Episode Transcript
[00:00:00] Speaker A: Phil, welcome aboard to the show. So happy to have you here today.
[00:00:04] Speaker B: Thank you. And thanks for inviting me. It's an honor to be joining you, Phil.
[00:00:08] Speaker A: You know, we have to start with the bear story.
How does somebody find themselves wrestling a bear?
[00:00:17] Speaker B: Yeah. So to kind of give a little background to where maybe that story make more sense.
Back when I graduated high school, I didn't know what I wanted to do for a career, and I was a powerlifter. And my friends said, hey, you should be a pro wrestler. So I went to wrestling school and became a pro wrestler. But during that time, I wasn't wrestling enough to make a living off wrestling alone. So I worked in a nightclub as a bouncer. And on Sundays, we had special events there because normally they would have bands there, like Thursday, Friday, and Saturday. But it wasn't cost effective to have them on Sunday since there wasn't as big a turnout, so they'd have different special events. And since I was an employee there and lived there in the city and was a wrestler, they brought in this wrestling bear, and they used me wrestling the bear as a way to market.
[00:01:07] Speaker A: Hold on. What's a wrestling bear? What does that even mean?
Any other bear?
[00:01:13] Speaker B: Yeah, it's a bear that's trained to wrestle.
[00:01:15] Speaker A: Oh, wow.
[00:01:16] Speaker B: So he actually tried to take.
[00:01:18] Speaker A: It's not dangerous. I mean, it's a bear. It's a wild animal.
[00:01:21] Speaker B: It could be dangerous. I mean, it's the. Far as I know, the bear didn't attack anyone, which is, you know, when I wrestled the bear, I didn't take the bear down. No one at that point had taken the bear down. But the thing that worried me is if someone ever did take the bear down or scared the bear enough, how is he going to react?
[00:01:38] Speaker A: Oh, wow.
[00:01:39] Speaker B: Yeah.
[00:01:40] Speaker A: To me. I mean, what was going through your mind at that stage?
Bears are dangerous. That's a thing that we all know. And you're like, oh, I'm going to wrestle a bear. Pros and cons.
[00:01:53] Speaker B: Yeah. I was like 20 years old. And when you're 21 years old, when you're that young, you do stupid things.
[00:01:58] Speaker A: Fair enough. You know, I had another guest on the show, and we kind of came to the conclusion together that some of the stupidest things that he. I. Everybody does are both delightful and the worst things that you could absolutely do. So I appreciate that.
What is wrestling school? That's interesting. I don't think our audience is kind of familiar with how you become a pro wrestler.
[00:02:27] Speaker B: Yeah, pro wrestling in the US is pretty popular, I guess. Globally, it kind of is. But you have to go to wrestling school to learn how to wrestle. And pro wrestling is not real. So you have to learn how to throw punches and do the different maneuvers without injuring yourself or the opponent. Although there's a lot of cases, you still. You still do get injured. And just kind of thinking back to the bear thing, pro wrestling was actually more dangerous because I got injured more from wrestling than I did wrestling a bear. But they have different schools. Back then, it was as popular as harder to find the schools. Now there's. It's a lot more popular, popularized. It's easier to find these schools, and they're more well known. Back then, it's like no one really knew how to get into wrestling school. And back when I was getting into wrestling in the mid to late 80s, at that point, they hadn't announced that wrestling was fake yet. So it's still under the guise that it was real. And when I joined wrestling school, I was really worried what it would be like if they would let you know that it's real at first or fake.
And I thought maybe you'd have to really wrestle for real at first. I didn't know what they would do or any kind of initiation that they'd performed to let you know that it was fake. Because, I mean, anyone could have signed up for wrestling school, joined and found out that it was fake back in the time when, you know, they were trying to claim it was real.
[00:03:52] Speaker A: I'm dating myself, but I used to be a big WWF fan. I don't know if that's even a thing anymore, but we used to watch it a lot.
