Balancing Cybersecurity: Mastering Soft Skills, Work-Life Balance, and Community Connections with Tyler Robinson Artwork

Security Unfiltered

Cyber Security can be a difficult field to not only understand but to also navigate. Joe South is here to help with over a decade of experience across several domains of security. With this podcast I hope to help more people get into IT and Cyber Security as well as discussing modern day Cyber Security topics you may find in the daily news. Come join us as we learn and grow together!

All Episodes

Security Unfiltered

Balancing Cybersecurity: Mastering Soft Skills, Work-Life Balance, and Community Connections with Tyler Robinson

October 07, 2024 • Joe South • Episode 171

Send us a text

Feeling burnt out in the tech industry? Discover how to reclaim your work-life balance and enhance your professional journey with our latest episode featuring Tyler Robinson, a veteran in cybersecurity. Listen in as Tyler recounts his unconventional start in the 90s with phone phreaking, which eventually led him to manage his high school network and develop a dual interest in both offensive and defensive security. His story exemplifies the immense value of bringing diverse skill sets into the tech world, including business acumen, psychological insights, and project management expertise.

Ever wondered how to communicate complex technical details to non-technical audiences effectively? We highlight the importance of technical writing and soft skills in cybersecurity. By mastering these, you'll stand out in an industry that values the ability to translate technical jargon into strategic insights for executives. We also dive into the necessity of understanding business fundamentals like ROI and taxes, helping you bridge the gap between compliance and real business risks. Tyler shares valuable advice on creative thinking, the adversary mindset, and the importance of finding personal fulfillment in work to stave off burnout.

The tech sector is facing a shortage of experienced professionals, and Tyler provides a compelling case for robust mentorship and relationship-based hiring. Hear about the absurdity of traditional HR requirements, like a Kubernetes creator being turned down for not having enough experience with Kubernetes. Learn why bypassing these outdated processes in favor of direct connections within the community can lead to better hires and stronger teams. With a focus on unsung heroes in cybersecurity and the critical yet unrecognized roles that drive meaningful impact, this episode is a must-listen for anyone looking to make a genuine difference in the field.

Support the show

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1: 0:53

How's it going, tyler? This is a long time in the making Several years at this point, I think right so it's fantastic to finally get you on the show.

Speaker 2: 1:03

No, happy to be here. Yeah, I'm horrible. Really hard to obviously get a hold of me and get me somewhere, and committed with the time without something coming up. So I appreciate all the patience and definitely looking forward to a quick chat and hopping on with you the patience and definitely looking forward to quick chat and hopping on with you.

Speaker 1: 1:21

Yeah, no, it's uh, it's totally understandable. Like you know, there's times of the year where I'm tempted to like hire an assistant right where it's just like holy shit, like I can't even respond to emails right now. Can I just hire someone to like just do that? But then's like it's not really worth it money-wise for the person you know. It's like it turns into a much more complex question. Then it's like all right, I got to find something for this person to do other than respond to emails.

Speaker 2: 1:48

No, it's a hundred percent. It's kind of like AI right now. Right, like, yeah, I could have an assistant, I could have an intern, but at the same time by the time I come up with a prompter, I come up with what to do I probably could have done what I was trying to have them do in the first place. So just not quite worthy yet. Yeah.

Speaker 1: 2:05

Yeah for sure. Well, tyler, you know, for, for the uninitiated in my audience, why don't you tell everyone you know how you kind of got into it, what made you want to get into security? Probably wasn't even called security at the time, right? But, like, tell me what that was like, right? And I kind of start everyone off there, because there might be someone listening that maybe has a similar background, right, and hearing that someone else came from that background and was successful in this field, you know, is maybe that one, that one little trigger for them that says, if they did it, maybe I can do it too, right? So what's your, what's your story with that?

Speaker 2: 2:45

No, absolutely, and I I love kind of your, your preface there of like getting additional people into the field that are maybe not traditionally into computers or IT or any of that nerdy stuff. Right, like I go, I go way back and the field really does need a little bit of diversity of who we're bringing in kind of outside of just security people and traditional IT. We still need those people but at the same time, like people with a background in business and understanding in psychology, real deep understanding in people skills and project management. All those pieces are fundamentally missing aspects that make some really great security practitioners and people skills and project management. All those pieces are fundamentally missing aspects that make some really great security practitioners. Whether that's offense, whether that's defense, wherever you're going, each one of those brings a very diverse and different outlook on how we view technology and how we solve people problems, technology problems, all those things.

Speaker 2: 3:36

So my background kind of goes way back to an early 90s, back when security wasn't really a thing. Pen testing wasn't a thing. There was some government agencies, some larger corporations doing. We didn't even call it, I mean military, called some of that red teaming, but prior to that we were just doing security. It was for curiosity, for fun. So I was doing phone freaking way back in the day, early middle school days, and my motivation was very different than most people's getting into this. Yeah, there was some curiosity and I was very interested in making things do things I wanted. But my motivation was to call girls. We'll be real, I wanted to be able to call girls for free and pay phones were a thing. We didn't have cell phones, we didn't have a lot of the technology we have today for easy communication, and pay phones were expensive, landlines took minutes and my family was not very well off. We were very poor. So I grew up in a rural community. You didn't have a ton of technology, so learned how to do phone freaking by getting on a computer. That my family's business. My grandparents owned a print shop and they had one computer with dial up and found BBS forums and printed off all the things I could find and did a lot of reading, learned how to break systems and do things that systems weren't intended to do, which I really did like it wasn't intended to do this, but we could make it do it.

