
Cybersecurity Mentors Podcast
In this podcast we discuss mentoring in cybersecurity, information for those that are looking to get into cybersecurity, and tips for those that are looking to advance their careers.
Ask Us Anything: Cybersecurity Career Q&A — Season 4 Finale
In the Season 4 finale of The Cybersecurity Mentors Podcast, Steve and John wrap up an incredible season with a special listener-driven Q&A. The episode opens with a recap of Episodes 1–7, revisiting key lessons on soft skills, leadership, resume pitfalls, networking strategies, and inspiring career journeys. From there, they dive into your most pressing questions about breaking into cybersecurity — from whether college or certifications matter most, to the projects that truly prove you’re job-ready, to building home labs that tackle real-world problems. Along the way, they share behind-the-scenes reflections, practical advice, and set the stage for an exciting Season 5.
Check out our Networking is King Course: How to Build a Career Through Real Connections
John kind of just let the cat out of the hat there a little bit. It was something we've been talking about for a good bit now, but things seem to be moving. So hopefully, you know, fingers crossed, things pan out and we're able to offer these opportunities to everybody. Could you teach me? First learn stand, then learn fly.
John: Make your role, Daniel-san, not the mine. I know what you then learn fly. Nature rules, Daniel-san, not mine. I know what you're trying to do. I'm trying to free your mind, Neo, but I can only show you the door. You're the one that has to walk through it.
Steve: What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life. Welcome back to the Cybersecurity Mentors Podcast. This is our final episode for Season 4, and we wanted to do something a little different, something a little special. So today we will be answering a number of your most common questions, and these are questions from how to break into cybersecurity, to what kind of projects really stand out for employers, to what it's like working with CPS for mentorship and what it is like running a podcast. So we're going to have a little bit of everything. So stay tuned and let's get started. Yeah, let's do it.
John: Yeah, we're going to try to have some fun with these questions. We'll mix in some fun ones, not just the serious questions, if we have time. But we're also going to do a recap of this season, right, and kind of go through. It's gone by fast, as the summer has flown by this year, it seems like. So let's start with a recap before we do the Q&A.
Steve: Yeah, so we've had a great season. I believe we got a lot of feedback from you guys, the listeners, and just other people that are finding us and are listening to kind of what we have to say, our opinions, and also just chiming in on some of the guests that we've had and some of the conversations, the topics of discussion. So I mean the very first episode I think was a good way to start. The title was Unlocking the Power of Soft Skills in Cybersecurity, where we literally talk about soft skills and how important they are in order for you to be successful and be a well-rounded professional in cybersecurity.
John: Yeah, I think, as we talked about a little bit in the last episode, just how more and more technology is taking over in different ways, the human side is still important. Right, the robots have not taken over. I think that you're not going to go wrong if you really double down and focus on these human skills, and I really believe that. It sounds funny, human skills, right, we're talking to robots, but I do believe that these things will help you in your career, as it has helped us in our careers, continues to help us. These are going to set you apart. It's going to be a multiplier for your technical skills. So don't wait, don't short out the soft skills. That's, in my opinion, what makes a difference.
Steve: Absolutely. So, following up that, we had a great episode on just leadership, where John fanboyed about Extreme Ownership and Jocko and just about what it is to be a leader, right, what all comes with that leadership position, that role, and if you're striving to be in that position in cybersecurity, that's a great episode for you to go back and listen to and just get a better idea of what's to come, what to expect and just a different type of mindset on how to handle that and just take ownership for you and your team. Yeah.
John: I don't have a lot to add. Yes, fanboy, hashtag Jocko Podcast. And other people told me, like, I couldn't believe it when you guys started talking about Jocko and Extreme Ownership. I was like, I know, I know, Steve's a hater, it's fine. Then we followed up episode three with Evan Reiser. It's a great episode. He really dove into AI and the power of AI and how they're using AI. I mean, he's in a really significant role as a CEO and co-founder of Abnormal AI. Great, he gave us great insight. I thought it was a great episode, probably one of our better interviews, open to discuss anything. We may have him back and talk some more about stuff. But yeah, it was better than I expected. I mean, not that I had low expectations, but it went great. Absolutely. I completely agree.
Steve: It was a good episode. We had a lot of feedback from people that listened and just said it was a good topic, a good conversation. Yeah. Following up, episode four, we had an interview with Dr. TJ O'Connor, where he kind of shared his story, shared kind of how he got started, all the things he's done in terms of working with the military, the federal government, and then now giving back to being an educator, giving back to students, helping with cyber competitions. I thought that was an awesome episode as well, yeah.
John: I just keep thinking about it. It was a great post about him talking about grit and just kicking the soccer ball over and over again as a kid. So it was a great story there and I was glad to have him on. Next we had Episode 5, the interview with Grant Adams, one of our longtime students and mentees since back in the day, and he's doing great. It's great to see him. His beard is just getting legit, right, um, his hat, everything. He looks like a West Coaster, um, but he had a great, again, he had a great story too about how I'm networking and meeting others and how it's helped him in his career, and he's still kind of relaunching that security career, but, hey, that's a great story too. Is you maybe can go a different route for a little while? And it doesn't mean the door is always closed, right. You know, you can still use that experience and use your network to get back in the game.
Steve: So happy to see him doing well. Yeah, I completely agree, and we did not pay him for his interview and what he said. Whether you believe us or not, we did not pay him. That just goes to show that what we are talking about is legitimate and it works.