It was a lot of fun, I gotta say. But the industry has changed tremendously since.
[00:04:05] Speaker B: Yes, it's kind of amazing because I went with a church friend of mine back in.
I'm trying to think now. It was probably about 2013, 2014 or something. We went to a WWE event, which is formerly WWF. It was in one of our big sporting event venues here in Dallas. And it's crazy to see all the sound system and stuff that goes along with the pro wrestling match. Back when I was in it, you had a basic PA system and they had like all these amps and speakers and lights. It looked like a rock show or something that they were. That they were set up for. So it's so much different.
[00:04:43] Speaker A: Used to be, yeah, it really is. I appreciate that, Phil.
This is. This is pretty amazing. You have had 30 different roles in 25 different companies.
I gotta say. That must give you a breadth of experience and insight almost into the human condition. And I preface that to the following question. You had a really interesting interview where you mentioned a few, let's say, of your takeaways from these 25 different experiences. I wanted to ask you a few questions on the topic.
[00:05:20] Speaker B: Sure.
[00:05:20] Speaker A: You said take your time learning.
Why is that? What was your experience around kind of learning pen testing and learning cybersecurity.
[00:05:29] Speaker B: If you try to rush it, it's hard to retain. And one of the ways I like to compare that to is if you ever look at boot camps. Boot camps, you know, usually, I mean back in my IT days I went through like an MCSE boot camp. It was like two weeks long and fortunately I worked with the technology so I was able to retain it. But compare and contrast that to the Cisco CCNA boot camp I went through which was a week long because there wasn't as much to cover. You know, there's so many different domains and exams you have to study for for the MCSE.
And so I took that exam and passed it the first time. And for about a month I could answer Cisco questions really well. But as I got away from it, we did get to do some hands on stuff in class but I didn't really know enough enough well to retain it. And another story I like to share is someone from our local community here in Dallas, our cybersecurity hacker community.
This young man had got a job as a pen tester and he needed to get better at reverse engineering. So he learned the assembly programming language.
So he had taken assembly in college as part of his degree, but he really didn't learn it well enough. I think the class might have been not so hands on because sometimes four year universities aren't so hands on. It's usually more reading and more methodology and that type of thing. So he didn't really learn it, so he had to go back and learn assembly programming language. Whereas if he had learned it the first time around, then maybe he would have just needed to do a little refresher. So as you're learning, take time to really learn it well. Especially any items you're going to use in your career. Say if you're going to university and say art appreciation, music appreciation, history and some of these other studies, not to say they're not important, but they're not as important in your role. So the things that you would be using in a role. Yeah, if you're going to school for computer science, really pay attention to that stuff.
Writing courses, any kind of communication stuff that you're going to use make sure that you take time to learn it and not just try to speed through it. Because when you really go through it fast, you don't really retain it well, then you got to go back later on to learn it again.
[00:07:40] Speaker A: There's an incredibly important point here that I want to kind of extract and it's about prioritization because we can't do everything to the nth degree, which means that we really need to choose where we're going to focus and where we're not going to focus.
I gave my son my hack for university. I was working full time, right, more than 40 hours. I was working 60 hours a week and doing my first degree in computer science in parallel. And I said, look, I used to work my ass off at my company and I used to take a week vacation before the basically semester test and I used to study and I told them, look, this works exceptionally well. I got grades higher than what I got before when I actually go into classes. The only problem is you won't remember anything three months later.
So anything that you do in that method you're not really going to retain. That's the big downside.
And I was very frank with him about that point that it's not a great strategy to actually learn. So how do you differentiate because there's stuff on the, let's say the soft stuff of the degree that are incredibly important, there's stuff on the hard side. Right. That are incredibly important and then vice versa. How do you kind of make that prioritization coming from a point that you don't have 20 years of experience?
