like, like 2002, 2000 to 2002. Like that was the dot com boom, right? Like the internet was exploding. Like Mark Cuban was making billions. Yahoo was like the hottest thing on planet. AltaVista was the search engine, right, and all of it is built on code, model-view-controller web applications. This is like how people are making money. Like I mean, dude, you.

John: 21:51

You got stars in your eyes. You're like this I'm hitting it now I'm here.

Dr. Auger: 21:54

Oh dude, like I was, like, this is so cool, like I'm gonna hit like one of those turbo patches on R.C. Pro-Am where you're just like, right. So I, I, I'm like, I'm gonna have like my pick of the litter, like I'm literally just gonna like, like I'm just gonna do a trust fall into a job. I have arrived.

John: 22:09

I have arrived.

Dr. Auger: 22:10

Yeah, so yeah, like Gerry's entered the chat. So I, I trust fall and I land like face first into pavement and I'm like, huh, let me try that again. And I fall again into pavement. I'm like, huh, and it was kind of a perfect storm. First of all, there is no downtown market of vendors who are begging for recent computer science grads. Okay, so that didn't exist. Again, I have no idea where I came up with this idea. I'm like, oh yeah.

Dr. Auger: 22:38

Second of all, there was a massive macro movement at that time that people may remember you youngs won't know this, but basically outsourcing to India. Software was like it was the thing. It was like how CEOs were increasing revenue dramatically. You were getting the same software basically at a fraction of the price, so it was a major cost savings. So the job market for US-based citizens was actually reducing for software engineering.

Dr. Auger: 23:08

Again, I thought I can only do software engineering. So I end up having to work construction, which, if you've done it, it's not great. I ended up working construction for four or five months, while I'm constantly applying to jobs, applying to jobs, applying to jobs, and I ended up getting one as a software dev, got wicked, exploited which I can go into that story if you want later and I worked there for one year getting that experience. And at the Pentagon, there was a friend, so my uncle, he's an old Marine.

Dr. Auger: 23:42

He had a friend who's an old Marine who ran basically the accounting department of the Marine Corps and the Marine Corps uses professional services in order to do things, including projects like build new technologies. And he said to his friend at a beer meetup or whatever, like hey, my nephew, he's cranking on this software engineering stuff, but he's getting exploited at his current job. You know of anything he's like yeah, I got a whole team building software right now and we're looking for people. Have him send me his resume and I'll give it to the team lead. And I sent the resume, team lead got it. They called me. I went in for what was like the most cupcake interview ever.

Dr. Auger: 24:22

I don't even think they asked me questions. They were just like, hey, what's going on? I'm like, hey, I'm cool, and they're like, oh, you are cool, we're cool too, and we high-fived it. Yeah, like we went to lunch and then they're like, you know, there will probably be an offer letter for you by the end of the week. I'm like, Jesus, this is awesome. So I earned the job myself, but it was a perfect storm where they needed more developers. I was a developer and the reason I found out about the opportunity was because of the network, so the job was never posted. They just said, we need more people. Do you know anyone? And that's how it came to be. And, by the way, I moved to DC in order for the job. So you do. I was open to, you know, usually younger in your career, you're open to moving, um, a little bit more because you have less responsibility, you know. So, uh, yeah, that's how the Marine Corps job came to be.

John: 25:07

Okay, networking. I love it.

Dr. Auger: 25:09

Two for two on networking.

John: 25:10

That's right. So I like the whole GAL, right, looking through the address book, yeah. So this is, this is young Gerry, still, you know, and you're maybe in your twenties, right, and you're thinking outside the box, right? Okay, how can I find somebody to talk to that is doing cyber? And this is a good lesson for people, like, look, you're being motivated, being dedicated. You got to number seven and Ray, Ray picks up the phone and you're, you're selling. You've already maybe had a couple of hangups. I don't know what people did. When you call them, they're like, who is this crazy person?

Dr. Auger: 25:44

Yeah, Like a couple of people didn't answer. One was a voicemail. A couple of people were like I don't have time for this, you know so.

