Security Unfiltered
Master The Fundamentals, Then Change The System
We trace a journey from a teenage online threat to security engineering at global scale, exploring how deep fundamentals and distributed thinking shape reliable defenses. Along the way, we unpack certifications, teaching at scale, and building a practical path for learners worldwide.
• curiosity-driven path from fear to purpose
• foundations before security: systems then networks
• depth of concepts vs surface knowledge
• thinking at scale with distributed systems
• threat modeling as a constant that endures
• learning the why behind legacy architectures
• community building through a book and courses
• coding confidence for security practitioners
• practical framework for choosing certifications
• direction over collecting badges
• reflecting on progress and resetting goals
• links to connect and learn more
Use the code security50 to get 50% off the upcoming cybersecurity bootcamp at learn.thecyberinstructor.com
SPEAKER_01:How's it going, Karan? It's great to get you on the podcast. You know, we've been trying to schedule this thing for a while now, and it's been completely on my side where I've had to reschedule last minute and everything. So I appreciate your flexibility with, you know, still even wanting to come on. You know, I know that it's probably frustrating for a lot of people because it's just my life is crazy right now with two little kids and then a sick guinea pig, it's just like crazy.
SPEAKER_00:Yeah, no, no worries, man. I appreciate I love being here and you know, things happen, right? It's just you know, it's like a live demo, I call it, right? When you have to present something, yeah, the chances of something like going off from what you planned is is they're high. So it's totally understandable. Like I hope things are better now.
SPEAKER_01:Yeah, things will things will always go wrong when you're doing it for real that one time, you know. Like it always works in your pristine lab environment, but uh as soon as you start showing people, you know, just starts acting up. Exactly. Yeah, so Karan, you know, I was really I'm really interested in your journey, right? Because I I feel like I feel like it's pretty unique in some ways, and it's not often that people want to give back to the community, and you seem to be doing quite a bit of that, right? And so it's always interesting to me to bring people on to hear kind of their journey with how they got to where they are, right? So what does that look like for you? You know, take me back to you know how you got interested in computers, right? And how you even made the pivot into like cybersecurity. What did that look like, you know, and all that sort of stuff?
SPEAKER_00:No, yeah, happy to chat about that. So I don't think I've shared this a lot with a lot of like in in a lot of public places, I think maybe once, but I got into security because I was basically threatened by somebody online. I was like teenager, right? Like just using like social networks at the time. You know, people used to post a lot of things that are good or not good. So I think one fine evening, somebody like I have I didn't know this person, right? Like, so there was nothing, you know, there's no history. And the person just claimed to like, oh, I can take over your profile, like things like that, right? Just I don't know if they even like meant it or they knew how to do it, but like just just just the the claim that, oh, this person is claiming to do so got me like two things, right? It got me scared, but it also got me super curious. So I actually remember like that night I was like up, just literally researching, right? Like, okay, how is this possible? Like, what are exploits and like what are vulnerabilities? Like, and you know what? Like, it just kind of one thing led to the other. And I started like, I just never stopped from that. Like, like the idea that you could figure out vulnerabilities and exploits and systems that people don't know and like use them both for good and bad, right? Like, you depending on how you're oriented, I guess. That idea was really intriguing to me. And I obviously like, you know, definitely on the good side, right? I was like, I don't want people to go through this ever again. Like what I went through, and like that, that that fear slash like this the feeling of helplessness, right? How how do you defend yourself? So I made it like a, you know, one of my ideas was I don't want this to happen. I want to protect people and systems at scale, right? Not just one or two or ten. It has to be at scale. So this idea started forming in my head very early on, right? 
This was, I don't know, less than 15 years, maybe even less than that. I don't exactly remember. But that idea just never left my head. That, okay, like if this happened to me, it can happen, or it might be happening every day to somebody, either knowingly or unknowingly. So that was a trigger, right? A starting point. I was just interested in systems and tinkering with them anyway. But this the pivot to like, oh, there's something like security, and there's there's something like cybersecurity. Because we all knew as kids, like physical security and stuff. We see that. But the cyber aspects weren't uh, you know, at least to me, they just came at that that instant. Very, very clearly remember. So that's how I I I don't know, accidentally got into it if I if I recall it, but that really shaped me very like personally and professionally. So I started figuring out like, oh, who's in this space? And we are talking about an era, like you and I both know, right? Where HTTP was the common protocol and everything was plain text, right? This is like dot com bubble time frame. So there's no such thing as, oh, if something is secure, we see that green padlock, we're like, oh wow, that they're doing their thing. So you know, I started exploring like chatrooms and DNS and things like that. Just okay, this exists. Like, so how am I reaching this website? How is this working? You know, at some point I actually started writing all the domain names, and I know that's a weird exercise to do, but I'm like, how many of these exist? Let me try this. Again, somebody who did not know DNS at the time would just explore, right? Brute force my way. But then I learned, oh, there's this registry and there's like millions, so there's I could not have written them in like any amount of like reasonable time. But you can kind of see the common things is is the curiosity-driven approach that a lot of us are in in this field have sprung up from the very beginning. 
And then what I started doing was, hey, like I want to learn this from the foundational level and not just like the surface level. So I said, you know, I I want to study computer science. I want to go deeper. I want to understand how systems work, how networks work. So I did a you know, a bachelor's in computer engineering and computer science and engineering. And then, you know, I started working. I was a software developer for like a year or two. And then I realized that's not enough. I was just not getting it. Right. So I was like, no, I need to study more, I need to know more. It's why I actually did a master's in uh information security. Once I did that, then I came to like a bunch of companies in the Bay Area and stuff. So I started working. So tying the journey together on your question of how it all started, that was how.