Steve: So, yep. Yeah, all right, so episode six was 10 Resume Mistakes Holding You Back. So we really kind of focused on some of the top 10 mistakes that we see when we are being asked, hey, could you review my resume, can you help me out? And this is after helping a number of people. We kind of came up with these top 10 mistakes that we see. We spoke about them in detail. So hopefully, if you've done one or two or more of those, after you listen to that episode, you were able to go back, review your resume and make it even better.
John: Yeah. Now, we got good feedback on this one too. I was kind of surprised. I just feel like there's a lot out there about resumes, but our take on it people seem to really jive with and appreciate. So, um, no, it was a good one. The last, or before, not the last, but the one before this one, we just finished, um, and shared today, actually, uh, The Do's and Don'ts of Networking and Cybersecurity.
John: So this was kind of a play on, a follow-up from, the first episode we did about Networking is King. It was great to kind of go back to that topic, as we've been doing all this season. It's kind of been our theme about social skills and networking with others, and so we built on that episode and talked about just more in-depth pieces, how to network in different ways and how to build your network. Shared a little bit about what we talk about in our course that you can go even deeper with if you want to, and I thought it was... We'll see how the feedback is. It just came out. I think it's going to be good, but I think there were definitely some nuggets there, some pro tips and some lessons learned from, you know, yours truly. So always open to share. You know, hey, we all make mistakes in different ways, but just learn from those mistakes and keep moving forward. But I think it was good, I think it was another good follow-up.
Steve: Yeah, I completely agree. I enjoyed recording that one with you because it just had a lot of good information and things that people can take away. And I mean, that has been it so far. Now we're on episode eight, but I believe, and John, I'd like to hear your side of it, Season 4 really seemed like a roadmap. It really was. We covered soft skills, we talked about leadership, we heard some inspiring career stories, we talked about some resume fixes, networking strategies, I mean a little bit about everything, and it is kind of a roadmap on the things that we believe are important, that someone should focus on and improve.
John: Yeah, here's what I would say, and I heard another episode, a different podcast, I'm always listening to different podcasts, but I really think this is a great way to put it, right. We are not... We have no shortage of information. We have no shortage of advice out there, not just from us, but from many different sources. We have no shortage of content that we get ingested all the time. What we have a shortage of is implementation.
John: Right, so don't just take what we say and hear it. If you don't put it into practice, that's where you're losing out. You're really... You could take 10% of what we put out there and test it. I encourage you to test it, try it, tell us if we're wrong. Hey, if we're wrong, we're wrong. We're not making this stuff up, right. We have experiences that we base this off of, but we may still be wrong and it may be wrong for your situation. But if you just listen and you don't put it into practice, you don't try it or give it a try, then what are we doing, right? You know, even if you take a little bit of some of the things we share and implement, you will see a difference.
John: I really believe that. That's why we share this stuff, but there's no shortage of content and information. There's a shortage of implementation. So I encourage you to take what we say and put it into practice. Um, you know, be on the heavier side of the implementation, trial, and, you know, trial and error those things and learn on your own, um, but use our guidance. That's the whole point, is to give you guidance from lessons learned and mistakes that we've made to help you, as we're further down the path, maybe we're further down the path, um, but try it out, put it into practice and see how it goes. That's my encouragement from all our seasons, but definitely this season, is try it and see. Absolutely.
Steve: I actually really liked how you put that, and that's a good recommendation. Go out there, listen to what we have to say, try it for yourself, come back, and, like John said, there may be situations where what you're going through is different and you give it a try and it doesn't work. It's okay. Come back, tell us how it went, tell us what failed and let us give you even more advice and just some more ideas for you to tackle and go after. So, yeah, yeah, all right. Well, that is a recap of Season 4 so far. So now let's get into the Q&A for today. Now, again, these are a couple of questions that are broken up into different sections for us, but it's questions that we've gotten, it's questions that people have reached out to us about, but also questions that are just very common in the industry that we want to answer here. And if you guys have any feedback or have something to add, please do so in the comments. We'd love to just keep the conversation going, yeah.
John: Let me just throw a note about that. In comments, um, we need more people commenting, so don't just comment in live chat. Throw some... I mean, listen, it doesn't matter, right? I mean, at the end of the day, it's not like... I don't care about the algorithm, whatever, but it does help.
John: It does make our stuff more visible to other people because it's more interactions, right? So I'm not one of those people that are like, please like and subscribe and make a comment so that you get our videos higher up the chat, up the stack, right? Um, but I do like to interact and like the interaction that we get. So a lot of that interaction comes in the live chat, which is good, but it doesn't help it be more visible, our videos be more visible, our content be more visible. So there's the YouTube comment section. You can comment on the actual audio version of this. There's a little link at the bottom on how to send us a message and give us a comment through the audio version of this too. So, either way, it just helps out to know that we're getting feedback.
Steve: Yeah, absolutely. It helps to know, you know, also how you guys are feeling about the content we're putting out. You know, is it things that you are interested in? But also, are you getting helpful information from this? Because we have a lot of ideas and a lot of things that we want to talk about, a lot of topics, and we try to kind of, and this is kind of going into some of the questions we were asked about the podcast, we try and kind of come up with the topics of discussion and kind of what we're going to talk about, but we have so much going on. It also would help to hear from you, our listeners, what interests you the most, because we may talk about a different topic that we want to talk about, but if it's not something that you guys really want to listen to and have questions about, then maybe we can shift some stuff around and tackle those things first. So that also can be very helpful for us.