John: 25:51

Yeah. So, Ray, what do you think it was about Ray and your conversation, that he was like, sure, you know. Yeah, I'm willing to help.

Dr. Auger: 26:01

You know, I don't know, I mean, I think it comes down to personality. You know, Ray had, uh, Ray got a degree from Columbia and from Carnegie Mellon and I remember, like, when he told me that I was like, oh my god, like I'm like, I got a computer science degree from UMass Amherst, like I, like, like I'm like that, uh, you know, just like square, like cut up SpongeBob meme, that's like, you know, I'm like, do I need these degrees?

Dr. Auger: 26:28

Uh, Ray, like whatever, you know what I mean, like I think, just being genuine and being, like, you know, not obvious but yeah, like I was hungry, I was hungry and, and, and I think, like, you know, I see, I mentor at scale, like I see people, it's, it's clear when someone's hungry and when someone's just kind of like going through the motions because they've been told to go through the motions. But, um, you know, and, and you know, he gave me some homework, basically, and I went and did the homework, and that's it. Man, it was hunger, I knew what I wanted and I was going to go get it.

John: 27:05

That's the thing we talked about in a mentorship episode how to find a mentor. If they give you something to do, you go do it and you show like, look, I did the thing and thank you for that advice. And here's how I thank you. I actually did it. Let me show you what I did. And then you keep building that relationship. So that's, that's great. So maybe fast forward a little bit. And you, you did you get your. How'd you get your first job doing cybersecurity?

Dr. Auger: 27:35

Oh, all right, so so, interestingly again, I worked for a professional services company which I totally recommend people check out early in their career, because a professional service company is like contractors they typically contract with governments and the business model is they pay you, and this is for simple math. They pay you $20 an hour and they charge the government $40 an hour. So if you're not doing one hour of work, they're making $0 an hour. So they're hyper interested in getting you on work right away. And, by the way, if you're more senior, they pay you $30 an hour and make $40 from the government. So their margins are lower. So they're even more perversely incentivized to hire younger, less experienced people because they can pay them less.

Dr. Auger: 28:20

So, having said all that, I was in DC, I wanted to move back to Massachusetts. I've got this bug for cyber, but I want to move back to Massachusetts because my girlfriend at the time, now my wife, and I were having a long distance relationship and those are tough, uh, kind of, kind of tough. So I wanted to get back up to Massachusetts because I, I was invested in my wife. I knew I was going to marry her, um, which is a whole other story of, of confidence. But so right at that time, Enron, uh, if you guys, again, you youngs, go, go ask ChatGPT about Enron. But basically Enron had committed this gross, gross financial crime, essentially bamboozling investors and just doing all sorts of bad stuff. So the SEC, in part with Sarbanes and Oxley, these two senators, basically invented this framework called Sarbanes-Oxley or SOX compliance, and it helped manage the risk of businesses abusing their access to financials and stuff like that, and part of that included an IT audit piece of it. And basically the company I worked at, this big professional services company, got in on the game because that's good money doing audit work.

Dr. Auger: 29:40

So I moved up to Massachusetts and started doing Sarbanes-Oxley IT auditing function while at the same time starting to manage IT. Basically, there was the small business. Even in these large companies there's little small internal businesses and this business had 15 people and three servers and so I was the nerd. So they're like, hey, nerd, can you do this IT administration too? And I said sure. So I was kind of fortunate. I was getting some IT Windows admin experience as well as doing SOX auditing which, by the way, no idea about how to audit IT, audit SOX, the legislation itself. So that was a lot of printing out as much crap as I could get on it and ingesting it, because personally I have the philosophy that I don't ever want to be the problem. I don't ever want in a project or a team or anything, I don't want me to be the one holding anything up because I have anxiety about that. So for me I needed to get spun up as quickly as possible on Sarbanes-Oxley. So yeah, that's me doing audit work, GRC right out the gate.