SPEAKER_01:What do you think might have been the tipping point? Because you're you're doing security engineering over at Google now. And, you know, so personally, I've actually interviewed for you know product product lead security roles at at Google before. It obviously didn't work out, otherwise we'd be, you know, talking on a different medium, right? But you know, it it it takes quite a bit of work to get to Google. They don't just hire anyone and everyone. You know, they they really only want the very best, right? And I, you know, I always got the feeling too, whenever I've interviewed with Google, that they were more concerned with your level of knowledge and how you know customer-centric you were, rather than fitting, you know, your responses into some format that you know something like Amazon would require, right? I mean, like I've never been, I've been heavily coached for Amazon interviews, right? And they they I mean they just drill it into you, this STAR format, and you know, these are the kinds of things that you want to be thinking, and all this sort of stuff, right? I mean, like my notes for my Amazon interview are substantial. It's probably the biggest OneNote page that I have. But with Google, and maybe things have changed, right? But with Google at least, they were like, look, we prefer it in the STAR format, but it needs to make sense to you when it's coming out. You know, you shouldn't be trying to force yourself into this thing, right? Like, this is what we're looking for. We prefer the STAR format, and then just go with it, right? How did you how did you make that jump? Do you think that it was your master's necessarily? Or what was maybe the turning point in your own training and education that brought you to Google that you think that maybe just like took you over that edge? Maybe, I mean, because it's honestly personal curiosity, right? Because I'm wondering myself like what it would take.
SPEAKER_00:No, no, I get this asked a lot. And then I've been asked a lot of a lot of similar, you know, worded questions in the last like almost a decade. Because I've been here about eight years now. It's been a while. So obviously, you know, like people don't comment on the hiring stuff too much outside. I always like, you know, I I've written this in my book as well on like getting started in security and stuff. But essentially, like, if you ask anybody these type of questions, it it's, you know, I don't want to make this like a really like, oh, a huge thing. What I want to say is I think for me, what I felt like was the key to really not just this role, but like even my previous I was at Yahoo before, I was at Honeywell before, and I've like obviously interviewed a bunch of other FAANGs and like gotten a yes and then said no and stuff like that, right? So fair to say that I've kind of like walked through several different processes. So what I observed was like basically, Joe, I think what I figured out was it's about that commonality of concepts. So figuring out that it's one thing to understand, you know, it's one thing to know a concept, but it's another thing to understand it. And then it's another level to deeply understand it that you can actually change it. You know what I mean? That's one aspect. So, like, you know, you can pick up any simple example, pick up any protocol or pick up any like technology. There's there's different levels of depth of understanding. And I think it's about mastering the fundamental concepts in a way that you can not only apply them, but you can critique them and figure out how to make a change such that it opens up a new way of using it or it overcomes gaps, right? So that's one part. The second part in as I talk about, you know, I slightly alluded to this concept of I want to help people at scale, right? I want to help a lot of people, and a lot of just the impact should be high. 
That sort of aligned with companies like these FAANG companies, other large-scale companies, because they have the scale of users, right? Products have billions of users. So if I have an impact there, it's gonna directly affect that many people. So that was my thinking of why these types of companies, why why internet companies, right? So one of the other aspects is very important, I feel, which people don't focus on in the beginning for good reason because they're learning, is how to do things at scale. It's a very different concept. Very simple example is when you solve a problem using a for loop, right, it can only go so much in a certain amount of time, right? You you can do I don't know, 10,000, 100,000, and the moment it goes further, right, scale comes up, you have to start thinking differently about problems. This is why a lot of companies, I think it was Yahoo who came up with this idea in 2003 over 2002, right? The whole idea of MapReduce, if you remember, right? How you can distribute, like it's a very different way of thinking in that era, right? Oh, we are not doing this sequentially. Well, guess what? We're distributing this uh problem to different like machines, right? So we are like first we are mapping it and then we are solving that, reducing the problem, and then putting these together, right? And guess what? It works at scale. So just that shift, right? Like thinking about those problems at scale changes how you approach them, right? And you and any one of us cannot actually make that what I call as mental leap to think differently if your concepts are not very strong. Does it make sense? So it's not rocket science, but it's about the depth of like knowledge and the depth of understanding. So three components, right? I always talk about this when when people say, Oh, how do how do we start in security? Right. One is knowledge, obviously. Second is skills, third is experience. 
So initially, like when you and I do understand anything new, we don't have the skills and experience, right? So that's out. What do we have? Knowledge. With the knowledge, we build skills. And with the skills, we get experience, and experience feeds back into both. So it's that cycle. And the deeper you go, the better you are. That's kind of what I realized early on. So there's no textbook that says, like, here's how you do things at scale. I mean, there are some that solve, you know, technology at scale, and they talk about that. But it is really about like that, it is about understanding concepts about understanding them at scale and applying them at scale, right? And which is why nobody like teaches you this stuff. Like it's after a while, you know, if you do like even a PhD, right? There is still like something you need to do extra on top to build yourself up, right? To be able to be useful for these folks who work at scale, right? And that diff is a personal thing people have to figure out, which is why it's hard, I guess. That's what I hear from people, right? Does that make sense? Like I'm trying to put it very simply.