John: So, all right, sounds good. All right. First question: what's the very first step if you want to get into cybersecurity with no IT background? Okay, I'm going to let you go first.
Steve: Yeah, absolutely. All right. What's the very first step to get into cybersecurity with no IT background? All right, you have to start with the fundamentals, or the basics. Right, you have already decided cybersecurity is for you, right? So now you have to start with some of the basic learning you can do, and you can find a lot of that online and for free. Right, we talk about TryHackMe. We talk about different entry-level certificates from CompTIA, from whoever. Those are things that you can do. Some are free and some are not very expensive, that you can literally use to dip your toe into the water and confirm that cybersecurity is for you. Because one of the things I've seen is a lot of people try to get into cybersecurity after they see a TV show or a movie where it's all amazing hacking, cracking, all the sexy stuff, and then when they really start learning the material and it may not be maybe as easy as they thought it would be, or as interesting as they thought it would be, they then kind of turn around and say, okay, yeah, this wasn't for me.
Steve: So my thing is get as much exposure as you can to the different areas of cybersecurity, but start with the basics. Yeah, I mean, imagine you're like, hey, what does it take for me to be a mechanic on a Porsche or a Ferrari?
John: Right, well, do you know how to work on cars? Like, I mean, it's the same. It's not the same, but it's like you got to learn how to work on cars. If you want to be a professional mechanic, there's levels. There's the learn how to be a mechanic.
John: Okay, I'm going to go figure out how to work on engines and work on all the different parts of a car. Trust me, you don't want me working on your car. I'm just telling you. But, like, think about, take this scenario, cybersecurity. Like we're the ones working on the Porsches. Right, I'm IT. And then you got the Ferraris in the Porsche. Um, but I mean, I might be a little biased, but, um, you know, you got to start at the fundamental layer. You got to learn. You're going to learn.
John: If you want to be a mechanic, just a regular general mechanic, you're going to go to mechanic school. You're going to go learn how to be a mechanic. Now, you can do this on your own. You can get books, you can get videos, YouTube University, but you still got to... You got to learn how to break down an engine, take apart a carburetor, change the transmission, all those things. That's the fundamentals of it, right? Oh, now you want to specialize? Now you want to work on Ferraris? Okay, well, that's another level and you're going to have to get those skills and be proficient at the fundamentals. They're not gonna let you in the shop starting out working on the Ferrari, right? So, you know, you got to think through that mindset of...
John: Take cybersecurity and imagine you're asking about a different career. What does it take for me to get into that career? Now, I'm not saying this to be disparaging, because you could be a Ferrari mechanic, and we're going to talk about this in a second, and not go to college. Right now, they might be, I don't know, I might be talking at a school here. I've not looked up the skill sets of the Ferrari mechanics. They might all be mechanical engineers, they probably are, but I think skills-wise, you know, my analogy plays out. It's like, look, you still have to start with the basics. Get fundamental, solid fundamentals, and I talk about operating systems, networking, application development, at least those core. And now I throw AI there right on top of all that stuff, but then build on that to start moving into security. I like that. I like that analogy.
Steve: That's good, all right. Question number two: do I need a college degree or are certifications enough for a career in cybersecurity? John,
John: What are your thoughts? I think that you can definitely have a career, and a successful career, without a college degree in IT or cybersecurity. Does it help? Yeah, it helps. Now you have to weigh the... We were talking to one of our guys who's looking at a master's degree. You got to weigh that time and cost. I don't think it is necessary.
John: I think that you can, but you can't just do it with just certificates, right. You do need to build this snowball, the experience snowball, right. So start out small. Your certificates might get you in the door and then you just keep building, you keep building, you keep building. Certificate training, it doesn't have to be certificates. At some point there's like a, do I need to keep getting certificates? No, but there's the experience tipping point, where you have gotten enough experience, where the certificates don't really outweigh your experience. Your experience weighs over those certificates. Certificates are great, but there's a point of no return, there's a point of least value. But I do think certificates and experience, that snowball, building the snowball, and keep building and keep building and keep building, will open doors. Now you might run into a glass ceiling, or a ceiling, at some point that's like, hey, I'm looking at candidate A who's got a master's and a bachelor's and this and cybersecurity, and you got nada. You're going to have to do a lot, you're going to have to work your butt off, you're going to have to work hard and you're gonna have to network like crazy and prove that you are the best candidate, right? So there is a ceiling there that you will run against at some point if you keep moving in your career, but in my opinion, it doesn't mean that you're less of a candidate. You just have to imagine you're in the interview and you're like, well, look, we've got candidates here, they've got this and this degree. You don't have a degree. Can you explain why? I'm like, well, look, this is how I've been getting after it, this is what I've been doing, this is what my skills are, this is how I built this and how I solved this problem. And here's where I am. I do have these certificates that help support what I'm doing. But yeah, I mean, here's why I don't have a degree.
Right, I felt like the value for what I got out of it. And this could be argued, Steve.