John: 30:49

Yeah, it's funny because my first real, I had an incident that got me interested in cybersecurity but really didn't start having to do it in the job until Sarbanes-Oxley. So we were being audited and we were being audited by internal audit twice a year and an external audit twice a year, so four times a year at least that we were having to go through. And it was all new. Like, hey, here's these controls, are you doing these? Like, well, no, we didn't even know what these were, right? But that did help me get, like, okay, I'm actually getting some experience, because now I have to do this because of Sarbanes-Oxley. So around that same timeframe, this 2004, 2005 timeframe, is when I was getting my feet wet with some security experience, like legit experience, which was cool.

Dr. Auger: 31:43

Yeah, that is really cool. I had no idea that you got a, I mean, I guess you were on the operation side, not the audit side. Uh, but you know, hey, SOX launched a thousand boats, like, way to go.

John: 31:50

Yeah, yeah. So you're doing Sarbanes-Oxley and you're, you're working this job. How did, how did you pivot? I want to pivot to what kind of interested me in you and, and I can't remember exactly how we connected. I know, I know we connected, but, and one of the things was about doing cybersecurity in Antarctica, at the South Pole. So I want to get to this story. So how did this happen?

John: 32:18

I just remember reaching out to you, or you reached out to me, or somehow we connected and I was like, dude, you did cyber security in the south, what what? And you sent me like this I still have it in my google photos, this whole folder of all the photos of you at the south pole and tell me, tell us about that. How did that work out? 

Dr. Auger: 32:38

Yeah, so don't sleep on GRC. It can send you to cool places. So now I'm in InfoSec. I did some more stuff up in Massachusetts. Again, just to point out how hungry you are, when that company I was doing the auditing for went bankrupt. Great job, CEO. So when it went bankrupt, I literally was walking my dog and walked by a small business that said TBG Security and I was like, oh, that sounds cool. And I went up and knocked on the door. It's a two-guy business. I knocked on the door and they're like, can I help you and your dog?

Dr. Auger: 33:13

And I'm like hi, I love security, will you give me some time? And they sat and talked to me for a few hours and then they ended up hiring me as a consultant. So just again to pivot onto the hunt, but my wife graduates, we live in Massachusetts and we don't like snow. So first chance we get we move south and I get a job working for Booz Allen Hamilton, another professional services consulting firm, living that consultant life. And within that office they actually had a National Science Foundation contract.

Dr. Auger: 33:51

So the National Science Foundation United States Antarctic Program, which I think is super cool, is out of Denver. That's the home base where the operations are. But they need to be audited for FISMA. FISMA auditing all federal agencies, as I mentioned earlier in the show, including all of the facilities and research stations that support the National Science Foundation's Antarctic Program. So I do want to point out I wasn't doing that work at first. At first I was working on a VA project, which was fine, but I wanted to be on that Antarctic program. So I made friends with all the people on that Antarctic program. I made friends with the manager over that contract. I expressed to her that I wanted to work on it and as soon as I saw someone quit who was on that job, I immediately went to her office and knocked on her door and I said I can do this, which ended up really causing a lot of problems with my current project because they were really mad at me for, but whatever, you know what? I was hungry. I wanted it and I did it.

Dr. Auger: 34:52

So I get on the Antarctic project and basically, with FISMA auditing, it's a three-year cycle but you want to audit every year because there's so many controls that you basically break them up into thirds. Some controls you want to check every year. I won't get into the technical nuances of it. Yes, I said GRC and technical in the same sentence. Right, it's a thing. So we go out to Denver once a year and then every three years we have to go to Antarctica.

Dr. Auger: 35:20

Well, there's two places in Antarctica you have to go. One is Palmer Station, which you go through Chile and the South American Passage. You go through the Drake Passage, which is the most turbulent water in the world. You take a boat. Palmer Station, Google it. It's the coolest place ever. It's like a little hippie commune. I love it. The other one is McMurdo Station, which is the main base that anyone going to Antarctica, whether you're with the US or not, you typically pass through McMurdo as a base. You actually take a flight from New Zealand into Antarctica and you land on ice over water. That's the runway and it's a c7 jet. I mean, it's this massive, massive jet that you don't think should be landing on ice

Dr. Auger: 36:04

that's only eight feet thick, but that's what we're doing here. And, uh, by the way, fun fact, like there's a plane crash there as well and like, because it's Antarctica, they just didn't clean it up. So like, as you're landing there's just like this plane that's broken, that's kind of like half buried. You're like what the hell?