SPEAKER_01:No, that that makes a lot of sense. It's interesting how you explained it, right? Because I've I'm definitely going through that myself with my PhD, where it's just, you know, I'm getting it in deploying zero trust into communication satellites to prepare them for post-quantum encryption, right? So I don't know anything. I mean, I still feel like I know nothing, but I knew a whole lot less going into it about satellites and quantum. I knew zero trust, you know, like I use it every single day in all of my jobs for the past like 10 years, right? But still didn't know anything about two-thirds of the topic for my PhD. And so it's interesting how you how you explain that because it's like you're laying that knowledge foundation. And as I'm going along in my own research, you know, I'm saying to myself, oh, how long does this command take? Right. Because the length of the command, the power consumption of the command that it requires, right? All those things play into key factors with the satellite. And then it also has to be fast enough to support post-quantum encryption because quantum is very, you know, sensitive to timing, right, in in those ways, right? So it's it's fascinating, right? Where I'm I'm like building the foundation and then I'm saying, oh yeah, I need that, I need that number or that requirement for quantum over there. Let's just plug it in. And I don't need to know the insane amount of quantum knowledge out there, right? Like I'm sure if you ask me to explain quantum, you know, cryptography, right? Like I could get you, I could get you the fundamentals, right? But I'm sure someone with that expertise that's actually getting their PhD or doing research in that area would be like, you're an idiot, you barely got through it, you know, and they're not wrong, right? But I also don't need to know the intricacies. I need to know the different operations, I need to know the different time requirements. 
I need to know, you know, if this laser is going through a cloud, what's the you know, differential that we're gonna get at the other end, right? Like stuff like that. And it's only as I need it. So it's almost like you're you're building the plane as you fly, but I feel like you have a lot more tools, you know, while you're building, if that makes sense. Yeah, and it's a little bit also with your own analogy. You gain more as you go.
SPEAKER_00:Yeah, yeah. I was gonna say it's also a little bit of a self-exploration. And I you had you had a little, you alluded a little bit in the beginning about like community stuff. I think one thing there is you learn a lot from other others, right? This is now, we are in an age where information is easily accessible. So there is no reason for anybody not to know something. The initial, at least the initial part, right? You pick any topic today. Let's say you and I don't know anything about geology, right? We could we could go, we could read. In a few hours, we'll know something. But the difference between us and somebody who has done it for a decade, like us in security or more, right, is the fact that they've seen and and gone through a lot. So they have that experiential differentiating factor, which a simple query cannot like help us stand out. And when you do that at such a scale where you know the all the global rocks and all the sort of formations, now they're really standing out. So it's that second part when applied to security makes you stand out. That makes sense.
SPEAKER_01:So, you know, talk to me about security engineering at Google because I feel like it's almost like a totally different field compared to the rest of the industry in security engineering. I've been a security engineer for you know 10, 12 years at this point. But I feel like it is completely different because you're dealing with, like you said, billions of users. You know, even just like simple Chrome patches, I feel like you're you're using something different. You have a different format of pushing out, you know, all those updates, even, right? I mean, that's just me completely being on the outside, you know, speculating, right? Talk to me about what it's like to do security engineering at that kind of scale. What are the unique challenges that you have?
SPEAKER_00:Yeah, so I'll preface this by saying obviously I can't share internal stuff, right? Because again, personal experience. So let me talk a little bit about the part of your question that says, like, how are things different at scale? I think that's a really good question. And I think it's a common theme across a lot of places right now. So one aspect which I already alluded to is the way you approach a problem at scale and not at scale are very different. I I gave that for loop example. But if you apply that to how how you even store data, where you store it, what sort of consistency do you need, right? So again, I'm gonna go a little bit deeper because I think this people might like this, at least some, right? When you go deeper into how do you it's a simple example, how do you even store data and maintain it across the board? Guess what happens, right? You start, security now becomes a thing where it's really relying on your distributed systems working correctly, right? So how do you reach consistency? Are you looking for eventual consistency? Are you okay with something in the middle, right? It'll impact your read and write at that point. And if you get the wrong information, right, from a from a place where you read it from, it's gonna impact the decisions you make. So as you see, fundamentally, I think the way I've seen it across the board, right? Like wherever I work, is the fact that it not it's not just about security engineering, it's about good engineering fast, right? So having a good way to scale data, machines, system, and that includes your updates and patches you talked about, really are the building blocks. So the fundamental shift I'm trying to communicate is we think of securing like things as we always think about one machine. How is like authorization happening? Okay, the user signs into this website and does this. We're always having this idea of one laptop and one server because it's that's how we are taught, right? 
But it's generally not the case at scale, right? The scale is different where you can actually have a front end that actually redirects, load balances the traffic first, right? Which then redirects to an authorization service, maybe, which then talks to some other database at the back end, right, which authorizes, which has a key signing thing. You see how quickly it becomes complicated? The major like key idea with securing things at scale, not just at Google, but like in general, is having good engineering that lets you accomplish like things that are not otherwise possible through one system. Right? You'll face bottlenecks really, really quickly. So that is, I think, uh a very, very key and foundational thing I've seen across the board. So you'll not believe this, right? Uh whenever like I work you know different at these different places, whenever I have, I've spent a lot of time understanding the tools and technologies. First few months, I'm like learning. Literally, like, so how do you do this? Right? What is your system for like storing like passwords, right? So how do you rotate them? Like what methodologies exist? How do you prevent like DoS? Everyone has their own tech, right? And if you look at and if you kind of make a gist out of it, how they have solved that problem is really like splitting components, distributing the problem across the board, and then combining the results together, thereby solving it at scale. They just call it different names, right? They have different interconnections. So once you understand this, right? That's why I didn't go into security right away. That's why I said it is important to first understand tech and how tech is done there. Then you add the security layer on top. So then you say, oh, now I know the flow of user request. What happens at each layer? And then you start threat modeling. 