John: Steve knows, our students know, right, what, how much experience, actual experience are you getting in cybersecurity in these degrees? It's not a lot. It depends on what it is. You know, I can't speak for all degrees, but I know, look, I work in a university, right. And just because you got the degree doesn't mean you're ready to hit the road for a job in cybersecurity, right. So, just, I think you can definitely do it. You know, I can show proof of that. It just takes a lot of work. You just have to work at it. Now I do think going and getting your degree is not a bad thing. I think it's a good thing. As long as you're not going crazy and you're spending $120,000 a year, $90,000 a year, then it's like, what are you doing, right? Like, you gotta, you're gonna pay that off forever. But Steve, what do you think?
Steve: I like it when you just get going, John. Seriously, no, I completely agree. So to answer this question, all right, let me put it to you this way. So the question was, do I need a college degree or are certificates enough for a career in cybersecurity? For you to get started, you don't need a college degree.
Steve: Like John said, if you're trying to climb the corporate ladder within cybersecurity and you're trying to get to a leadership position, it also depends on the companies and the areas where you're working. There might be some companies that want their higher-ups to have master's degrees, college degrees, whatever, and that may affect you. Now you may work for a company that doesn't require that. You know, if you put in your time and you are responsible and they know you and you build that reputation, they could care less if you have a four-year degree or not, because you've shown through the years of experience and working there that you can handle that position and you've worked your way up. So it really kind of depends. But in order to get started you do not need a college degree.
John: That's a great way to put it. And hey, you can always get it. You can always get your company, at some point, maybe they'll pay for it, right? So, exactly.
Steve: So think about that me.
John: Think about that, right. You could be in debt for however long, however many years, or... that's a real thing. That's like a weight on your back. That's a lot of how long you might be paying for that, until maybe one day we figure out how to do this without putting everybody in debt or major debt. All right, this is a good topic. We could do a whole episode on this topic. All right, I'll do the third question: how important is a home lab and what should I put in it? That's a good question. That's a great question.
Steve: I think a home lab is very important, especially for those that are just getting started in cybersecurity and don't have any real-world experience or are trying to get it and are trying to just get better at understanding some of the basics, understanding security tools, playing around with certain labs. I think it's super, super important and it's a complete game changer. You absolutely need a home lab, especially if you're getting started in cybersecurity.
John: Great. Yeah, I think what sold me on this even more so was when we talked to Doug Burks, the founder of Security Onion and that company, and he said specifically this: you should be building a home lab, you should be playing with things. He has a home lab. He's still doing things. He mucks around and tests things in his own home lab and how... How, to me,
John: We were talking to one of our mentees, our guys we're coaching this week. How much gold is it? So what he did, he had, you know, a simple home lab so far. He's got a Kali box, he's got a vulnerable box, he's got Security Onion in the middle. He's attacking and he's monitoring and he sees those in Security Onion and he's diving into the alerts and writing that up. That is resume gold, right? That is like a great opportunity to talk about what...
John: If somebody asked you this question, hey, you have a home lab. You know, what are you doing with it? Or you mentioned, hey, yeah, I have a home lab at home. This is how I'm getting practice. Oh, tell me about your home lab, what are you doing? Oh, I did this and I set this up and I tested this out and I'm learning. Oh, I had to set up Security Onion. Yeah, that's a big deal and not many people know how to do that. Um, had to set up Splunk and figure out how to get those logs into Splunk. Dude, these are gold. This is gold stuff. Right, and it's... I mean, it's gold because it's a very good experience.
John: Think about a typical, I would say typical, analyst. They're just used to thinking about, and this is probably what they're going to teach you at college, oh, you got an alert, go figure out how to triage the alert. Well, you don't know how to set up these tools. You don't know how they work under the covers. You don't know how to... We did a whole episode on build, right. So this whole build concept sets you apart because you know some things that other people don't and you can configure things, and it gives you some Windows and some Linux experience and other experience that you just don't get, um, if you don't have a home lab. So I just think it's super useful, it's easy.
Steve: You can do it for free, absolutely. So the second part of this was, what should you put in it? And I think you've already mentioned some stuff, but just going back, so you can start with a Windows machine, a Linux machine, Kali Linux is a good add-on, Splunk, we talked about Splunk. Um, we talked about Security Onion and, if you can, Nessus as a vulnerability scanner. I think that's a good basic package.
John: You can do a lot there. Yeah, throw a VulnHub VM in there, or Metasploitable or something that you can attack and try to monitor that kind of activity. Just throw some stuff in there, test it out, see what happens. Have something in mind, right? Oh, I've never set up X before. I have a goal to try to get some reps in. Security Onion is a great one, because there's so much going on there, you've got Elastic in there, you've got Zeek in there, you've got Suricata or Snort, like there's a lot to play with. So just those kinds of things are great examples.
Steve: All right, awesome. All right, here we go. Uh, next question: how long does it take to land a cybersecurity job from scratch?
John: Well, and we kind of talked about this a little bit with the starting with the... you know, the first step, without even getting those fundamentals. So from scratch means you really, from zero to hero, yeah, like any IT experience, right?