Speaker 2: 5:03

You follow that through all the way up until high school and definitely got caught in high school doing some things and luckily I had a great system administrator there, my early freshman year system administrator there, my my early freshman year, and he took a risk and put me on a team of three that managed the, the high school network, for four years. We're talking, you know, thousands of computers, servers. We were doing a big transition. Uh, novell netware, uh, the windows domain, you know, dual boot stuff, uh, doing migrations on that, going from token token ring to Ethernet. So running wires, building computers, all that you know. All the way through high school I was running pretty much all that by myself.

Speaker 2: 5:43

By the time I was a senior and running a successful computer company while doing that in high school and, you know, playing sports and stuff. So the hacking stuff just kind of naturally went with that. We went through the Melissa virus, the I love you virus, all of the viruses, and I was kind of still dabbling in the underground side all my handles and communicating with all of the other people playing with back orifice and sub seven while trying to maintain the, the infrastructure side. So I was doing both blue and red or black back in the day and that kind of led up into a career where I tried a little bit of college. They didn't really have. They had some traditional security stuff back then but it wasn't really the offensive or pen testing that we have today. So I got an associate's but it took a little while to get through that because it was just boring and I was teaching everybody the stuff that we were supposed to be learning, so it was just not. And I was teaching everybody the stuff that we were supposed to be learning, so it was just not a lot of fun. And I went down a couple to Surpass, did some sand stuff and then doing that for long enough you learn how to do things a little bit different and think a little bit different.

Speaker 2: 6:49

And one of the things that I was fortunate enough to learn very early was sales and business. My grandparents, like I said, had their own business. I was 12 years old, you know out door to door selling, bringing a calendar, asking if they had orders or things they needed from my grandparents. So I learned customer service, had the computer store, learned a lot of very difficult customers and clients and those skills, the soft skills and, to be honest, all of the stuff I learned from a technical aspect give or take. It could have went either way. I needed to know some of it and I could have learned it at any point in a lot of different ways. And I think running your own network, running your own computer store all those things from a technical aspect were very important and laid the foundation of being good at the offensive and hacking world. But to be honest, my career's done so well and I've been very successful at what I do because I've learned business.

Speaker 2: 7:43

I understand how to speak business language, I understand all of the terms and what businesses need to be successful and being able to articulate that up the chain and down the chain for both technical people and management, so that they understand what we're trying to accomplish, and I'm able to provide the value.

Speaker 2: 8:01

And I think that's the thing that people really need to keep in mind as they're looking or not thinking about security as a role.

Speaker 2: 8:08

We really need people that have the ability to articulate, translate and interface the technical aspects into other languages and other understandings that are not just technical.

Speaker 2: 8:22

Technical people are not always great at project management. They're not always great at understanding business, roi and the difficulties of politics or interpersonal conflicts. They're not always great at the emotional intelligence side we're very logical people conflicts they're not always great at the emotional intelligence side, we're very logical people and so having multiple aspects of things that people wouldn't traditionally think of as security strengths per se for business roles, those have been the superpower for me that have allowed me to integrate in so many different teams, doing physical, getting involved in working groups and and government agencies and helping across multiple agencies and businesses, bridging the gap between public and private. Doing a lot of the work that I tend to do, both offense and defensive help, have only been able to happen because of the soft skills and additional things that I've learned how to do over the years that are not really tangible from a learning or certificate or technical aspect. So I think that's kind of the short version of some of the stuff I've done.

Speaker 1: 9:31

Yeah, it's really fascinating how you bring that up. You know, having a skill set of you know, like the business acumen, having that skill set of knowing how to kind of read a room and whatnot, I mean, all of those things are soft skills, right, and we're so bad at them. You know, a couple months ago I was giving a presentation to, you know, a room full of, like tech people and executives, and so I had to kind of like meet both, both parties, both mentalities, you know, in the same, in the same space, right, and there was a whole like string of people that were given presentations. I was by far the quickest, like cut and dry, you know, right to the point. And at the end of it the CIO only brought up my presentation, only said you know good things about mine and like only mentioned it, right, I was the only one that he was talking about and I just it's interesting because I think back to the different experiences that I've had that kind of led me towards that right.

Speaker 1: 10:36

And someone asked me you know how do you structure, right, a presentation on a technical topic to an executive? Like, how do you explain this? You know, deep technical topic to an executive to get funding to go and do this thing right, and that's something that I mean 98% of technology people don't even know how to do. And on, you know, on this podcast, I always talk about how to really like set yourself apart, right, because that's that's how you actually make progress, that's how you actually, you know, get paid, you know probably more than what you should, right, that's when you get a name for yourself and things like that, right, and so that's a really it's a fascinating way that you bring it up right, because I hear a lot of people just say a million different things, right, but the business side of it is probably the most crucial part that none of us ever have.