So some of the things that I've learned, I would say, is your your again, your basic ideas of how do you do threat modeling correctly doesn't change at scale. It doesn't. It's just it's the same concept. That one has zero change, I would say. Almost zero change. Like there are some aspects that change, obviously, where are you grading this correctly? What sort of, you know, how do you like assess this risk and stuff? When you actually write it on a diagram or a drawing board or whatever, right? That doesn't change. And I want to get to the part that doesn't change eventually. And that is the fundamental difference. So you go from learning the tech, you go from your concepts to learning how they solve problems and how they build their tech infrastructure and stuff like that. And I talk about any company here, by the way. And then you layer the security thing on top. And then you zoom in to the point where you can say, oh, now this is my textbook problem, or like this is a problem I can write it on paper and solve it without the variations of scale. And then you scale out. Does this make sense? But it's a little bit complicated, but I'm trying to describe how I think about security at scale, right? Not just how Google does it, by the way. This this has nothing to do with Google, but how you can think about at scale. And this fundamental building blocks don't change. So you have to get to those blocks that don't change from the blocks that have changed. And this is pretty abstract, but if you think deeply, this is true from what I've seen.
SPEAKER_01:Yeah, no, it makes a lot of sense. You know, whenever I go into a new environment, like you said, right, and now I'm more on the professional services side. So when I go into an environment and I'm talking to, you know, the people that built the systems and whatnot, I'm asking them, hey, why did you do it like this? Right? I I'll give you an example. I was working for, you know, a really big company. And my purpose was to not only learn this other individual's role because he was retiring at the end of the year, yeah. But also to identify areas of improvement, you know, and things that we could be doing better internally, you know, that he may have owned, right? And so he designed this entire I can't rem I cannot remember the name of it. Microsoft coined the the term or whatever, and this company paid Microsoft a lot of money to come in and build it all out for them and everything. But it was, you know, just basically like a true zero trust environment, completely sequestered, only a handful of IPs allowed in and out, and everything else like that, right? Like it's like the most highly secure environment that you could find outside of the government, which made no sense because they didn't have like top secret information or anything. And so it was a very old way of doing things. It worked, you know, it worked kind of barely, but it worked, right? Yeah. And so, you know, the first thing I did when I came in was I didn't tell them, hey, we're gonna tear this whole thing down in 12 months, you know, and and build something better. The first thing that I asked them was, hey, what was the mentality behind all of this? Why did you do it? What happened to make you want to do it like this, right? Why did you put everything behind three firewalls and you know, have like these special laptops with these special certificates on them to get in and all this sort of stuff? Like, why did you go down that route, right? 
And he talked to me about the breach that the company actually had that led to where the the hackers were able to just get through the environment unvetted, unfiltered. No one really knew how to stop them or anything like that. You know, so it it reinforced the decision that they made to actually build it like that because they're like, well, we're gonna put all of our crown jewels into this environment. There's only gonna be five physical laptops in the entire company that can get into this environment that have the certificates on it, and then it's a special account and special MFA and all this sort of stuff, right? So I understood it a whole lot better, right? And then from there, I was able to actually like truly solve problems without ruffling feathers and whatnot, because it's like, hey, this is great, this is a fantastic architecture. You did a great job, man. This is what I'm thinking for like phase one of a new iteration, right? Like coining it as that, so I'm not offending this guy as he retires, you know, taking away or rebuilding his baby, so to speak, right? That's an important factor whenever you go to a company is to just learn as much as you possibly can, you know, and go into it with an open mind, even even now in my professional services, right? Like whenever I see something, and this literally happened two weeks ago, I'll be on the phone with a with a client and they'll be going through their environment and they'll say, Oh, why don't you check this menu over here? Right specifically, it was in GCP. Like, hey, let me see this, let's see this network, this network segment or whatever it might be. And, you know, immediately I'm seeing, oh, this is open to the world. Hey, do you guys, is there a reason why it's open to the world? Because, like, from my point of view, if I'm seeing this without seeing it through your eyes, this is gonna be a critical on my report that I create. Right? Like, this is top of the line of what you need to resolve. 
There's no point to it, it's open to the public, it doesn't need to be, all this sort of stuff, right? And then they gave me the background. Okay, from that background, let's build in a solution. I understand why you did it. It's not gonna go on the report that same way. Let's resolve it right now. You know, that's a much easier and different conversation to have at that point.
SPEAKER_00:Yeah, exactly. And I think I think I skipped one of your earlier questions about like how did you start about the helping the community parts, but I'll probably get to it at some point. But uh, you're spot on with the background part, which is why, like I would say this doesn't even apply to companies, even it can apply to your personal projects. So the way you operate is with curiosity. And again, I'm tying this back to question number one you asked me. So because I was curious about can this person really do this? Like they are trying to like say, Oh, I can take over your profile. Like, how is that possible? If so, like how long can they have access? What can they do with it? Right. It's that same idea applied to a role, a job, or a project. Yeah.
SPEAKER_01:Yeah, absolutely. So I'll I'll talk about my journey a little bit with trying to give back to the community a bit. Right. Because it's a it's an interesting thing, you know, to have it in your head, like, oh, I can give back, I can provide value and that sort of thing. You know, before going into it, I always felt I don't know enough to give back, right? Like I don't, I don't know enough, I'm not knowledgeable enough, I don't have a name, I don't have a brand, you know, all these things. There's a million doubts that go through your head going into it. The one thing that kept me going down the path was the constant questions that I would get on on LinkedIn, right? Hey, how do you get into cybersecurity? Is this certification worth it? Do I need this? Do I need to go get this degree? You know, all this sort of stuff. How did you make it happen for you? You know, and that's when I started to realize, like, okay, you know what, like maybe there's value in my own experience and whatnot. Like, let's let's dive into this a bit more, right? And so then from there came different courses that I created, came the podcast, the blog, you know, everything that I'm doing now, right? Like all that was like seven years in the making from today, or seven or eight years in the making, right? What was the tipping point for you to say, like, I know you had that experience, but what was the tipping point for you to say, you know, maybe, maybe a course is the right way to go about this, right? Or maybe whatever it might be, right? X, Y, Z, blog, podcast, whatever it is. When did you say, okay, this is what we gotta do?