John: Um, you know, similar to what we said earlier, it's going to take some time. You know, you're going to have to pick a path. In my opinion, pick something IT that interests you and get some experience, and you may just be able to get enough skills to land a help desk job, you know, but you may still need to get a job in IT to get enough experience to then bank off of that experience to use to get in security. Right, it's not a goal, you know, now. It's even harder. So it's not given, and we all know this, the entry-level jobs that are out there, are they really entry-level? That you're going to be able to get a job in cybersecurity from scratch, like, oh, I've never worked in IT before and I don't have any... I've got certificates and I've got skills, but it's going to be hard to get in the door. You're going to have to make a really good case and show your skills and network your butt off, right. So you may have to work six months, you may have to get a job in IT for six months with the mindset of, okay, this is my launching point. So somebody can say, oh, what experience do you have? Oh, I've been working as an IT consultant for six months, a year, but at the same time, I'm getting my certificates in cybersecurity, I'm doing TryHackMe, I'm doing Hack The Box, I'm doing this in security and I'm trying to get my... I want to be in security, right. But if you're at zero and you've never... and you don't know how to troubleshoot a network, you don't know how to work with Windows or Linux, you know, there's a lot, right? So if you want to work on Ferraris and you got zero mechanical experience, which is like me, I'm like maybe a little over zero, um, you're gonna learn how to be a mechanic, just like we said earlier.
John: So it depends. How much time do you have available? Are you a student? Are you a family person? Do you have kids? Do you have a job? Right? So if you're a student and you got all the time in the world and maybe you're in school, you got a lot more time available to you, you could level up faster. You can work on those things that you need to work on. But if you're a person that has a family and you got commitments, it might take longer. It's going to take longer, right, because you're going to have to be spread out over the time. Now, what I would say is the good news is you can do it, it is possible. It may just take more time and you may have to go through intermediary steps, like a NOC job, like a help desk job, like a whatever, to land the next opportunity. But it is possible. You know, you can do it.
Steve: I completely agree with everything you just said. It really just comes down to, are you starting from zero? What's your end goal? I mean, this is kind of like some of the questions we ask when we're getting started with mentoring and coaching someone, right, like, what's the finish line to you? What does that look like?
Steve: And we assess kind of where you're starting, we come up with a plan, like John said.
Steve: But it's really easy to come up with a plan that you can get just by watching some YouTube videos or just hearing somebody talk online or asking ChatGPT. But it's another thing when you're working with actual professionals who can give you more of a straight-line path where you can earn yourself some time, some money and some effort. So it really just depends on how good is your plan, like John said, how much time can you commit to the training, to just everything that it's going to take, and how quickly you want to get it done. We've worked with people who, hey, they are a family man, but he's got a deadline, he's got a day that he needs to be ready for, and as long as they're putting in the effort, we're putting in our effort and we can reach our goal. We've also worked with others that it's kind of a slow crawl, and that's okay. Everybody's different, everybody manages their time different and has different availability, so it really just depends on the individual. But it could be anywhere between six months to 12 months to 24 months.
John:It just really depends. Yep, everybody's unique and different. It depends on where you are and your goals, like you said. Yep, absolutely. All right, here we go.
Steve:Next one. All right. So what kinds of projects really demonstrate practical skills to employers? If you had to recommend two or three projects that show I'm job ready, what would they be?
John:That's a good one. Yeah, yeah, I mean the similar projects that we're telling our folks, right, and we talked about with the lab: setting up your tool set, setting up something like Splunk, setting up the different VMs, figuring out how to get logs into Splunk, getting that data into Splunk or a tool like Splunk, ELK or whatever. And what I want to see you do is work through those and triage. I want you to see it, get as much work that you could show.
John:One of our examples was download a PCAP that has an incident or has malware related to it from network traffic, real traffic, that you ingest into something like Security Onion. You pull it in, it's got alerts, it's got logs, and you go figure out and decipher it and try to figure out what happened. Now you may not know what to do at first, but you can use tools and write-ups to say, hey, help me understand this. What does this alert mean? Right, but any of that stuff that you're going to do in security that you can do and mimic and simulate in your lab is perfect. Vulnerability scanning, right, you can do that so many different ways. Fire up, download the free Nessus and scan a bunch of vulnerable VMs, I mean that's perfect, right.
John:And then write a report. Hey, this is what I found. This is what happened. This is what the error said. This is what's vulnerable. Oh, let me go look at that vulnerability.
John:Hey, there's a write-up on this vulnerability, or maybe it's exploitable. Now let me see if I can exploit it. You know, oh, can I see if my detection tool can figure it out? Right, a lot of this stuff you can do. These things we're saying are good home lab type projects.
John:But any of that stuff that you're doing, even in other tools, like Hack The Box or TryHackMe, you know it's okay to use those and to write them up or put them in a way. I think what we're saying, what I'm saying, is do them. There's no shortage of ideas, of things to do, but we're kind of starting with the home lab version of this, and then do a write-up. The reason that write-up helps so much is, number one, you can put it on a page, your LinkedIn, your GitHub, your whatever, and share it as something that you've done, and people can read it and be like, oh, okay, cool, this is what you did.
John:Let me ask you about it. Right, but it also helps you remember it better. When you just do it and you hack that thing or you did this vulnerability scan and you go, okay, I learned from it, it also helps you solidify: oh, this is what I learned. I'm putting it down on paper. Let me understand. It'll help you understand it and remember it later after you've put it on paper. So there's a couple of ideas. What do you think, Steve?
Steve:Yeah, no, I think that's good. I think what you said about try and think of the positions you're going after right. So, for example, if you are beginning your journey and you're trying to land a position as a SOC analyst, right, there is a lot of information out there. Even we have kind of discussed what a SOC analyst does day in and day out. Based off that information, it's pretty easy to kind of create certain scenarios or lab work, especially if you kind of create your lab, kind of like we just talked about previously. You have your machines, you have your tools, your tool set and you have somewhere to work.