Speaker 2: 11:35

No, absolutely, and I caution a lot of the kids I do mentoring or internship or advisory for colleges or even startup businesses. I tell them if I could go back and redo what I did in high school, college or even just to level up, it wouldn't be. Go, take more certs, get specialized in anything. You can always specialize. You always should have some specialty areas and really be able to distinguish yourself from a technical aspect. But I would go and I would be learning how to write and I would be learning how to write both in business as well as technical.

Speaker 2: 12:12

Technical writing is a very specialized skill. It takes a long time. I was not a great writer when I started any of this. A very specialized skill. It takes a long time. I was not a great writer when I started any of this.

Speaker 2: 12:20

And to get even now, to keep and maintain your ability to technically write very brief and concise aspects that may be highly technical but can also translate over to the executive and be able to do both those in the same email or paragraph or report, those will be absolute distinguishers for you as a person. I mean same for the business. Go learn business, understand how business, language and money works and not just money. How do taxes and ROIs and marketing, how do all of those business entities integrate and work together and provide information back and forth? If you're able to do that, translate that for technical aspects and then provide business risk as well as the adversary's mindset because we'll go back to the specialty you also have to be very creative and distinguish yourself from everyone else by having that creative out of the box thinking, the adversaries mindset and the understanding of what actual business risk is versus what compliance numbers, all of the security that everybody tries to push with the FUD. What is the actual risk, what is the probability and priority that we can put on this because of an adversary's mindset and what are priority that we can put on this because of an adversary's mindset and what are the things we're not looking at because we're not being creative enough or thinking outside of our typical boxes of what needs to be tested and how security works.

Speaker 2: 13:48

Again, those are the ways that usually, if I get brought in, it's because this is a very difficult problem. It's a hard target, it needs a creative outlook or it needs the ability to be able to delicately navigate some political or emotional rivalry between different groups and still say the same thing and still provide the same risk, but in a way that is articulated differently, with some very, very good soft skills. So again, that's where you make your money, that's where you're distinguished. Those are the things that will translate over to a higher paying job, a much better opportunity and the ability to kind of go where you want, like when the demand is high enough that people just want you because of your soft skills and your capability for the technical side. That allows you a lot of freedom to be able to say no to things and or go highlight things that you want to do. That personally make you happy, because we'll go back to the day.

Speaker 2: 14:43

Burnout in this industry is huge and if you're not loving what you do and you're not able to appreciate the, the mission that you were devoting a lot of your time, money, resources, resources to, you're going to burn out much quicker than a lot of the other people.

Speaker 2: 14:59

And, to be honest, there are days that many of us dream of going and working landscaping or construction because the burnout is so real. But that requires you to be very honest with yourself and find those things that make you tick, and having a little bit of a distinguishing characteristic allows you a little more freedom to be a little more picky when you're picking jobs so that you can get into something you like and you don't have to go work at somewhere you don't love. We don't all want to die and get to 60 and wonder what we were doing because we burned out three times and three marriages later or something. That's not what the point of all this is. You got to be able to do and balance life a little bit, and that requires some freedom and that requires you to put in the work to go learn things that you may not be as comfortable with yeah, that's a.

Speaker 1: 15:48

That's a really good point. You know, earlier on in my career, really towards the beginning of my start in security, right, I I had a manager that, uh, it was a workaholic right, like to say the minimum like this is the type of person that has literally been hospitalized several times, even still to this day, several times for, like, mental breakdowns from the stress, right, and he, he like, ran his entire team into the ground. He was known for delivering a lot of really high quality work at the organization, um, but he was also known, on the flip side of that coin, for running his entire team into the ground and the turnover rate was on average. If you lasted 12 months there, you were ahead of, like everyone else. You were in the top 1% of people that have ever been on his team, right.

Speaker 1: 16:48

If you made it to 18 months, you were a rock star, right, and I remember working, you know, 80 hours straight every single week for probably eight months, and I get into a, uh, like a touch point with him and the first thing that he tells me is you're not working enough, you need to do more, and I was like I'm doing 80 hours a week, like, how much more is there Right, I'm getting my master's right now. You know I'm getting my master's week. Like, how much more is there Right? I'm getting my master's right now? You know, I'm getting my master's. I'm a full-time master's student and I'm working 80 hours a week. Right, and he goes. Well, you need to be going. You know a hundred, you need at least a hundred.

Speaker 1: 17:31

He's like I'm working a hundred, how are you not working a hundred? And I literally said to him I don't want to be hospitalized, that's, that's why I'm not working a hundred. And, uh, he, he told me, if I'm going to be successful on his team, he needs that, I need to be working more. And he told that to other people on the team too. We were all at 80 hours, every single one of us. There was 12 of us on this team and we were all at 80 hours a week.