John: 36:19

Just ignore the plane. Don't look at the rides. 

Dr. Auger: 36:23

Yeah, please look to your left, everyone. So, yeah, so anyways, had to go. You know we audited McMurdo and then only a select group of people can get to go to the South Pole. You have to be, like, pre-screened and authorized and you take a C-130 to the pole and I landed. I was there 36 hours, did my work, got to enjoy the pole, got all those crazy photos that you saw. A couple of fun facts about the South Pole. One, if you didn't know, it's actually at a really high elevation. It's completely flat, but you're on top of essentially like a massive mesa, and I don't remember the exact height, maybe like 15,000 feet or something. But as soon as you get off the plane, 'cause McMurdo Station is at sea level, like again, like the runway is eight feet ice on sea. When you fly in and land at McMurdo, uh, at, uh, South Pole Station, when you get out of the plane, you're instantly having a tough time breathing because you haven't acclimated to the height, because you're high, gotcha.

Dr. Auger: 37:22

Yeah, I remember. As soon as you land they fed us lunch and I had a hot dog. I literally got winded eating the hot dog. I ate half the hot dog, I was like oh boy, I got to take a break from this hot dog y'all.

Dr. Auger: 37:33

It was cool, it was crazy. Also fun fact again, just information security. I'm so blessed that it's taken me so many cool places, but flying from McMurdo to South Pole Antarctica is actually quite mountainous and the plane it would actually fly low and fly around the mountain ranges. They probably didn't need to do that, but it was super, super cool. And it gives me pause to think how on earth did Scott and Amundsen back in the day traverse this on foot? Because it's insane to do it in a plane, but anyways.

Dr. Auger: 38:09

So yeah, I got there, did a bunch of GRC auditing, took a bunch of pictures and got out of there. Very cool. I went to Antarctica three times. If I had my office done up better, I actually got awarded, uh, Antarctic Service Medal. It's like the only non-military ribbon award you can earn. Um, you know, I've got it all framed in a shadow wow and stuff.

John: 38:32

Yeah, that's kind of fun. Yeah, that is that's. I remember seeing the pictures and you were, I think we were talking and you're talking me through it and I'm like, what, this is so cool. Like how those are the kinds of things that, you know, you just don't know. Like everybody needs security, like maybe you can be that person.

Dr. Auger: 38:49

Yeah, 100%. I mean it's, um, you know, if a research station gets cracked, you know what I mean, or hacked into or whatever it could be, it could be bad, especially that place, because, um, it's called wintering over, but like, basically, you got to remember, the sun doesn't come up and come down like normal rotation, like it's like six months of sunlight, six months of dark, uh, and the dark, it's so cold that you can't fly a plane there because the jet fuel will freeze in the plane. So like, yeah, there's a lot of like logistics that go on. So like, you have to winter over there. So like, if you shut down the, um, the energy or the like, you know, if you shut down critical systems, you could kill people.

Dr. Auger: 39:29

Um, so yeah, it's a whole thing, although it always cracks me up when I see these like conspiracy theories about like what's really going on in the South Pole. I'm like, oh, oh, my God.

John: 39:39

Yeah. So, all right, coming up to where you and I connected you, you were at MUSC and, like I said, I don't remember exactly how, but we started scheming hey, we need to get, we need to get Clemson and MUSC and USC together and and you definitely were a pivotal like person to help us organize this, and you and I, really you and I, honestly you and I were the ones that kind of organized it. And then the CISOs came in and they're like yeah, yeah, we did this thing, you know we got everybody, yeah, yeah, I'm like, like you, you guys.

John: 40:11

Okay, we dealt with. It was fine, yeah, but that was cool because we came down to MUSC and hung out with you guys and we got to meet in person and got to collaborate and really tried to stay in touch ever since then really, you and I but just from you and the next steps in your journey. You're at MUSC, you're doing cool things, talk us through, and I'm going to let Steve kind of take over here. Getting to the point where you are, how did Simply Cyber become an idea in your mind? And to maybe? Hey, I'm going to do this thing full-time for real.