Steve:And then, like John was saying, right, what are some of the things that a SOC analyst does day in and day out? They're looking at alerts, right, there is a SIEM solution, there is network monitoring, things are coming in, alerts are going off and you are investigating. So, as you're doing this, creating a write-up is exactly what you would do in a job as a SOC analyst, right? Also, vulnerability management, like John said, download the free version of Nessus, get a vulnerable VM into your lab, use the Nessus scanner to scan for those vulnerabilities, get familiar with doing that, get familiar with reading that output and then giving recommendations. And again, you could write that up, take screenshots, put it in a PDF document, upload it into GitHub. I mean, all of that matters.
Steve:Now, some of the things that I like to tell people too is, if you kind of already have an idea of what position you want to go after, what position you would like to land, as you're going and looking at different position descriptions, you will start to see a pattern of different security tools that are being used, different things that they mention that they want you to have experience on, whether it's investigating phishing emails, right. So you can get ideas off of those position descriptions for things to do in your lab environment as projects. So that's just something else for you to tackle.
John:Yeah, we did several episodes that kind of cover some of this. One is tools and skills to master as a security analyst, part one and part two. Yep, go check those out. Right, we talk a lot about this stuff that you could just be like, oh, that's a great idea, let me make this into a project or put this in my lab.
Steve:So that is Season 2, Episode 5, part one. Go check it out, and if you've listened to that and if you've done your best and you still need a little bit more help, just reach out to us.
Steve:We'd be happy to take a look at what you already have on GitHub and what you've already done and then just give you some advice on where to go next. So this next question is kind of the same, but it says: when building home lab projects, how can I focus on ones that connect to real-world problems rather than just endless exercises? Well, we kind of just talked about that. Right, think about what you are going to be doing day in and day out, what kind of tools you are going to be using for what role you are going after. And if you're unfamiliar, you can Google it, you can ask ChatGPT, but also you can look at different position descriptions that describe the experience that they want you to have, and from there you can tell a little bit better what it is that you're going to be doing, what tools you will be using.
John:And then from there you can get some ideas. Yeah, one of the things in here that we had that I don't think we've really talked about, which I think is a good idea, is Active Directory, like hardening Active Directory. And I was trying to find examples, but they're out there on GitHub. There are whole environments you can spin up that have a domain controller and VMs that are part of the domain, and those kinds of configurations that you can do without having to fully build it. Now again, building is good. Learning how to build a domain controller is not a bad experience. It's going to be good, but it takes time. But learning how, if you had a vulnerable Active Directory, learning how to harden that, man, that's a huge skill. That's an awesome opportunity that you can do in a lab environment and get practice with Active Directory and hardening it and understanding the security weaknesses.
John:Oh, this says it's vulnerable. Why is it vulnerable? What does that mean? What could a bad guy do with this vulnerability? You can do all that in a lab.
Steve:Yeah, I mean also, just like, you know, if you're using Splunk, writing Splunk rules to detect certain things. There is really just so much you can do, but if you do need a little bit more guidance, more of a plan, just reach out to us. We'd be happy to help. All right, what's the next one?
John:Next one. So I'm interested in cloud security, but is diving into it early helpful or will it stretch me too thin? So what I would say is, you know, you still got to work on the basics and fundamentals, because what's the definition of the cloud? It's another person's computer, right? So ultimately you're running your stuff, your apps, not on your hardware, but you're running on their hardware, their virtual machines. That's really what it is at the end of the day. But there are a lot of things that are different about it, even though it's ultimately just like running on their stuff: all the different nuances of Azure versus AWS versus Google Cloud, and that terminology.
John:I would say keep building the fundamental stuff at the same time as working in the cloud stuff. Right, you know it's going to be tough because you can get spread out, like you said, too thin, in this question of, okay, do I spend time on AWS, do I spend time on Azure, do I spend time on Google Cloud? Pick one. There's places that are all one, all the other, both. I would say Azure and AWS are the top. AWS is probably the top, it depends, maybe not anymore, but sprinkle those in. Pick a class, an Azure security class, that you can take, probably free, and go through that.
John:Try to get some experience understanding the terminology, because there's a lot there terminology-wise that gets confusing. You're like, okay, I know what they're saying here, but what does that mean? Right? So, if cloud security is your goal, I wouldn't wait too long. Right, if you have decent fundamentals, start sprinkling in some of that cloud stuff, because you're going to start getting familiar with the way the architecture works and those keywords and the terminology. If you wait too long, now you got to start over with cloud stuff and learn the whole world of cloud. It's not too hard, it's still based off the fundamentals. But if somebody starts throwing words at you, you're like, I don't know what language you're speaking. Right, so I just wouldn't wait too long. If that's your goal, don't wait, you can sprinkle that in.
Steve:Yeah, I agree. I think, especially if you are interested in cloud security, right, not just cloud, but cloud security, start with the security fundamentals first and then go into cloud fundamentals as well and go from there. And, like John said, don't wait too long. I feel like that is also an area that just keeps evolving. Things keep changing, so you want to start as soon as you can, but as soon as you feel comfortable, so that you don't get overwhelmed, but you are still focused on your primary, which should be security, with a sprinkle of cloud on top.