[00:08:57] Speaker B: Yeah. So of course you really want to make sure you get the soft skills down, which in my opinion a little bit easier to learn than some of the hard skills and more technical stuff because you've spent some time in school before you went got to a university or a community college or wherever Post K through 12 education you're using.
So a lot of those things you should have down. Just make sure you refine those. Because for me, when I was in high school, I really didn't take my writing really seriously. I didn't really take school seriously at all because that's really why I ended up pursuing a professional wrestling career. Because my grade point average along with my college interest exam scores were not high enough to get into college. I would have had to get got some letters of recommendation from high school teachers, retake the exam again. And so yeah, so hopefully most people are coming through there, paid attention and got the communication skills down. But Just really focusing on the things that you're going to, that you're more than likely going to be doing. So if you're looking at cybersecurity for instance, then maybe you don't need to learn databases as well as you would some of more of your core cybersecurity content, some more of the security direct relate, direct related stuff. So if you're going through like a computer science degree, I think that is a great way to get into cybersecurity because understanding a lot of the technology helps make it easier for you to be able to protect that technology as well as if you're a pen tester, to be able to assess the security of that. So really focus on the things that you will be using in your career and kind of have an idea of what you want to do and some of the things you can do to figure out what you want to do in your career is go to some conferences, attend different online and virtual events and get exposed to all those. A lot of people automatically think they want to be a pen tester because hacking sounds fun.
[00:10:49] Speaker A: Yes.
[00:10:50] Speaker B: Get out there and explore the other areas because you may be missing out on your true passion if you don't do that.
[00:10:55] Speaker A: This is so, so important advice. I don't put like a huge exclamation mark at the end. Going and talking to professionals, understanding what their day to day looks like, what their life, what their profession really is, how it makes them feel, how they're treated. Right. What's the kind of pressure, stress in the environment? Like these are things we're not thinking about as youngsters. Highly, highly, highly recommended conferences, networking with people on LinkedIn. You know, there's so many opportunities to do so today. Highly, highly recommended. I really appreciate that. Phil, you said avoid negative people.
What does that mean?
[00:11:35] Speaker B: Yeah, so you want to avoid negative people because it's, it will. Especially if it's like something around the field you want to go into in cybersecurity because sometimes you find some people that have been in the field, you know, a long time. Not everyone's passionate and willing to help others. So try to stay away from that negativity that's going to bring you down and just hurt your confidence.
So you really want to surround yourself around positive people because if you ever, you know, you and I, we've been around long enough that you know, if you're around someone negative all the time, you're just kind of in a bad mood if you know there's a say, like the bonuses weren't Good at work and everyone's constantly talking about. That's all you're thinking about. It's going to be hard to get over those things. So try to be around positive people. That's going to help lift you up.
[00:12:23] Speaker A: There's a dynamic between being negative kind of reflects negatively on you because in some way it makes you look as if you failed in some way or you're not able to be successful. But on the other hand, these negative types. I had an employee who was just antisocial, negative about everything, but he was the first person I went to when it came to me coming up with a crazy new idea because he would rip it to shreds. Give me 20 reasons why I was going to fail, and about 15 of those are really good points, which I can then go and research into more and think about how I'm going to avoid that type of failure. How do we separate between, let's say, these devil's advocates and then this just emotional negativity.
[00:13:10] Speaker B: Yeah, you just have to see what kind of positive output, although it could be negative. And that's one of the things, too. That's kind of probably one of the things that's kind of held me back from starting a business. And not from the negative standpoint. It's just like you talk about taking this your employee, and he rips it apart. There's times I've thought of ideas for businesses, but I think there's too many cons to that. And it's not necessarily negative. So it's finding someone that can give you that feedback in a constructive way and not just being emotional. So emotions, you really have to separate from it. Maybe someone's got, you know, they got. They're not thinking positively towards that. They've got a lot of cons towards that, but as long as they can back that up and they're not bringing emotions in. When you bring emotions in to the negativity, that's what kind of makes it worse.