Speaker 2: 18:01

See that's and this. This is what distinguishes a lot of the good companies now and people, places that have reputations for not being good places to work, like there is. You know there's, say, work-life balance does not provide the best place for people to be creative, for that initial inspiring team that allows you to do something different than anybody else is doing. If you're working 80 hours, everybody's burning out, everybody's at the same place you are, you're not creating anything great. You're creating something that everyone else is doing, maybe with people that are, you know, great, but not providing their best work. You want the best work. Like you provide life balance. You pay them very well so they don't have to worry about money and they have the ability to keep their head clear. They don't have home stresses Like this is counterintuitive to a lot of places. This is whyintuitive to a lot of places where the four day work week works. In a lot of places with high performers, we're always going to output really great work. We're always going to get what needs to get done. Done that mind and stressors in your life. Then creative comes out and then teams mesh and then what comes out naturally from those particular teams is something that is the magic People think it's the places that are just killing themselves to do that.

Speaker 2: 19:39

That has no value in this industry and we really need to make that not the norm. And the places that are doing it really need to be called out, especially the people that are doing it. They need to be trained as to why this is bad. Understand for themselves what happened in your childhood that makes you need to do this in order to feel that identity and feel fulfilled. And then why are you giving so much to these companies? Again, I love the companies Every time. I've done a lot of work for a lot of small places. All the places I've worked over the years have been basically family and we pour our heart and soul into them. But also, at the end of the day, I look back and there are times where that balance is out of order. The company cares to a certain extent. The company as a whole is a company. They're going to move on. They're going to make business and make money. That's what capitalists do. That's how companies run.

Speaker 2: 20:24

So just because you feel that loyalty and you feel the need to overachieve and provide something for the company, the company doesn't necessarily always do that in reciprocation in the same fashion that you do so, keeping those things in mind as you build those loyalties over the years and stay at places, understand why you're doing it, make sure your reasons are right, but also prioritizing yourself, your family, your health. You're no good to anybody dead. You're no good to anybody burnt out and you're not providing your best self, the the self that is unique to the industry, that provides that unique insight that you know no one else has, because no one else has grown up the way you have, with the same life experiences you have. That unique perspective is critical to wherever you're at, and so bringing the best you, with that unique aspect and mindset, every single day, that's what the world needs.

Speaker 2: 21:14

We need more people that are just good people, bringing their unique, not trying to be a clone of someone else, not trying to fill that imposter syndrome and go be someone else. Everyone's life and journey is at a different point. There's different chapters. Don't try and be someone else and don't try to fulfill that role. We really need the uniqueness of each individual person and I think the more that we start to make that the norm and realize that everybody is unique and brings their best self when they are themselves. That's when we start to get really good quality output, in whatever form that is.

Speaker 1: 21:49

Yeah, that's a really great point. There's a couple of really great points that you brought up there. I think it's always valuable to level set where you are within the company. It's not like you're the CEO and guess what? If you're the CEO of the company, the board can still fire you, right? You're not so valuable to the point where they're not going to fire you on a whim, right?

Speaker 1: 22:15

A good friend of mine, his dad, spent 18 years at AT&T, something like that, two years away from getting his pension. He was grandfathered into this pension thing and then AT&T a couple of years ago decided all right, well, we're going to try our hardest to get rid of these people that are going to get pensions, right. And so for the next, you know, year and a half, right, he fought really hard to just stay at the company, stay with the pension, just be there. He literally moved away from his family to Dallas because they actually thought, okay, if we just tell him that his job moved to Dallas for the next two years, he won't take it. He won't take it, we won't have to do the pension, it'll be great. And so they did that and he literally moved away from his family for two years to get this pension because he had worked towards it. You know, he kind of planned his retirement around it Right before he gets it. They let him go. Right, like they let him go. They figured out some reason to let him go. They let him go. I think it was like three or four months before he was going to, you know, get the pension and whatnot. And he I don't want to say he had to start over, but, like at a company, he had to start over. You know, he had to find another job, he had to go somewhere else. He no longer gets that pension that he was.

Speaker 1: 23:35

I wouldn't say that he was counting on it, but he was definitely being like, yeah, I'm going to get this chunk. You know, he was obviously calculating that in. You know, so, like, you're never going to be so valuable that a company like won't get rid of you. I mean, in fact, you know, when I was working those 80 hours with my team of 12 people, right, we were all told like a quarter into the year, hey, if you accomplish all of this, you know we're all going to get like giant bonuses, we're all going to get giant raises. Whatever you want, it's going to be yours, you know, we won't even have to fight for it. And we get to December, right, when they're, when they're telling everyone what their bonuses and everything like that, and every single one of us did not get a bonus. We didn't get a raise, we got a.

Speaker 1: 24:19

You should have worked harder. I know you accomplished everything that we set out to do, but you should have worked harder. You could have done more. You could have worked 100 hours a week, right, and literally like the next week. I put in my notice, you know, because, like, at that point, you know, I learned the lesson hard, right, because I like the company, the company felt like a family to me and it was, unfortunately, it was just this one manager that was like that. Fortunately, it was just this one manager that was like that, and I tried very hard to move within the company, you know, to avoid leaving because I actually liked it a lot and that didn't work out because there was just no openings on other teams, right. And so when that happened, when I learned I wasn't getting a bonus, it's like, oh okay, I learned this lesson very, very hard way, right, let's just go find something that, like, allows me to have a life outside of work.