SPEAKER_00:Yeah, I I think there's it was a little bit gradual, as in it's a mix of like what I saw, like you mentioned, like questions, but also where you find joy. And this goes a little bit personal, but this whole podcast is personal, so why not? Right. Discovered that, like, you know, as I was working throughout my career, like different places, you get a lot of satisfaction. You know this, right? You solve a complex complex problem, you get a lot of satisfaction. You're like, okay, I was the one responsible. You know, you know what I mean? Yeah. You get that. And then there's a different level of, I want to call it happiness, right? That you get when you help others who solve problems. And then you're like, you know, I'm like, I'm contributing to this person's life now, right? They are they're growing and I'm seeing that happen. And they come back and say, you know what, thank you. I saw the difference. Like, you know, thank you for mentoring me and thank you for helping. When I saw that happening in my career, this is like maybe two years down the line when I started. So it's not like after 10 years, I have to wait 10 years to do this. It starts happening in the beginning itself. If you look at smaller ways of giving back. So, like, you know, I was training people. I remember at the place I work, I was just conducting trainings and helping people on board and just speaking, doing some public speaking there. And actually, it was not public, it was internal, but still talking to people who are joining the company and talk to them about security and stuff, right? I was doing all of that. And you'll be surprised how much I learned from that. I'm like, okay, great. Like people have these questions and they have these misconceptions, and here's where they really know their stuff as well. And here's the image of how they think about security. So I started getting these signals from people. And I said, okay, now this is how here's how we can go about changing this. 
Here's how we do build a better security culture, right? And then one thing led to the other, as I keep seeing this, you know, obviously doing things at work, but then I saw similar to you, honestly, very, very similar. There was a point in about 2020, right before COVID, right? I was getting about 150 DMs a week, actually a month. I don't think a month. Simply, and I have a dog. I sat with a friend of mine where I'm like, he was getting something similar. He doesn't work where I work with a very similar role in a different place. And we studied together. I said, are you getting, are you seeing this, right? Are you seeing what I'm seeing? And so he was getting similar, like maybe not the right, maybe not the exact same number, but a similar set of questions where you know he was interacting with people. And so we said, like, can we like put them together in a doc and start categorizing what's happening? There's a limit to how much you can respond right away all the time for everybody, right? And it then becomes a copy-paste exercise. Again, the question was, how do you scale community work? So now it came to the point of scaling this. And I was like, well, one on ones is great. I build connections, people know me, great, and stuff. But looks like here's a common theme of questions. Back in 2020, 2021, we actually started writing a book, right? And we said, maybe we can address this in a very accessible manner, right? We can have a really quick, like a 200-page book, right? That goes through here are the domains in cyber, here's how you get started, here are the concepts you learn. It's very conceptual driven, by the way. So we start with systems. We don't start with cyber, right? We start with systems, then we talk about networks, then we say learn about security on top. Right. So we wrote like five chapters, literally, five chapter book, 200 pages. And we actually ended up publishing it in 2023, I believe.
It took a while because we're working and doing everything else as well. And then we said, okay, you know what? Now, whoever asked us this, here is a link, right? It's like 10, 15 bucks, whatever, super affordable, right? We had pricing across the board that helped people get it. So that should not be a barrier. And it's on Amazon and stuff. So that was one effort. Then I said, okay, the questions shouldn't be the same anymore. Well, not exactly, right? The questions were starting to change because people are like, okay, now we get this stuff, but we want to like, I started seeing the value of, hey, like talking to people in person and like actually, you know, sessions like this where you and I are chatting and people view it later on. People value the human aspect also in security a lot, right? So I said, okay, like how do we scale that? How do we get started with this? So, you know, one of the ideas was, you know, doing things like this, which is ad hoc, right? When you maybe folks like you and I connect, we make things happen, but it's not like a consistent thing. So I said, let me like, you know, I started writing on LinkedIn pretty frequently, and this is like 2023, end of 2023. So like every day. Like I was doing five days a week, now I do seven days a week, right? Just to kind of, and we have like 16,000 people now close to on LinkedIn that are like very much in cyber and like just are there too as a community, right? And then from those people, I realized look, it's not just about a book, it's not just about text, but people want to learn from me and from others. And that's where I started jumping into like, you know, I taught like a class for free this time, and it was a coding bootcamp for cybersecurity profession. I figured out people, you know, had this hesitation of like scripting and coding a little bit. So they're very good with concepts, right? Exactly. I think you and I chatted around it. They have this hesitancy, right?
I was surprised, I was overwhelmed with the response. Like there's like 3,500 people or so who actually signed up from like 50 plus countries. Yeah, from like 50 plus countries. It was insane. Like, I'm like, how is this? Like, this is not possible without the scalable technology, I guess, right? Like the power of the internet and anybody can join from anywhere. So I said, you know what, I'll do it for free, right? Like it's fine. And it was really insane. I learned a lot on how to run that such that everybody is like on board, they get the idea, they can watch the recordings and stuff. And then I said, okay, because you know, if you do it for a long time and you do it for free, you kind of get tired. As a creator, also on the side working full-time, it's you know this, right? You need some incentive. At some point, you know, you could do a lot of, I've done lots of free stuff. I think that course itself was multiples of six figures if I have to actually charge people. I said, no, it's fine, right? Yeah. So like in January, I'm actually teaching another cybersecurity bootcamp, right? That's for people who want to get started, but also are in the field and want to kind of update their knowledge and learn a little bit more and get some hands-on exercises in different domains and stuff. Kind of adapted from my book, but the difference is like I am teaching it live, right? Plus, like you get to interact, then we have a Discord community, right? It's very much hands-on interactive, which is different from like just studying it in college, right? Like, you don't get that community of thousands of people, not just like your 50, 60, like 100 people in your course, right? So that's coming up in January, and I'm doing it for 10 weeks, right? I'm like, you know, I would love to teach this for free, but my time has a value. And you also want to filter people out who are not so serious. I've seen this, right?