[00:13:57] Speaker A: Yeah, that's okay. I think it's about the emotions, really. If it's really the logic and the risk and there's good data backing up the quote, unquote, risk, because I really like to look at it as risk, not negativity. If it truly is risk and not just emotional baggage, then I think that's where it becomes valuable to understand it.
[00:14:16] Speaker B: And, you know, there's some value too, to also taking consideration is that someone is like the constant pessimist, someone that's always positive all the time. You got to make sure that they're seeing things clearly because it's good to be in a good mood. But someone, that's what they say is a yes man, always agreeing and going along just to keep people happy. That's. There's also some negatives with that.
[00:14:40] Speaker A: Yeah. I don't know if you would agree with this, Phil, but I would argue that both of them are equally toxic. I've seen companies go down into basically bankruptcy because of, you know, what we would call groupthink. Right. The senior executive leader had some rosy glasses on. His idea going down a rabbit hole and investing broke the company. And then the other side of it, the negativity is also true. So I would almost argue that it's the balance of really that critical thinking plus a optimistic view of, we can get over this, let's find the solutions, let's see if this will actually work, let's test it. So I think it's really the balance between the two.
[00:15:20] Speaker B: Yeah, I agree. Because if you have just a room full of people, they're going to agree and they may come up and really know this is not a good idea. And you kind of hope you'd have the people in the room that would know whether it's a good idea or not if you're kind of putting them in charge of helping you run things. So, yeah, you would want someone to tell you, but in some cases, everyone just agree with it and they think it's a bad idea and it fails, then, you know, that's not good.
[00:15:43] Speaker A: Yeah, I think to a degree, it's not only about the people you put in the room, it's also about you as a leader, how you basically open yourself to feedback. And in many cases, you know, good people who want to give the feedback are afraid to do so because of how the boss behaves. So I think that's an important part of the equation.
[00:16:02] Speaker B: I agree.
[00:16:03] Speaker A: This is a really interesting one. I don't think I've heard this before. You talk about mentors and study groups.
Is this in the context of studying university or is this in the context of a broader context?
[00:16:17] Speaker B: It could be in a university. But really a lot of that kind of stems from like. And I think that's kind of. It could be a university, it could be a college, it could be someone just studying for certifications. What really gave me that idea, my inspiration was back in, like December of 2012. I had been working on my OSCP. I had taken the certification and failed the certification. But on a message board online, this technical message board, they had some forums on there about different certifications. And I found three other folks that were working on the OSCP certification and we kind of got together as a study group. So it's almost like you're, you've got, you know, there were four of us, so you had, you know, four times the research than just the one person sharing their experiences. Because sometimes you try to do it. I mean, it's good to be able to work on your own, work as a team, because sometimes when you're doing things alone, you do need a team to help you. And mentors are important as well. But a study group could be as equally as important. And some of these people that I'm still friends with today, actually all three of them, although one is in India, so we really don't get to see each other. But the other two I'm constantly seeing at conferences, at least DEF CON and Black Hat each year. And then one of the others is in the same state as I and we run into this, run into each other all the time.
[00:17:38] Speaker A: This is such an important point. You really create true friendships with people through going through challenging, hard experiences.
Really, really important point. I appreciate that. What about mentoring?
How do you even approach mentors?
It's a thing that I feel like a lot of people know it's a good thing but kind of fail at achieving.
[00:18:01] Speaker B: Yes. And one of the things I like because the style of mentoring that I do is I, I don't like to take on people that I have to meet with once a month, once a week. I've done that before and it was okay. But I found the way that works best with me. Someone that's wanting to become a pen tester. We'll sit down and have like an hour long conversation.