Speaker 2: 25:09

Yeah, and those are great, valuable lessons. These are the lessons that I think need to be vocalized more, especially from the veterans that have been through some very hard lessons. We need the next generation to know that they have to put in the work right. We've got 15 second attention spans from TikTok generation and a lot of the kids are not wanting to learn how to learn or taking a little bit extra time learning how to learn. We want them to go through some of the hard lessons and put in the time as a sysadmin or learn how to build a computer and understand the protocols. Put in the time as a sysadmin or learn how to build a computer and understand the protocols. But on that same token, I've kind of changed my tune a little bit, because we don't have the luxury of providing or having that much time. We don't have a decade for these kids to learn all this, especially the hard lessons, and so, while it is great for them to have to go learn themselves and or fail themselves so they can figure it out, we need a lot more people in this industry and we need them very quickly.

Speaker 2: 26:09

A lot of us are getting up to our age. A lot of us have gotten burnt out. We have hundreds of thousands of jobs and fill positions that need to be filled, but with requirements that are just unfeasible. Now there's just not enough of us that started in the beginning. It's a time issue. We don't have that decade to kind of fill that time.

Speaker 2: 26:28

And so getting these lessons out there and articulating these lessons to the next generation so they learn faster, they don't fail as much and they can shortcut some of the things that we had to do, like what is the fastest way to get to the minimum viable knowledge while still learning some of those lessons, but maybe only secondhand, so you don't have to go through them and have five years of bad management and poor work and horrible health and all the things.

Speaker 2: 26:55

To get to the next job where you've learned that lesson and now you're doing better. Let's learn the lesson from someone else and start to translate those into the next generation of the people that are being mentored, make sure they're not making a lot of the same mistakes and short circuit some of this so we can get the next wave of people in here that are good at what they do, have some background, but have some background from the people that have been doing this and learned it very, very hard. I think those would be the things that really would be nice to get out there more, hear, vocalized more and even have places that people can talk about it and ask questions or be mentored and hear some of those hard lessons so that they understand and get some advice. And that's the mentoring platforms that I think are slightly missing. There are small communities here and there, but I think getting a lot of the veterans to open up about some of the shortcomings and failures and real hard lessons learned needs to be wider spread and more listened to.

Speaker 1: 27:55

Yeah, that's valid. That's very true because we do that in so many other areas of technology. True, because we do that in so many other areas of technology, right, like when there's a breach, when there's an incident, when you know something goes good or bad, I mean you're, you're writing down every single little thing that happened. It was like, oh, I typed this command, here's the result. You know all this sort of stuff, right, but we're not. We're not going out there and kind of like putting the work in. I mean I try to. I feel like when people take the initiative and they reach out to me and they ask for help, I then respond with that same kind of. I remember seeing the creator of Kubernetes. He was looking for a job, right, and he saw this Kubernetes security admin role, whatever it was at this company and they required 10 years of experience with Kubernetes. This is like six or seven years into kubernetes existing and this guy created it from inception yeah.

Speaker 1: 29:10

So he, he reaches out to this company because he was actually interested in working for the company, talks to the recruiter and, uh, they're like, yeah, we don't think you're a fit. Like you know, we're really looking for someone with like 10 years of experience with Kubernetes and he was like blown away because he's like I literally created it. Like I literally created it, worked for Google, did my time left and like this is all I know, like I don't know how much more experience I can get, and they turned them down. They turned them away at the HR door, right, and like that's just so. That's so insane to me and that still happens constantly.

Speaker 1: 29:49

You know I've been in security for 10 years, right, and I have like some top level certs, right, cissp, ccsp. You know I've had the hardest AWS security cert, right, that I just like lost all my hair over, right. So it's like I know what I'm doing, but then, like some of these hr requirements will be like you need 15 years in, literally in cloud security and I'm sitting here like when was aws invented? Because when was AWS invented? Because it has not been around for that long.

Speaker 2: 30:28

Yeah, it is one of those frustrating things, and this is when I do some advisory work for some of the startups or even when I'm counseling at the CISO level. It is one of the things that is truly frustrating. We have this huge shortage of technical talent supposedly, which we do. We've got, you know, a lot of. We just we've. There were only so many of us at the beginning. We've only gone so far with so many years of experience and there's only so many people to go around. So the requirements are out there and there's not enough of us. But, on that same token, there are a lot of really great candidates, people that, like you said, invented some of the stuff, like literally wrote the book on the thing that is being hired for, and they can't get past the HR door. Like, we've got to change. Hr has its place Traditionally. They do a great job and they do a job that fundamentally fits the old way of how hiring and recruiting and all the stuff had to happen.

Speaker 2: 31:29

For technical aspects, especially security, especially highly specialized skill, HR just needs to be taken out of the loop. There's literally no place for HR. There's literally no place for the software, the recruiting I can't say in the last for the software, the recruiting, I can't say in the last for highly specialized people. In the last five jobs I've not filled out an application, I've not seen the job posted. I've not went that way. I've went through a network. Someone knew a job, knew that I would fit, or I seen something or heard through my network that this place is going to be looking and it was through relationships.