Dr. Auger: 40:53

Yeah, so it's actually two things that happened that facilitated Simply Cyber. So this is the Simply Cyber origin story. One, in like 2015, a guy named Steve Cardinal who worked at MUSC with me. He had experience doing podcasting and theater and stuff like that and he wanted to start a podcast internal to MUSC. So for those listening who don't know, MUSC has like tens of thousands of employees. It's an academic medical center and we wanted to start an internal podcast that would focus on cybersecurity with healthcare bends to it and this is all part of a really nice information security awareness program where it's not like oh you're looking at PowerPoints once a year, right. So I did that for two years with Steve and I learned the podcasting business. I learned about, you know, audio and running interviews and production and stuff like that. So it's a skill I picked up and I enjoyed it. But one of the things I did not enjoy was the constraints that MUSC put on us. So like there were certain things we couldn't talk about, there were certain guests we couldn't speak to or, you know, didn't like that level of censorship or control. Not necessarily bad, it was just policy and Steve quit and went to work somewhere else and I did the podcast for another week or two and I was like I don't enjoy this, this isn't fun anymore. What I would like to do is my own stuff and do it in a way that I like, and I think with video it would be really cool, right? I'm a more visual person. Anyways, I think it'd be more fun. So I said, okay, I'll start Simply Cyber and actually you probably can't find it online. But in the very final episode Steve came back and we did a closeout podcast episode to end the show and for what's coming up next. I actually introduced the idea that I would be launching Simply Cyber at some point.

Dr. Auger: 42:50

The other thing, John, and I'm sure you get this all the time, same Steve, I get asked a lot the same questions. Especially, I got a PhD. A lot of people it's very mysterious and mystique, but a lot of people have the aspiration of a PhD. So I would get asked quite often like what's the PhD? Because it's a PhD in cyber operations, which is even more new and nuanced. So a lot of people would be like what's a PhD like? Should I get a PhD? How hard was it? How did you apply? I'd also get questions like how do I break in the industry, what is GRC, what is risk? All these questions and I would answer people and it would take me 15 minutes to answer the question, which is not terrible if you think like, oh, whatever, that's 15 minutes, but if you get asked the same question 30 times, that's 30 times 15. And it's the same question, which I don't mind, but I'm saying it over and over again.

Dr. Auger: 43:44

I am big on optimization. Time is literally my most valuable asset. So I said you know what I would do. I should make videos answering the questions. And then what I ended up doing was, if someone asked me the question, I would send them a link to the video and I'd say I've answered this question extensively in this video. I'll tell you what. Watch the video and if you have any questions at all afterwards, reach out to me and I will be happy to talk to you. That way I felt better, because I wasn't just like here's a link, kid, get out of here. But I was doing what Ray Sturbe did to me before. Here's resources, do the work. And, if you want, I'm here later on. And I would say honestly, 99% of people never followed back up.

Dr. Auger: 44:23

I hope it's because the video answered their question extensively, but either way, it would take me like three seconds to send them a link, not 15 minutes, and I just continue to stack on that. In fact, Simply Cyber now today has like 1200 videos, and one of my favorite things to say is I have a video for that, because, like almost always, I have a video for that, even for like, even like nuanced things, like I have a video on how to become, how to go from being a rabbi to a cyber engineer, like I have a video for that.

John: 44:53

I went and looked at the video that we did on Sigma and I was. It's got 12,000 views. Like what in the world, like I haven't even looked at it, but it's those, it is awesome that you have. You have videos for practically everything. Makes sense, so that's amazing.

Steve: 45:11

So just briefly, if somebody were to go to your YouTube page, Simply Cyber is helping people get into cybersecurity. Is that correct?

Dr. Auger: 45:21

Yeah, I think that's a fair uh. Yeah, I mean it's so hard to distill it down into a quick headline, but yeah, I mean helping people. I like to say launch or level up a cyber career, because a lot of practitioners get value from the platform as well.