John:Yeah, and eventually you get to a certain level. Okay, I feel pretty good about where I am. Then you can dive into the cloud. Next question: what projects would you recommend for blending cloud security with traditional security? So, you know, as we're saying, there's a lot of stuff that is overlapping, but there is stuff that is different. A good example is hardening and the hardening guidelines, like the CIS hardening guidelines, learning how you could implement those for your instances in the cloud and how you might benchmark against those and/or alert on those.
John:How are you going to do alerting in the cloud? Like, how are you going to do it, are you going to send your network data back to your SOC? That one might be hard to dive into other than just understanding. You know, I could probably look up four, five, ten books on security in the cloud for different ones, AWS and Azure, and pick out some things. Just imagine everything that you do in an on-prem SOC or security role. How can I do those same skills and tasks in the cloud environment?
John:A lot of it is similar. At the end of the day, you get an alert. Right, that's what you want it to be. But you know the same stuff. It's going to land in an alert queue like Splunk or whatever SIEM, right? So it's the same skills, it's just learning. There's different parts of that. There's the analyst triaging alerts, and then there's the engineer focus of, like, I'm going to help design and engineer a solution to make sure our stuff is secure in the cloud, right? So if you're starting from the basics, though, I wouldn't go too deep in the engineer side. Now, it's still good to learn it, but you can get overwhelmed. That's like the leveled-up version after you get through, okay, how do the fundamentals in each cloud area work and how do I do monitoring, detection, response?
Steve:Yep, absolutely, I agree. One thing to keep in mind is some of the tools that you use to work in cloud environments might be different than some of the tools that you use on-prem. There might be, for example, some AWS-specific tools that you want to use for AWS environments, potentially the same thing with Azure. So, just keeping that in mind, but, like John said, just don't overdo it. Start slow. But again, the focus should be security. You want to get your security down pat and then you want to move into cloud. All right.
Steve:Moving on to some more questions here. All right, how does mentoring with Cyber Professional Services work? That's a great question. So it really depends on your needs. But if you're coming to us because you just need overall help, just starting from zero, trying to get to hero, it's very simple. So first we discuss what your finish line is, where your end goal is. We create a personalized roadmap that will get you there, and then we work with you to help you along the way. So we do regular check-ins. We're accountability partners. We'll give you real-world advice, but also use our experience to help you take it from A to B in a straight line, and you're not wasting time, money, effort, and we're going to go specifically to the things that you need to know, need to do, and help you get that job.
John:Yeah, good answer. Next question: can you really help someone with zero experience land a job? And I think we've talked about this a bunch already. Just, you know, yes, it might be an IT job. It might be that first step that we can then help you through your career, right? So, yes, we can definitely help you. I believe you can do it. It just takes time. So it is possible, we've seen it. We've helped people with it. It's just you got to put the time in.
Steve:All right. Next question: what's the most common mistake mentees make? I want to say just, they go crazy on applying and don't really take the time and effort to slow things down. Focus on a few really good positions they're interested in. Spend the time to tailor and customize those resumes. Do some networking within those companies that you're really interested in working for. And yeah, I think they just think, as long as I have one good, solid resume, I can apply to a hundred companies and someone will call me back, and that doesn't happen.
John:Yeah, I think that's a great point. I would say getting spread too thin in general with too much information, that we talked about, too much content, and working on too many things and losing focus to keep the ball moving, right. That's something that we help a lot with. It's like, all right, here's where you are, keep that moving, focus on this, keep focused on it, but build on it, build on it, build on it, build on it, build on it. Right, otherwise you just get overwhelmed. So I just think that's what happens to a lot of people: they just get snowed in by too much information, too many things you can go do. Yep. Question: do I need to be technical to benefit from mentoring? What?
Steve:You got? Not at all. I know we have kind of a SOC background and technical background ourselves, but we are helping other individuals who are not so technical land their roles in cybersecurity, and that includes compliance, policy, GRC work, not just technical engineering SOC work.
John:Yeah, no, well said, I don't have much to add. You don't have to go down that same path that we did, but we can definitely help you and we are helping people right now that they're wanting to get into GRC compliance jobs, and we're happy to help them.
Steve:So next question: why did you start the Cybersecurity Mentors Podcast?
John:That's a good question. That's a great question. I had to trick Steve into this thing, right. I was like, hey, you listen to podcasts. He's like what? Oh, I've heard of them. I don't listen to those things.
John:And I don't know, I feel like I love podcasts. I've loved podcasts for a long time. I still enjoy listening to podcasts. I don't really listen to the radio that much. Every now and then I'll listen to some music or something.
John:But I like learning, I like listening to people and listening to people's stories and listening about lessons learned and things. So for me, I was like, you know, we can do this. We can help share and give back to people and help scale our mentorship to others, where we had been doing this at a small-ish scale to our people, and we wanted to see, well, maybe we could have a bigger impact out there in the world by doing a podcast and sharing our stories and our lessons learned. So that was the biggest motivation, because I thought it would be fun, I thought we'd have a good time and we would learn a lot and be able to share some of the advice, give some guidance. We don't have all the answers, but that's okay. We're not trying to have all the answers.