Speaker 2: 32:04

Relationships is how the technical world understands, because it's a relational transaction in a technical form. You need to know that you can trust them. You need to understand that they know what they're talking about. And that's only built through experience of very longstanding projects or technical scenarios that have went down in which you've contributed to, and those aren't something that you can put on a resume. In fact, a lot of the stuff I do can never be talked about. You can't really put that on a resume. I can't tell you Classified or I can't tell you that's not something that I can actually say I ever did. Those things don't really work.

Speaker 2: 32:40

So you got to have those trust networks and really build that relation around the I would say around your community and the people that are getting placed in positions of hiring or building out teams and then making sure that you're passing that info and helping people get into those roles through those relationships. Because until we take HR out of this, until we take all the job posting and recruiting out of the technical aspect, it's not going to get fixed and it's not going to work. So keeping those relationships and getting people placed is literally who do you know, who does your friend know that knows you that you can actually vouch for and then keep doing good work at the places you're at. So you build a reputation, you build a name that can then be leveraged so that when you need a job you can just go look. You don't have to go look for job postings or boards. You've got friends out there trying to find and place you. Yes, there may be a job posting and the job requirements don't fit, but they can go around you and go to the hiring manager and put in a word and say you just need to look at this guy, Don't make him go through the hr. They're not get there if you don't have some of those networks like reach out.

Speaker 2: 33:46

Build those communities, find the places you can help and contribute, mentor, get into those those relations, spend the time networking. Go to security conferences, hacking conferences, go help in a community, a hacker space, like you've got to have that face time like I've been. It's been probably six years since I've been on the black hat like actual, you know attending talks or DEF CON. You know attending talks and doing stuff. I'm there to network, keep my community alive, help mentor the next generation, meet new people, integrate into other communities Like that's what the hacker cons are for.

Speaker 2: 34:21

That's what the hacker cons are for, that's what the security and technical cons are for is building those networks and relationships so you can leverage those at the point in time that you need those. And that becomes very important once you go to find a job. I promise, If you're not there yet, there's some hacks and tricks. I've reached out to some of the community. You know white text in there with all the keywords for all the jobs so that you get through the stupid HR robots and stuff. There's some tricks to get into some of the places, but really relations and networks is how this has to get fixed and until it's there, you're going to have to play the game a little bit and make sure your relations and networks are getting built better.

Speaker 1: 34:58

Yeah, that's very true. Done several episodes on the importance of building, you know, a reliable network between people and, you know, connecting with people in the industry and whatnot, the value that it actually gives. You know, and this podcast, this platform, right, very small in comparison to other platforms, sort of allows people that I would not normally know or hear about or anything like that reach out to me and say, oh hey, I like how you think about this. You know, can I get your opinion on this? I think you might be a great fit for this role, right, and that's happened a couple times now and kind of like throws me off guard every time. It happens now, because it's like man, if I didn't have this platform, you know, I mean like basically no one listens, right, I mean I don't have this platform, you know, I mean like basically no one listens, right, I mean I don't know how many listen. I haven't looked at my numbers in like a year, but you know, in my mind it's just a conversation between me and you. I'm not talking for 3000 people, and I think that's probably like what makes it special, but like I'm not thinking I'm going to get all these opportunities, Like you know, for instance, someone that I know that's a pen tester, reached out to me.

Speaker 1: 36:05

I'm not a pen tester, like not at all. I'm a cloud security guy, but I don't pen test to save my life, you know. And he reached out to me and he said, hey, I'm trying to pen test a cloud for the first time ever. I don't know Azure, I don't know GCP, I don't know any of this stuff. I need someone to literally just go in there and guide me around and tell me what to do, what to look for and things like that.

Speaker 1: 36:26

I mean, you know that that opportunity never, never, would have happened without the podcast, like a hundred percent, because, like he literally found me through the podcast, he literally came on the podcast. You know, like that's, uh, it's interesting. You know just how connections can be built through ways that you wouldn't even expect. But to maybe kind of shift gears. Tyler, I got to ask you, did you ever go and do any work for any government agencies? And I ask specifically because you're doing a very bad job of hiding all your challenge coins in the back there, and so I know what those are and obviously I can't see them clearly. It alludes to me that you may have, you know, done a little bit of work.

Speaker 2: 37:11

I do quite a bit of work with different agencies and have done work with different agencies abroad and home. So, yes, there's a lot of great working groups, there's a lot of great collaboration happening, public-private sectors that just people don't realize. You see a lot of the operations for DOJ FBI. You see a lot of the takedowns. You see a lot of ransomware pickups. You see people getting arrested all the time. That's not usually even just a government agency. In fact, that's usually public-private partnership where most of the private people with zero I would say zero accolades, there's no press, no one's ever going to talk about it. Those things are happening every single day and there's no press, there's no, no one's ever going to talk about it. Those things are happening every single day. And there's a lot of people, unsung heroes, all over the the world right now, that just are doing incredible work like I can't even tell you, like some of the people I get to work with on a regular, that just have saved the world literally multiple times and no one, no one knows, no one knows their name. They're not a thought leader, they're not some infosec superstar, like most of the people that are doing extremely good, valuable, meaningful, mission level work collaboratively in small working groups and then passing intel to governments that then handle stuff, or even doing and going and working with the governments to make sure stuff gets handled. These people happen and do this every day and you would never know them. They're no egos, very, very down to earth people. In fact, a lot of them have very normal day jobs and you'd be surprised at the level of technical aptitude and ability for them to not have an ego, because they never get any credit for anything and that's kind of the motto of a lot of places and people I do work for is there's never any credit and you just do the work. So those are the people that really inspire of the next.