Steve: 45:37

Okay, awesome, awesome. So you kind of got into the podcast creating your videos. You started Simply Cyber. At what point did you say you know what? I'm going to move from the typical nine to five. Start my own business, take this and just fly with it.

Dr. Auger: 45:56

That actually was years. So I started Simply Cyber in December of 2019. And, excuse me, I went full time in September of 2023. So close to four years it took. Personally, I really love cybersecurity. I love working in it.

Dr. Auger: 46:18

I was basically CISO a couple times. I was enjoying it, but essentially what happened was the demand that Simply Cyber was putting on me was getting larger and larger, and I ended up having to either diminish what I was doing with Simply Cyber in order to meet the timelines that I had, or I was struggling to balance these things. In fact, with my last two jobs before I went full time my last two jobs I had actually worked out a deal with the CEOs of the company that I would only work 30 hours a week and 10 hours I would be working on Simply Cyber. One of those situations, I actually got them to give me a stipend for Simply Cyber. I think it was like five grand a year to spend however I want, with no discretion, and I bought this microphone, this camera, so I was starting to already kind of leverage the relationships in order to start leveling up Simply Cyber with the ultimate goal of pivoting.

Dr. Auger: 47:24

Now for me personally, I'm responsible for my wife and my kids, I have a family, I have responsibilities, I have financial obligations, all these things. So for me I couldn't be like, oh, I'm definitely not reckless, I'm a risk professional, right, I'm not going to be like, oh YOLO, let's see if this works. So I actually worked hard for several years, basically running two full-time jobs, essentially until I got to a point where I could quit my full-time job and not really Obviously, I took a pay cut immediately because I lost that salary, but my monthly expenses, my monthly income from Simply Cyber and the things associated with Simply Cyber, had exceeded my monthly expenses. So I knew, no matter what, I wouldn't be putting my kids out or my wife out and putting them in a tough situation. And that's when I made the decision.

Dr. Auger: 48:23

And it's important to note too, it's not like Simply Cyber is this roulette machine or not roulette? What are these machines called Jackpot? Yeah, it's not a jackpot, that's just printing money. But I do speaking engagements and I do consulting, and Simply Cyber is just one facet of my business. So, like just to be transparent with everybody, it's not like I'm just this MrBeast YouTuber who's, like you know, just printing money. It's definitely not that way.

Steve: 48:52

No, that's awesome, I mean I. So I have a master's in business administration with a focus on entrepreneurship, and it's always interesting for me to hear from people who have done it that they've started their own business, and just getting their answer to hey, it was at this point in my journey that I said, okay, I'm ready to take that big step because it is a big step right. So to me I find that very fascinating, and just to kind of hear different sides of different stories.

Dr. Auger: 49:21

Well, and to put a final point on it, Steve, I remember telling my boss when I quit. I said, listen, I got to quit. I'll make the transition as smooth as possible, but I got to quit. He's like well, what is it? You want more money? And I said no, I don't want money, I don't need money. I need time and this job is taking my time. I need to quit my job because I need the time that I'm spending in the job to spend into the business. And it made it a very easy decision.

Steve: 49:51

So we talked about Simply Cyber and what you're doing in that space and how you are mentoring to larger groups. So can you talk about how that has been and that experience?

Dr. Auger: 50:03

Yeah, I mean Simply Cyber, like I like to say that I mentor at scale, which has its trade-offs. Now I get, you know, I probably get like 50 or 60 DMs a day of people saying very open-ended questions like I want to break into cybersecurity, tell me what to do or how do I do this, and I can't answer that volume of people, unfortunately. But I try to make it very clear, very transparent at scale that I am doing Simply Cyber to help people every single day from 9am to 9.30am. It's an AMA session where you can ask any questions you want. I encourage people to come there and ask the questions, but just from a time management perspective, I have to do it that way.

Dr. Auger: 50:45

One of the nice things too is, yes, I'm mentoring at scale and answering people's questions and helping, but Simply Cyber has evolved from just me and a channel to a whole community and the community is Again, I hate saying this because it sounds so arrogant but it has inspired other people to seek out mentoring at scale.

Dr. Auger: 51:06

So other YouTube channels have sprouted up of people who are in the community and we all share and support each other.