People they take an appointment, but they don't show up, right? So this has to be some filter of like charging such that people like to. So I figured out, okay, serious people can put in some skin in the game, right, and learn. So actually, for viewers of this podcast, I actually have uh created a code if people want 50% off for like security unfiltered, you know, viewers and who follow you. Here is a link I can share this if you want. I can put it in your comments and stuff. Yeah, absolutely. If you just directly go to this link, this is where I host the course that people can sign up. So they use the code security50, they basically get 50% off on it. I think it's a pretty sweet deal because I generally don't give crazy discounts all the time. But I think given it's Black Friday season and stuff, and I want to incentivize people. Like, look, it's not about like, it's not just about one course and it's not just about like this, you know, a few hundred dollars, but it's more about the exponential learning that people like. So a lot of people from my you know free courses have come up and say, hey, like we love that one, right? Can you like give us a scholarship? And I did end up giving people scholarships. I'm like, okay, I want to support you and stuff. So, you know, to answer your question, just going back all the way, like how did it all add up? It's just gradual like signals you get from people, from you know folks around you and folks like you, like you shared your stuff. I'm like, okay, he also got questions from LinkedIn, and now he has all of this. It's super inspiring, right? So it's that. It's there's gradual steps which you build on one on top of the other, and then you go 10 years and you look 10 years back now, you're like, okay, look how far like I've come from in this journey. And that's what people want to know at the end. So, how do you do this? And you're like, well, it started 10 years ago. Yeah.
I don't think it's rocket science, but it's that happiness, man. It's that just like you see people grow and you love that. So you want to keep doing that.
SPEAKER_01:Yeah. Yeah. No, that's a really good story. That's a great story. You know, that makes a lot of sense when you said, you know, you got to look back, you know, five, 10 years, right? That's where it started, and now you're here. You know, sometimes I get into like a mental rut, you know, or mental gutter where it's like, man, I'm not progressing like I should be. I don't know this stuff. I probably should have learned it five years ago, you know, all this sort of stuff. And I have to remind myself, hey, look back, look back five years ago. Where were you? You know, like you were just getting married, you were living in an apartment, you know, all of your goals that you had then that you didn't think that you would achieve within five years, you thought by the time, you know, maybe 10 years that you would achieve it. Well, if you look present day, they're all here. All your goals were met, right? Yep. And as soon as I see that, I'm like, you know, well, I guess I gotta set new goals for the next five years, you know, because like it's really important and it's very easy to just look where you are, because you are where you are. You're in present day, you're not in the past, you're not in the future, you're physically in present day. It's hard to see even that 1% progress that you may have made, you know, from Tuesday to Wednesday, right? I mean that's hard, you know. But if you look back a year, you could say, oh, you know what? Yeah, I am a little bit better than I was the same exact time last year, right? Maybe journaling even helps a little bit with that, right? Is just trying to get your thoughts down from the day. I'm not as good at it as I should be. I don't do it every day, but you know, it's still there and I still do it. But maybe that helps a bit.
SPEAKER_00:I was gonna say, like, for you, it might be a little bit easier because you have all these podcast episodes, you have your LinkedIn, like you have so much like and maybe a little bit me as well on LinkedIn, especially. This, a lot of data is just public. So go back like five years and like just look at the stuff you produced and like wrote. I'm sure it's a lot better now. Just because you've done it so many times, you kind of know the game a little bit more. That itself is progress. And a lot of people, especially the ones that are like really passionate about this, forget what to do. So that's a really good point. Like 100% agreed and it's echoed.
SPEAKER_01:Yeah, that's a really great point. You know, like I try to, there's like a recurring circle of guests that I'll have on, you know, within a year, right? Where I always try to talk to, you know, a certain group of people like once a year, you know, on the podcast. And over the years, like some of them I had on year one, some of them, you know, I still have, you know, coming back on and whatnot. But the ones that followed me through it, they all say the same thing, like, hey, it is a completely different experience from episode one. I mean, it is not the same podcast or anything, you know, which is honestly my goal. Like, this is the time of the year where I'm reassessing the year and I'm saying, what went well, but more importantly, what went poorly, and how do I fix it for 2026? Right. I do it, I do it every year where I take a very hard look in the mirror and I say, hey, this episode shouldn't have gone live. It shouldn't have. It wasn't ready. I shouldn't have done it. Maybe I was off that day. I have to learn how to say no, right? I need to learn how to say no. Like I'm sure that there, I'm sure there's people, you know, listening to the podcast that are in my inbox, you know, right now, waiting on me to respond. But, you know, like you said, like it is so hard to stay on top of it when you're getting a hundred emails a day saying, hey, we want to come on, we want to come out, we want to do like all this stuff. And it's just like I appreciate it, I love it. I get to my emails once a week, you know, just to be fully honest, right? Like I get to it once a week, and if you message me directly on LinkedIn, I get to it a whole lot faster, hopefully. Yeah, but it's like, you know, there has to be a filter there. But you know, I have always found taking that hard look, you know, at the end of the year and saying, hey, what went well? Did I pass that certification that I wanted to pass? No. Well, what do I need to do better?