Speaker 2: 39:12

The next iteration of who I am is where can I do work that doesn't get talked about, that is very meaningful and is actually moving the needle? Like to be fair, I say infosec and I say security and I say especially red teaming and offensive work. It's tainted. For the last decade it's been very, very, very rockstar-oriented, very varsity. Why are we not highlighting the work of blue teams, the people doing all of the hard work and securing the things that we go break? We've not been or done a good job of helping the blue side. We've got some purple, but we'll be real.

Speaker 2: 39:49

The egos inside of the offensive space, the red team, they're not superstars. It takes a ton of work to get there. Yes, it's hard, hard work. You got to know everything about everything and really understand how everything works and be able to build it all and tear it back down and get real deep understanding. But people have to do this day-to-day grind. We break stuff and pass it off over the decades. That's broken and so I've really burnt out on the industry of just seeing all the companies and startups and big names getting lots of money and lots of startup funding and not doing anything.

Speaker 2: 40:24

That is actually moving the needle. We've not seen ransomware go down. We've not seen tax go down. We're not protecting ourselves that much better. There's always new stuff coming out and I love to go break stuff. I love to find new stuff. I like to go find O'Day as much as the next red teamer.

Speaker 2: 40:37

But until we start to responsibly do that, help the blue team build collaboration and facilitate relations that are meaningfully securing the world better, so that mom and pop shops aren't going out of business because they get ransomware, I've had to adjust and put my energy and efforts and kind of go under the radar more to help the places that are doing good work. And there's, like I said, those unsung heroes and people doing the meaningful work. No one would know, you'll never know and just it's good places to kind of find ways to really bring some meaning back into your life once you've burnt out a few times. I don't want to discourage anybody from getting into the field and going down that path, but find places that are doing good, meaningful work outside of just making a dollar, building a product. Most of those things we've been doing this.

Speaker 2: 41:31

I've been doing this almost three decades now and it's not like there is literally nothing has changed.

Speaker 2: 41:37

It's the same as it was 10 years ago, as it was 20 years ago.

Speaker 2: 41:42

We've not moved the needle that much. There's just more things to look at, more things to do, more things to secure, and we've ever increasingly made this complexity that is causing more and more issues and more and more vulnerabilities and no one can seem to keep up or get ahead. So have we even done anything better for society? Have we created anything that is actually meaningful? Are we securing things that are meaningful and building things that are better in the world. I'm at a place where I don't think we've done a great job there, and so I think finding things and places that are doing real good, meaningful work outside of what they're building and contributing that and allowing their employees to do that more and more, I think those are the places that you'll see talent get attracted to and you'll see the veterans that will then mentor the people inside that company, and so finding those places so that you can get mentored or become one of those veterans to mentor like those are the places you really have to look for and they're very hard to find. Like get real.

Speaker 1: 42:41

I'm getting real picky with with where I work and why I work there, so yeah, you know I I think it kind of goes back to what we started with was having those social skills, right. I feel like you know you always hear about the offensive guys, right, like you see, you know, odeh going on Sean Ryan's show. It's like okay. Well, you know when.

Speaker 2: 43:07

Who's writing the Yara rules.

Speaker 1: 43:09

Right? Who's contributing to this Right? Who's the guy that's the Yara expert at your company that's underpaid, that just spent, you know, 80 hours trying to script it out in a language that you know most people don't even realize?

Speaker 2: 43:25

exists and not break anything, because no one and they're the ones that get blamed soon as something breaks. It doesn't matter if the pen testers break it or the red teamers break it. That's part of their job, it's fine. Yeah, they don't have to be careful, or as careful I'll be real. Like there's stealthy operations, there's good red teams. Don't discount me, I'm a red team, I'm offensive guy, I get it.

Speaker 2: 43:42

We, we do good work, but we don't take the same care that a lot of these places have to understand the scalability and we really are at that like varsity football, quarterback right, like no one's given that that outside the, the center blockers, any, any credit. They're the ones protecting the quarterback. Like, okay, you made the, the throw, but did anybody look at who you know made that throw happen? Because they blocked and the entire team you know managing and handling all that. The offensive team is like the quarterbacks. They've gotten the credit for so long. They're doing the one play that makes a big thing, but there's a lot of work that goes into doing security and the blue team.

Speaker 2: 44:18

Just, we just really need to stop idolizing the hacker mindset. Well, change that, because hacker, I believe, is the creative. We need to take back that word from from the criminals, like hackers, are the creative side. That, I believe, is good the the criminals. We really need to stop idolizing the criminals, stop making characters out of them and giving them fancy names.

