George Bailey is the director of Purdue University’s Cyber Technical Assistance Program (CyberTAP), which provides cybersecurity advisory services and corporate education to organizations in Indiana.
A summary of the episode
CyberTAP focuses on helping small and medium-sized businesses build a strong cybersecurity foundation through risk assessments, gap analyses, virtual CISO services, and hands-on training.
The program aims to improve the cybersecurity posture of organizations in the state and help them become more resilient to cyber threats. CyberTAP also engages with the local cybersecurity community through initiatives like the Indiana Executive Council on Cybersecurity and the State, Local, and Tribal Government Cybersecurity Program.
George Bailey advises aspiring cybersecurity professionals to pursue relevant industry certifications, build a portfolio of projects, and actively network in the local cybersecurity community to gain experience and make connections.
A full transcript of the interview
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today, our guest is George Bailey. George is the director of Purdue University’s Cyber Technical Assistance Program or CyberTAP. We’re going to be talking about building a strong cybersecurity foundation and I think George is the perfect guest for the show to manage through that conversation.
So let me tell you a little bit about George before I bring him in. George Bailey is an accomplished IT security professional with over 25 years of experience spanning systems administration, network security, incident response and more. A two-time graduate of Purdue and a PhD candidate at the Purdue Polytechnic Institute.
George leads a team of cybersecurity experts and educators delivering technical training and advisory services to organizations in Indiana, and beyond. He’s an active CISSP credential holder, a member of InfraGard, and serves on the Indiana Executive Council on Cybersecurity. George is passionate about risk assessment, security, education, and helping professionals transition into cybersecurity careers. We are thrilled to have him with us today and share his insights. And with that, welcome George. Thank you for joining me today.
George Bailey:
Thank you Steven. Thank you for the introduction and the invite to be on the podcast.
Steve Bowcut:
You bet. We appreciate your time. This is going to be a fascinating conversation. Let’s start as we always do with helping our audience understand you a little better and more specifically the journey or the path that you took to get to where you are at and what that looked like.
George Bailey:
Sure. I’m a military brat, so I traveled the world attending mostly DOD civilian schools, which curriculums were generally a little bit more technical than what we probably would’ve seen in public school during the ’80s and early ’90s. Graduated from a school out west and like most college-age kids, students these days, you apply to a bunch of schools and you apply sometimes to schools that you’ve never heard of before.
And I knew I was going to study computer science. So who has some of the most established, so who’s got the oldest computer science program in the nation? So Purdue popped up, so Purdue was one of the schools I applied for. I knew nothing about cyber when actually when I graduated from Purdue in 97, I didn’t really have much exposure to cyber. I thought I was going to teach cybersecurity, or excuse me, I thought I was going to teach computer science education and in the late nineties, the high school curriculum for computer science just wasn’t where it was where it needed to be frankly. It’s just now really getting there 30 years later. And so I took a CIS admin job.
I took a typical entry-level IT job managing servers and networks and doing a lot of end-user engagement. And what I found was I kept, these were Windows XP Service Pack 1 days. So if you’re thinking your timeline of what technology was out there in the world right before Windows NT 4 kind of broke the scene where we had the first wave of Active Directory services and my environment kept getting compromised. I couldn’t get the Windows PCs patched fast enough before they were compromised. And I was like, there’s got to be a better way.
This was back with the “Melissa virus” and the “I Love You virus” and the “Sasser” worm and “Blaster”, all the things that today we would likely just call “noise”, right? Just malware, that would be a nuisance. But back then in the early days of the internet, it really caused a lot of havoc. So I went back to graduate school focused on cybersecurity. Well, back then it was information assurance because I wanted to be able to build and maintain more resilient environments.
And shortly after graduating with a master’s degree in 2003, I took a role as a security engineer. So that’s when I started doing cybersecurity or what we would call cybersecurity today, full-time. It wasn’t an adjacent or an add-on task under my system network admin duties was your role was to proactively protect the environment? I was working and I changed business. I changed organizations and I did that role for seven or eight years while I was still pursuing advanced degree and the commute got too much at that point. I had gotten married and had children, so it was time to come back home.
So I came back to Purdue where a role in the technical assistance program. So the organization I work in now opened up and it was a brand new role. I got to build the team, I got to build the service and it was about providing cybersecurity advisory services to folks businesses in the state of Indiana. I hadn’t been a consultant before, so it was something new that I had to learn and I’ve loved it. I’ve been here ever since.