I kind of give them some things to work on, let them go on and work on it, and then they follow up with me how they're progressing. And if we need to have another call, we will. But just kind of after that initial call, just kind of communicate through, you know, text message or some messaging app and share information like that. Because, you know, also with mentoring, I think it's good to teach the mentee or protege how to research some of those things. One of the most important lessons I learned from Offensive Security's OSCP certification is some people really downplay the try harder, think it's bad. But we, and I think today it's in these days. And I've, you know, had experience with this myself, we tend to give up too much. We need to learn sometimes to push just a little bit harder to try to get it. If you can't figure it out, then go get help. But I like to mentor where people are learning how to research and find the answers themselves. But one of the things I like to mentor across a bunch of different people and I really think that's the ideal way to get mentors. Find someone and it doesn't have to be a long term thing. Have a call with them, get their advice, start putting those into action. And when you have the diversified list of mentors, I think you have opportunity to learn more. You're not just dealing with this one person's opinion and experience. You're using the experience of many and the knowledge of many opposed to just the one.
[00:19:44] Speaker A: Yeah, I want to kind of reverse engineer the psychology of the mentor.
And this is from my personal experience. Tell me if you agree with this. If you give somebody advice that you truly believe with yourself, your heart and they kind of ignore it, that's not the relationship that the mentor is looking for.
You're looking to have an influence on a person that will actually invest the time. And if they kind of ignore what you're saying, there's really no first step for a relationship.
[00:20:15] Speaker B: Yeah, I agree.
And at that point, the mentee needs to find someone that they can work with. If it's them following the instructions, then they need to work on that themselves. And sometimes it could be mentee mentor relationships is interesting. I used to do mentoring through ACP, the American Corporate program. And it was this organization that was pairing up people working in the industry with people transitioning out of the military. And I had a mentee one time that never showed up for any of the calls. But then I had another one that we were working through. He was proactive. He was constantly texting me, asking questions. He was mentoring people himself while he was on his journey. And so it's just sometimes it's the relationship, how well you get along and sometimes you just may not, you know, for a mentee, it may not be a fit for you the way they do things. Because one of the examples I like to share is there's some people that have been in industry a long time, some people view it as gatekeeping and sometimes it's just this is the way I did it, this is the way I think you have to do it. So there's some people that I know that work in offensive security, work in security that they really think they're really intent that you should be a sysadmin or network administrator before you become a pen tester and my thought is if you can learn the skills and the knowledge, you don't have to put in that time as a system administrator or a network administrator working it. You don't have to do that. Is it helpful? Yes. But then sometimes I think that's some of the things you run into that this is kind of their way. The mentor is not flexible enough in the thinking, so it may be just a matter of finding someone else.
[00:21:55] Speaker A: I appreciate that the final point you made is around networking.
I think from the job search perspective, a lot of us think that we're just going to submit our resumes and that really doesn't work. Some stats from the end of the year. 1000 applicants per role in tech jobs.
How does networking fit into this? How did, what's your strategy?
[00:22:22] Speaker B: Yes, networking is one of the biggest things you can do. And kind of part of it has been my personal experience was once I got out networking, if I need a job, I can find one rather quickly. I got laid off at the end of February and then within six weeks I had an offer. And I only spoke with like three companies because my current employer, whenever I interviewed with them, I really liked the company and the people. So I was really kind of holding out to see if I got an offer from them or not. So having a, you know, really leveraging your networking is going to make it easier to find jobs. And this is not just through LinkedIn. LinkedIn is very important, but one of the things that makes things a lot better is when you meet people in person. So focus on building your network on LinkedIn as well as in person because once you form you forming relationships with people just seems to work better in person. And the more you work on that, the easier it is to find a job. There's some people in cybersecurity that are really working on their opsec or operation security. They really don't want people to know where they're at so they where they work so they can't get social engineered. I know someone has been in IT and security for many years and the company, they're really worried about getting laid off from their job, but they don't have a LinkedIn profile. It's like I tell people, you could be the best in the world, but if people can't find you, it's going to be hard to find a job. And then looking at these recruiting systems, there's such a huge influx of people looking for jobs. You could be competing against thousands of people and what's going to set you apart? You May have all the certifications or degrees, and maybe this AI enabled application system may not be checking, pulling your resume. So if you're meeting people in person, then you're either able to get your resume in the hands or CV in the hands of the hiring manager. 