Dr. Auger: 51:12

We all make each other aware of what others are doing within the community so other people can find out about the community, which is awesome for me. Even these 30-minute AMAs, when I teach during the semester Tuesdays and Thursdays I can't do those AMAs. Two members of the community have stepped up and one guy runs the Tuesday, one guy runs the Thursday. So it's awesome to not just mentor at scale and help people achieve their goals, but also to help inspire others to want to mentor at scale and see the power and the impact that it can have and, frankly, how to do it, which is super awesome. Plus, it's so rewarding. Every day we get 500 people-ish live in chat every single morning for the daily briefings and people are like, just today, like three people were sharing that they had just gotten their first cybersecurity job and we, you know, we celebrate that as a community because it's amazing and it's fantastic and like that's why we're doing it.

Steve: 52:11

Yeah, no, that's amazing. I mean, I have to say, what you and others at Simply Cyber have been able to create is amazing. I know it has motivated John and I to start this podcast. So thank you for that. And it is good to hear and good to see the communities within cybersecurity, especially with Simply Cyber, just helping each other right and just being open to helping others, answering questions, giving advice, mentoring, whatever it may be, but just being helpful. So that's amazing. I wanted to kind of just ask you what's next for you?

Dr. Auger: 52:54

I didn't build Simply Cyber or my business with any idea or goal of exiting, so for me it's just continuing to grow, build the community, be impressed by where it goes organically. I like to tighten up. For me it's always improving everything, at least 1% a day, little by little, and basically making these things accessible. All sorts of projects kind of crop up, so just like some fun ones, like I have the distinguished opportunity to keynote Wild West Hackin' Fest this fall, which is like my favorite conference. It's so good and so community driven. So I try to leverage all these things because like, okay, I'm keynoting a conference that has like 1000 people who all work in the industry. Because of that I'll be able to feature Simply Cyber and have more people learn about it. So hopefully that feeds into more people showing up, which hopefully inspires more people to contribute, which makes more people in the industry go. So it's a very, very positive cycle. But it's like InfoSec, man, it's work. You got to put the work in, you got to grind. There's no easy button, but you just do that.

Dr. Auger: 54:11

So for me personally, I've got a vulnerability management analyst class. I didn't even talk about the school in this interview. But basically I have a school full of education that I am working on. I'm a big GRC person. There's not really good GRC training. There's tons of pen testing training and SecOps training, but GRC people are kind of left like, hey, go look at NIST. So I'm building a whole school that it's everything that you would want to learn about GRC, nothing else. You won't find a pen testing course in there, but you will find GRC analysts, Cyber 101. I'm working on a vulnerability management analyst class. So those are kind of the bigger projects and initiatives, but really the why behind them.

John: 54:54

Do you want to talk about the TV show? You're going to be a host for a TV show.

Dr. Auger: 54:59

That's another thing. I'm so terrible. I do so many things that I forget about them. Thanks, John, for reminding me. Yeah, so actually I flew out to Vegas two weeks ago to film season one like a full-on TV show.

Dr. Auger: 55:11

It's called Late Night with Gerry and it's a late night format. I have an opening monologue, I have a band, I have guests come on, I do interviews, silly games with the guests and stuff like that. I got a desk coffee cup and they're in the desk chairs, so that'll be coming out in August. The studio told me that they want to premiere it at Black Hat with a whole red carpet event type thing, so it's with them right now. I've done all the principal photography, which is what I'm involved with.

Dr. Auger: 55:43

I wrote all the scripts. I found all the guests. I think people are going to love it. The guests are amazing. We had a red episode, a blue episode, purple episode. So yeah, look for that. Right now it'll be streaming on Night TV, which is a little bit smaller of a streaming service, but it's actually being shopped with very, very, very well-known streaming services that most people have already subscribed to, so you'll be able to find it. Trust me, when it comes out, I will be telling everybody where it is. 

Steve: 56:22

That's amazing. Yeah, that's awesome. Really, really cool.

Dr. Auger: 56:25

Yeah, definitely a once in a lifetime thing, like going to the South Pole and have my an IMDB page like basically that's right.