You know, what happened during that time frame? Did someone interrupt my study time or whatever it is, right? You know, so I have an interesting question. I know someone that, and they've been on the podcast before. It was several years ago. If I said his name, you'd probably recognize him immediately. But he has just about every cert under the sun that you could think of and in the cloud security, just security overall realm. I mean, it's actually insane. Uh, the amount of certifications that he has and then his recertification time frame, I wouldn't, I would never do it. Yeah. In terms of certifications, where do you think that sweet spot is? You know, like maybe you don't have to list off the specific certifications. I do, right? But that's just me. But like, where do you think that sweet spot is? Because I ask it because, you know, whenever you're thinking of someone at Google, you immediately think, oh, they have 15 certifications, right? Like, I mean, they have 15 certifications, they probably have a PhD or a master's or whatever, right? But people really want to know what that sweet spot is of getting, like, hey, do I get the CISSP and then I go and get a couple of these other certifications? Or what do you recommend people do or maybe even aim for for themselves in terms of certifications?
SPEAKER_00:That's a good question. So, and I would probably even say, like, I don't think there's a Google component in this because I've actually very vocally talked about this, irrespective of any company, because people ask me a lot about it. So, so much so that this was one of the FAQs in the DMs. So, I actually wrote it in my book as well. And we actually have a kind of a roadmap and a mindset. So, we talked about mindset a lot in this. So, I'm gonna go slightly into that because I want to teach people how to make that decision. So they eliminate the question of cert A or cert B. They can actually self-answer that. That was the goal I had when I was writing that. So the way I've thought about this, I've done all my fair share of certification. I don't have like, I don't know, 15 or whatever, but uh in the beginning, like I did some. And here's why, right? If I look back now, the idea of certifications is, you know, you remember the knowledge skills experience thing I shared, right? It's a very fundamental idea. That's why I shared it in the beginning. Because we have to think, what do certifications fill? Like, what do they give you, right? They give you knowledge, some of them give you some proof of skills, if I may call it, right? So some certification, I think OSCP and a few others who have a practical aspect where you have to perform some skills and test in an environment or stuff like that. I've not done it, but I've heard about this, right? But those cover some skill aspects. That's it. Those are the two pillars they touch. So when do you do them? Well, when you clearly have to get some knowledge and prove that you have that knowledge, right? Second is when you really want to make sure you can attest to a skill. Right? So if those are the only two goals, then I would say, have you figured out your path in security?
So a lot of people, and this is where like getting all certs is like I'm not really fully bought into that idea yet, but if you have a path, so let's say you are in, I don't know, you're in blue team, red team, GRC, whatever, you're in some domain that you're specializing in, for example. You now know the beginner, intermediate, advanced stages, right? So yeah, you can have beginner certifications that talk about security in general and like cover that aspect. So you're set there. But after that, you kind of can clearly decide right which one works for you and how it will add value to you. So I've written this a lot on LinkedIn, by the way. This is one of the things where I've continuously kind of hammered back. I would say not hammered, but like continuously talked about the same thing over and over, the same drum, right? Beating the same drum, saying, hey, don't like go for like random certifications, right? Here's how to think about certification. Does that make sense to you? What purpose do they solve for you? By the way, I know some like, and this is where they become requirements. I think we have to differentiate that one. There are some, I guess, some roles in the public sector where they say, no, you need to have the certification. And if so, great, right? Okay, it's made clear why they need it, right? It's probably some compliance reason or some other, you know, their internal reason. Now you have a clear idea. Okay, if you are going for those stuff, then sure, you have a clear reason. I'd, you know, go do it. No problem, right? But you shouldn't know that why. I think a lot of people miss out on the why and the critical, uh I would say critical thinking about certification X, right? And they just want to do it for the sake of the names and the letters they can add. And I'm like very cautious of that because I want to know what they learned so that they can apply it, those fundamental principles, right? Concepts.
They can apply it so they can solve problems now or at scale or whatever, whatever, right? That is the goal. The problem solutions is the goal. The goal is not to get just to get letters, right? There has to be an application of that aspect. So I would always encourage people to tie it back to their personal goals, the requirements that are fulfilled, and what are they getting out of it. And then shell out the cash because a lot of certificates are not cheap these days. They cost a lot. So in fact, I'll give you an example. The course I taught for free, I actually had a certificate option, which I said, hey, you can make a small sum of money and really like very less, right? 20, 25 bucks, whatever. You will not believe this, Joe. Like a lot of people took that very seriously, and I was very happy to see that because I made it like a okay, I'm gonna give you this, I will sign it, but you have to fulfill these requirements. And the requirements I set were not like show me that you know this, right? I said, show me that you can do this. So did you solve these five assignments and did you get an 80% or more on these? Right? And if you did, and we have a grade, we had a grader, and if it did, and I verified it, then I will say yes. Right? And we never deviated from those criteria. We said, no, that's the bar, right? So I know everybody who came and learned from me has that bar now, right? At least in that area. And that's gonna like help them throughout their career, right? No matter where they are. And it was a generic one, so they can be in any, I guess, any domain in cyber. I guess that is the idea that I am trying to up level, like in the community, I'm trying to up level people in a way that other people haven't done it. If it makes sense. So that's my quick take on certificates. Like, just don't do it for the sake of doing it. Do it because it makes sense and do it because it aligns with your career trajectory. At least that's my view.
I know people can disagree, that's fine, but I'm just sharing what has worked for me and what has not worked for others as well.