Someone can get you in touch with the hiring manager, and a lot of people are willing to introduce you or refer you for referral bonuses. A lot of companies have referral bonuses. So if you connect with these people, you know, ask them if they refer you. A lot of cases they will, it's not going to hurt them if they, if you get hired, they make some money off of it. And in general, I see most people in cybersecurity want to help others, so they're willing to help others make their break into cybersecurity. Not everyone has time to be an adjunct instructor or a mentor, but there's little things they can do along the way. And when you're networking, you're going to these events. You know, a lot of people that work in cybersecurity technology sometimes can be really shy or introverted. Get to know the people there. Let them know what you're going to school for, what you went to school for, your degrees or certifications, your goals and what you want to do. Because while I was teaching at Dallas College, I got a lot of people asking for resumes of junior pen testers. And I knew people in the community that had the skills, what they were looking for, know that they were always showing up at these events eager to learn and volunteer, and I'd recommend them. And I had helped many of them get jobs just for the fact that someone's looking for junior pen testers and the fact that I talked to them, knew them from the meetups, knew their skill set and what they wanted to do.
[00:25:32] Speaker A: So I love that. What do you mean by volunteer? How does that come in?
[00:25:37] Speaker B: Yeah, so volunteering is like some of the different meetup groups, some of the different cybersecurity user groups, like your ISSA chapters, ISACA chapters, ISC2, OWASP, and even at conferences, a lot of conferences are always looking for volunteers. And this is a good example, good opportunity, and especially for students just trying to get out. I know a lot of college students that are graduates that graduate now still in college, some that they go and volunteer at these events and they find, you know, internships easier, they're able to network with people. Whereas, you know, sometimes that's kind of missing in some of the schools. They don't always emphasize networking and When I was teaching at Dallas College, that's one of the things I always emphasize to my students is get out there and network. The more you get to, and not only is it good from a job perspective, if you run into a problem on the job, then you've got this pool of people that you can reach out to and get answers.
[00:26:33] Speaker A: This is incredibly important, right, Because I saw this interesting stat. I don't know how true it is, but that men network more inside of the company, while women network more comparatively outside of the company, which is tremendously helpful for them to find their next job when that happens. And I was like, oh my God, this is such an important thing. And at least for me, that stat was true. So it kind of changed the way that I was looking at networking. This is an incredibly important tool.
So I really appreciate that insight.
There's only, believe it or not, we're out of time. This has been so much fun.
I have one last question. It's the only scripted question that we ask all of our guests and it's a difficult one because it's a personal one at that.
If you had to go back to 20 something year old Phil, what kind of advice would you give him?
[00:27:26] Speaker B: Yeah, one of the things I would have done, would tell 20 year old Phil is I would have focus more on public speaking sooner and just to, you know, put more effort into learning. Because at that point this was like in my wrestling career and even, even like public speaking. If I would have been good at public speaking when I was going through my pro wrestling days, I would have been a better pro wrestler. Because if you're a shy person to get up there yelling and doing like the pro wrestlers do, that can be kind of difficult. So if you have experience speaking, if I would have got into public speaking sooner, that could help me excel in other areas.
[00:28:06] Speaker A: I love that. I could not agree more.
The stat is outrageous. It's like 80% of people are mortally afraid of public speaking. So it's a skill that many of us can definitely improve in. Phil, what an absolute delight. I appreciate you coming on the show today.
[00:28:22] Speaker B: Yeah, thanks for inviting me. This has been a lot of fun. I do a lot of podcasts and this was very unique. I like the questions. It was a lot different. So thanks for having me.
[00:28:32] Speaker A: Thank you so much, Phil. It's very kind of you to say.