Steve: 56:33

That's awesome. So just really quickly, just to kind of wrap us up, what are some fun things that you're doing right now? What are you doing for fun on your free time, if you have any?

Dr. Auger: 56:43

Oh man, yeah, I mean not really. I mean I love running. Frankly, I don't run as much as I would like to. By the way, you think you'd get your own business and you'd be like, oh, I'm the boss, I make my own hours, and in reality you're just more busy. So I love running. Basically, when I run, you can't get a hold of me, so it's nice, I get to clear my mind, clear my thoughts. I'm also doubling down because I'm doing health things for my body, since I mostly stand at my desk for like 12 hours a day. So a big fan of running and spending time with my family. Frankly, I enjoy that quite a bit too. 

John: 57:22

Are you listening to anything cool while you're out there running? Are you just in the zone?

Dr. Auger: 57:28

No, so normally I listen to retro synthwave music. There's a band called The Midnight that I love, but just recently, I'm a big fan of multi-volume fiction stories. So just recently, I actually started The Witcher. I'm on book four, so I'll listen to an audiobook, uh, while I'm running, uh, it's just to relax and decompress, but, um, yeah, so I've been listening to The Witcher, but normally I'm, uh, The Midnight type guy and, um, or you know, yeah, it's got to be fiction, like I don't want to listen to like non-fiction while I run, because I just kind of want to chill out and be vibing. Um, fiction, non-fiction, I read in print. I'm a print person. I can't read a Kindle book.

John: 58:11

Usually I would listen to something audiobook that's more instructional, helpful. In the morning on the way home I'm listening to some kind of fiction, like something to decompress, fun that I'm not having to think too hard about, so I love it too.

Steve: 58:31

Everybody needs a break sometime, yeah, yeah, sure. Awesome. Well, thank you so much for being with us and sharing some time. Before we wrap up, are there any final thoughts? Anything you'd like to share with the listeners? Maybe talk about where they can find you.

Dr. Auger: 58:49

Yeah, if you want, if you liked what you heard, you can go to simplycyber.io, which is my website, but simplycyber.io/socials and that's basically just like one of these landing pages that has links to everything. So I have this page. So, basically, depending on where you are in your career journey, depending on why you want to talk to me, depending on whatever it is, there's something there that kind of aligns to every kind of person who's going to reach out. So, simplycyber.io/socials. I'd also really encourage people to come to the morning threat briefings. They're 8 am to 9 am Eastern time every weekday.

Dr. Auger: 59:25

It's been going on for 618 episodes in a row. Like I said, there's 500 people there. It's very, very valuable from a networking perspective, from a community perspective, from staying abreast of current things in the industry, and you can get to that quite quickly by going to simplycyber.io/streams, with an s, streams, and that'll basically just dump you to my YouTube live page. You'll see, uh, all the different streams and the dates and everything like that, and, uh, say hi in chat. If you do join us, let us know that you heard this interview on the pod and, uh, we'll give a shout out.

John: 1:00:00

Yeah, you may find me there. I'm on there occasionally. I'm usually on there at least Fridays and Mondays. So I'm trying to show up to and I definitely get value from it, so I appreciate it.

Dr. Auger: 1:00:12

Thank you.

John: 1:00:14

Yeah.

Steve: 1:00:15

Awesome. Well, this wraps another episode of the Cybersecurity Mentors Podcast. If you have any questions on what you've heard today, please visit our Discord channel or send us a message on LinkedIn. Other than that, thank you again, Dr. Gerald Auger, for your time.

Dr. Auger: 1:00:31

My pleasure. It was great being here, thank you.

John: 1:00:34

Thanks, Gerry.

Dr. Auger: 1:00:35

Yeah, absolutely.

Steve: 1:00:37

Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.

John: 1:00:42 

Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

Steve: 1:00:52

Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast, and follow us on LinkedIn. We'd love to hear from you.  

John: 1:01:04

Until next time. I'm John Hoyt.

Steve: 1:01:07 
 
And I'm Steve Higareda.

John: 1:01:09 

Thank you for listening.