SPEAKER_01:Yeah. No, that makes a lot of sense. And that's also like right in line with what I tend to recommend to people asking me that same thing, you know, because they always ask me like what cloud security certifications should I go for? Should I go for Microsoft or AWS or Google? You know, and I always start them with what is your company in currently? Like, what company are you working for and what cloud are they in? You know, and they'll say whatever cloud, and then I say, like, okay, well, you know, what specialty do you want to have? Right? Go deep in that specialty and maybe go and get like that solutions architect level cert too, once you go deep to show that you have a broad range of knowledge and then you're deep in one area. That's when it makes the most sense, right? Not getting just every cert under the sun, that doesn't make any sense. That doesn't, as someone that hires people, that shows me actually that you don't have very much direction, right? Because people that have direction, they're very precise, they're very concise in even how they speak, they're straight to the point, you know, they have a direction that they're going and they just go down it, you know, which I want more than someone that has, you know, extensive knowledge, say in all three clouds, and now we're on a 30-minute phone call that's turned into 90 minutes because this guy can't stop, you know, asking questions when it's like, hey, there's things that you have to assume. There's things that you have to find out later, you know, that sort of thing, right? Especially in like the professional services world, you know, where it's like, hey, time is quite literally money to these people, you know.
SPEAKER_00:Yeah. And you're spot on about the direction because a lot of people don't have that, which is why. Think of us like you're diagnosing something, right? We have these symptoms. So symptoms of being lost, symptoms of not having a clear like path you want to follow, or a domain you want to enter, or a domain you don't want to continue. Like these are just symptoms that show the lack of direction. The root cause is the lack of direction. It's showing up as that confusion or set of questions they have. And we take that very seriously. Like both you and I, I'm like, okay, like, does this make sense for you and why and why it doesn't? So it's that diagnosis that we kind of drill down with them and figure the answer out. But there is no one answer, I think. It's very personal to people. But uh the approach is the same, right? We can see it through and through just from the answers or even from the questions.
SPEAKER_01:Yeah. No, it makes a lot of sense, you know. And so like I got the AWS security specialty certification, right? And it's like, at least at the time it was AWS's like second hardest certification, but it was the only, you know, security focused specialty one. So that's the one that I got. And then when I go and I, you know, interview for like AWS or Amazon, you know, they see that certification, and it eliminates, you know, that I mean they this is them telling me it. They told me that you having that certification eliminates the vast majority of the questions that we were even going to ask you on a technical interview. Like, you know, I got on the interview with this technical interviewer and he looked at my certification and he goes, Okay, I mean, like, there's nothing that I can ask you that'll even be hard for you if you have that certification. Yeah, so like this is just a conversation now, you know, like you obviously know your stuff, which you know, that's like the for me at least, that's the true value. When you get a certification that's so widely respected like that, even internally at the organization that is issuing that certification, to where when you're on the job market and you're looking for a job, you know, the last thing that people are asking me about is my AWS experience. They're like, yeah, we know, we know you have that.
SPEAKER_02:Yeah.
SPEAKER_01:Can you spell Azure? Can you spell GCP? You know, like that sort of thing.
SPEAKER_00:Exactly. Yeah, they know the knowledge component is generally satisfied. They want to know how you apply it and how you talk about it. Exactly. That's the goal. Yeah.
SPEAKER_01:Right. Well, Karan, you know, we're unfortunately at the top of our time here. And I've really enjoyed our conversation. I really appreciate you taking the time out of your day to come on and you know, give me, just give me your time, right? To kind of pick your brain on these different topics and hear your story. So I really do appreciate it.
SPEAKER_00:No, no. Thank you so much for having me. It's a pleasure just to talk about cyber, right? In general, it's awesome to talk about these concepts and stuff. And I was gonna say, like, if people want to connect with me on LinkedIn as well, happy to share that. Put it here, and then you can put it in the description, however you want it. But just very super open to connecting with people in the industry because I feel like there's a lot of value that you and I add, not just kind of outside of these podcasts. Then I think that's the consistent ongoing medium, at least for me at the moment. And so I encourage people to just reach out, connect, and I'll be happy to chat.
SPEAKER_01:Yeah. Yeah, absolutely. I mean, I was gonna I'll definitely put your links in the description. Besides LinkedIn, if someone was to find your content, where would they go to find your content?
SPEAKER_00:LinkedIn is the primary one for now. And then the other course link I pinged, I think that has a lot of like upcoming things I'm teaching. So that's the learn.com cyberinstructor.com. Learn.thecyberinstructor.com. Yeah. That's my, I guess, uh, personal like project on the side, right? Not associated with Google, where I kind of do this community work and kind of teach people. And that's where like I put on new courses, right? So there's this, we have a lot of exciting stuff coming. I'm super excited to kind of build this material. So the more people are excited to learn, the better. We get a lot of feedback and work with the community. So highly encourage people, just whatever medium they want, they can reach out. And then people want to see more video, you and I should figure out to do a lot more in the future. Yeah, for now, those are the two.
SPEAKER_01:Yeah, absolutely. Well, thanks everyone for watching this episode or listening to it on whatever platform you're on. I really hope that you enjoyed this conversation. You know, I really hope that it helped you in some way. And, you know, if you're looking to scale up in 2026, which, you know, with the job market, how it is, how it's looking, everyone should be looking to scale up, you know, to really make themselves more valuable and learn more, you know, on the area that you're trying to get into, right? So if you want, go ahead and use the code security50 to go ahead and get that 50% discount on his upcoming courses for 2026. And with that, you know, I'll leave you guys to it. Bye, everyone. Thanks all. Take care. Bye.