Speaker 2: 44:40

Why are we not highlighting and idolizing the people that have to protect against these adversaries? And let's make the varsity team the cool kids. Let's make them the blue team again. They're the ones doing the hard work, they're the ones putting in the effort. What about the people that are building this technology and coming up with all the new stuff, rather than the people breaking it? Let's make sure we're idolizing and really bringing back the, the industry, to the things that matter, which is, we creatively build things that just no one thought could be done, and then the breakers like we'll be real, like it's hard to break. It's very difficult to understand all the technologies all the time about all of the aspects of everything But's highlight their work rather than the cool thing that we just did, and that goes back to the ego and being unselfish and getting a little bit more empathy around each other and promoting each other, so that we're doing the right thing for the right reasons.

Speaker 1: 45:52

Yeah, it's interesting because I've never been on the other side. I've always only been on the blue team, right? So, like I'm used to like no one knowing my name. If you know my name, it's a really bad day for you. Basically, you know, and I'm I've always like kind of played that that more, I guess, like business centric, you know, blue teamer, where it's literally like hey guys, you know, I, I have this sledgehammer over here, right, like this is fully approved, I can use it whenever I want to. I really do not want to because that makes me, you know, having to do a lot of work. Right, how about we just resolve these vulnerabilities, you know, and that actually gets a very positive response, right, because I feel like a lot of these people they're used to dealing with people that either are that sledgehammer or they are someone that doesn't know how to vocalize.

Speaker 2: 46:49

You know the importance of this vulnerability being resolved and whatnot, and so I have a good that goes back to our original side right, like if you don't articulate it in a language that is understood, that's you know business, that's risk, that's dollar amounts, that's you know brand reputation, like the things that matter rather than the technical aspect of you know I can pop a sequel injection vulnerability that dumps a database table that gives me all the hash password, like okay, the ceo's.

Speaker 2: 47:16

Like what does that mean to me? Is that money? Is that risk? Like what is, what is the business language? And once we learn how to articulate that right like, that's when it becomes a much better conversation. And if we can take ego out of that even further and get you know, highlight blue team's ability and really address root cause and root cause analysis of these things, that's when we start to change companies and companies become better. But that starts with people and that's relationships and that's laying egos down and all the things that are becoming very difficult, uh, for a lot of people in this day and age.

Speaker 1: 47:54

Yeah, yeah, absolutely. I mean, we really kind of took the audience on a journey here, right. We kind of gave them a blueprint, so to speak, without saying it, of like you know really how to be successful, how to like stand out in security, right, Like we talked about maybe the key area of security that no one else really has, which is that business aspect, talking to people getting that buy in, Right.

Speaker 2: 48:22

Yeah.

Speaker 1: 48:22

Making the connections, getting those skills that not everyone has, and becoming marketable. You know, I mean, you can't ask for much more than that. If you do all of those things like, you're going to be successful. Like there, there's no doubt about it. It's not a, it's not an if, it's a when, and you have to be very, you know, persistent with it as well. Well, you know, tyler, unfortunately, like we're at the top of our time here and I'm, I'm very, I'm very strict with you know, when I tell you we're going to end at a certain time, we're going to end at that time. But yeah, absolutely, man, it's been a real pleasure. I really enjoyed having you on.

Speaker 2: 49:01

I'm definitely going to have to have you back on Not a year hopefully.

Speaker 1: 49:05

You know, I had Jack Presider on and he literally told me he's like hey, man, it took you 18 months to bring me on. You know how about, like we make this a little bit more frequent, right? Don't make it a year like, make it like six months, and I've done a terrible job of following up on that and so I need to like have more guests come on regularly. You know, I think that'll be a good flow or addition, right.

Speaker 2: 49:34

Yeah, absolutely. This was definitely not the technical interview of any kind. That usually happens in some fashion, but I think from a business standpoint, you pay attention to this. This is how you build good teams. This is how you find and recruit talent from leadership. This is how you really aspire and motivate teams to do better, be better and get to a place of being better and those coming up. That's how you get a good job and land at a good place that are doing these things and hopefully they all paid attention and got a little bit out of it. But yeah, let's do it more regularly. We'll find a couple interesting technical topics and see what I can talk about at a particular time.

Speaker 1: 50:09

Okay, yeah, that'll be awesome. Well, tyler, before I let you go, how about you tell my audience where they can find you and maybe, if you want to give a shout out to your company or any work that you're doing right now?

Speaker 2: 50:33

No, I mean anybody can reach me on Twitter X, whatever it's called now LinkedIn I think it's Tyler Robinson, it's always my name in some form or fashion Security Weekly podcast. I'm on there once in a while. I've kind of taken a step back, like I said, to kind of prioritize and highlight some of my stuff. A lot of my work is outside of those communities, but feel free, if anybody's looking for mentorship, looking for communities to get involved in, has questions, you can always find me on Twitter or LinkedIn or I'm sure there'll be a link in the bio there with a couple of my handles. So reach out on one of the 500 platforms we have out there today and I'm usually pretty good at responding. Sometimes it takes me a while, so please be patient, as Joe knows, but I do try and respond to everybody and make sure that I get back to you. So I appreciate everybody kind of hanging out and listening. Like I said, don't be scared to go, get involved and find someone that has done this for a while and learn something from them.

Speaker 1: 51:21

Yeah, absolutely Well. Thanks everyone. I hope you enjoyed this episode.

People on this episode

Joe South

Host