Steve:But that was the main motivation behind it for me. Yeah, John had to twist my arm and sell me the stars and the moon to get me on here. You know, I was not a huge podcast fan like John was, but I think, once I started really focusing on mentorship, really mentoring others, I saw the value in us getting on here and just sharing some advice, because I would see a lot of people that would go and ask the wrong person for advice, and they were leading them down the wrong path, and I saw it as, you know what?
Steve:Maybe this is a way for us to help a lot of people with some real, true advice from people who are actually in the field, who have actually worked in cybersecurity, who still work in cybersecurity, who know what the heck they're talking about. So that these individuals who are just trying to get started stop listening to these, you know, influencers who don't know jack about security. They're just trying to get paid by pushing you to join some boot camp that's worthless. That really was infuriating. I had a couple of people come to me that just kind of fell for that trap, and I was like, you know what, John, let's do it. Let's do it, man, because if we're not giving people advice, they're getting it from somewhere else, and some of that other advice is trash.
John:So that's why I said okay, but John has been wanting to do this for a very long time. Yeah, that's a great point, though. It's like these, I'm not trying to call people out, but it's like, how long have you been in security, how long have you been doing this? And you're out there, you got a million views, like, who are you? Right? People don't, I don't know, like people want to see the flashy stuff, the cool stuff, right, and we don't have flashy things. We don't have lasers coming in, that's okay, right, but it was frustrating to say, like, who are these people and why? And people are listening to them and listening to their advice, and we're like, look, we can at least get out there and give our experiences and help people get on the path, in our opinion, the right path. Yep, absolutely. All right. Who's been your favorite guest so far and why?
Steve:Man, this was a tough one. Yeah, this was a tough one. Okay, we've had a lot of great guests, and there's some in the works. So I think, you know, I have to say probably my favorite so far, and don't get a big head now, was probably Grant. Yeah, because it was good catching up with him.
Steve:Okay, I mean, and it's just because he and I have some history, yeah, and it's just good to see how his life has turned around and all the great things he's getting into and just reconnecting and catching back up. But we've had a lot of solid, solid, professional individuals. But that, to me, it was just catching up with a buddy again.
John:So I have to say Grant. I could say Carson, just so that I could have the opposite and they could go after it. And I do love Carson's episodes and I love Grant's episodes as well. I'm not going to say they're my favorite, but nothing against them, I love them. Sorry, I think my favorites were, I got a couple.
John:One is Matthew Diggs and the storytelling episode. He just killed it, and he's got a lot of great information and an entertaining way he presents. And then Dave Kennedy, right? Yeah, it was off to the races from go, right.
Steve:He did not stop.
John:If you haven't listened to both of those, those are my top recommendations. Like, look, these guys brought it and definitely were informative but also entertaining, and it's great, great episodes. Next one is: what's one story from a guest that stuck with you?
Steve:Yeah, yeah, that is a good one. I...
John:The one that stands out in my head, just because we had him on this season, was TJ's story about the soccer and just getting after it and going and kicking the ball against the rock. That's one that stands out right now. You know, I'm sure there's others that I have brought up and said, hey, remember when so-and-so said this, but that's the one that stands out to me.
Steve:So for me, and again, it's probably because it's fresh in my mind from this season, but I want to say it was Evan, CEO from Abnormal AI. Yeah, just his story of all the failures that, you know, he kind of went through before that success, and as a, you know, entrepreneurial mind, I really enjoyed that. Getting the perspective from a successful entrepreneur and where he's at and what he's been through, I actually really enjoyed that.
John:Yeah, yeah, he was great too. Okay, last question: what is next for the podcast? To the moon, buddy, to the moon, to the moon.
John:We're taking over. Well, I will say, in that vein, right, we're in talks and trying to explore ways. We can't make any promises about anything, but, you know, we see that there's definitely huge opportunities there to connect others, to get real experience. Right, that's the golden ticket. And all these questions we've talked about is, how do you get experience without experience? You know, we are trying and investigating and cooking things up to see if we can offer those kinds of opportunities. It might be apprenticeships, it might be, you know, internships. It might be something to be able to work with us in a real way and on real engagements and be able to actually put on your resume, worked with John and Steve and with this group.
John:And we did this, and this is what I did, right. That's what we did and have done for students. That's what we've talked about, being able to give you a chance to get that experience. And I mean, how cool would it be to work with Steve and John? I mean, listen, right, when it comes to big and bold, it's a big step and we're going to have to make sure we have everything lined up and we cover our bases. But that's what we're thinking about, right, we're thinking about these things, big goals.
Steve:Big, big goals, and John kind of just let the cat out of the hat there a little bit. It was something we've been talking about for a good bit now, but things seem to be moving, so hopefully, you know, fingers crossed, things pan out and we're able to offer these opportunities to everybody.
John:But this season has been another great season. We've worked a lot. We've gotten better. I think we keep getting better every episode, and just give us your feedback, absolutely.
Steve:Absolutely, yeah, and that is it. That is a wrap for this episode. Again, thank you all for listening. It's always a pleasure to get on here and just have John and I talk about what we believe is interesting and important for future cybersecurity professionals. But yeah, again, just so you know, the Swag Shop is live. The link's in the description. Also, our Networking is King training is live and you can find the link in the description as well. But with that, Season 4 is a wrap. Thanks everybody, we'll see you. Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.
John:Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.
Steve:Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast, and follow us on LinkedIn. We'd love to hear from you. Until next time. I'm John Hoyt and I'm Steve Higuretta.
John:Thank you for listening.