Steve Bowcut:
Okay, awesome. So in a nutshell, I guess you could say cybersecurity came under your radar as trying to find a solution to problems that you were facing as an IT professional. And now here you are the director of CyberTAP. So let’s get an idea of what exactly that is. Give us maybe a high-level overview of CyberTAP, the mission and the broader goals.
George Bailey:
You bet. So the technical assistance program is the business unit at Purdue University. We traditionally have very little to do with formal academics at the university. Our goal as a land grant university is to give back to the state of Indiana. We exist because a benefactor donated a bunch of land in the mid-1800s to establish the university. And we are recognized by the state of Indiana. Purdue is a state school, state funded, state supported, but the TAP program is even supported in addition to the university as a whole. So we get a little bit of tax revenue every year to, we call it keep the lights on money.
And we take those funds and we have about a 10 times impact factor. So they give us a couple million dollars. We do about 20 million of impact across the state of Indiana. And how we measure impact is number of jobs saved, amount of business generated by the companies that we serve. So we’ve been doing technical assistance for small business since 1986. In 2009, the Hospital Association of Indiana came to Purdue and said, we love the TAP services that you’re providing to manufacturing and science and industry. Can you do that for healthcare? And we said, yeah, absolutely we could. So that was where, and of course when you think healthcare, you think, well, this is the first thing you think of. You think of HIPAA, right? You think of privacy, think of security, you think of confidentiality of patient records. So obviously TAP had the folks that joined the team to do quality improvement, healthcare delivery, all the things that make patient care better. But what they didn’t have was the cybersecurity information security focus.
So that’s when I joined the organization in 2011. We built out that service. And so we’ve been doing advisory consultative services for the state of Indiana in cybersecurity since 2011. We do about anywhere from 150 to 200 projects a year. In most organizations, these would be considered micro-size organizations. We’re talking 50 employees or less is kind of our typical organization we assist. That sweet spot of organization is a 350 to 500 headcount of employees or less. You get much larger than that. And we find that those organizations either have strategic relationships with outside service providers or they got a security partner already, and sometimes we just aren’t able to enter into that sort of dynamic to add much more value. But when you get to that organization where they might have some IT, they’ve got an IT integrator on the outside, but they don’t have any IT or security leadership, those are the organizations that we see that we serve and get most value out of our services.
Steve Bowcut:
So that’s interesting because in my mind that is so many organizations that I’ve run across in my career that they have some IT. They have a guy who knows IT and keeps all their computers up and running, but it really doesn’t have any cybersecurity background and he’s learning what he can and then sometimes they do a fair job. So is the goal then of the TAP program to help them graduate out of and grow to a point with their cybersecurity posture and knowledge and understanding so they no longer need your services? Is that where you’re headed with them or does you establish
George Bailey:
That’s kind of our goal. So there are clients businesses that we serve year after year after year because they have a compliance obligation to do something or another, whether it’s regulated, they’ve got to do a periodic HIPAA security risk analysis or they need to do a self-assessment. But as you said, they’ve got the guy and he’s passionate, he does a good job, but he’s a little biased. Being able to grade your own work sometimes can be difficult.
So getting that unbiased third-party outside perspective is helpful. We don’t sell product, so if we come in and say, Hey, your firewall is really antiquated, it’s unsupported, it’s time to upgrade that we’re not going to just turn around and say, Hey, guess what? We can sell you a Palo Alto or Cisco or Checkpoint. We don’t do that. So we can help you write an RFI to go out and find an integrator or VAR to come help you do that. But we want to be your value trusted partner in making good decisions, not necessarily selling you additional products and technology and tools and things. So yes, that is what we hope to achieve. So we want businesses to stay in Indiana, so we need them to be successful. If you happen to be victimized by ransomware, that’s going to jeopardize your longevity as a business in Indiana, which obviously affects jobs, it affects households, it affects tax revenue, economic development hurts if businesses leave or get shut down.
Steve Bowcut:
Exactly. Okay. Well this is great. So maybe we could drill down a little bit into the specific offerings. You’ve talked about a few of ’em, but risk assessments or what do those offerings look like?
George Bailey:
So I definitely want to mention what we call TAP in-depth, traditionally called TAP 40. And that is where the state of Indiana will sponsor 40 hours of assistance to Indiana businesses. So if you’re incorporated in Indiana and you’ve got a discrete problem, you can come and we’ll assign a team of folks to help you work on that problem. So traditionally it’s been things like additive manufacturing. Hey, I want to print 3D print titanium to make this new widget for an aerospace customer. Great, we will hook you up with a PhD metallurgist and we’ll figure out, now 40 hours isn’t going to solve your problem, but if we can get you on a path to resolution, it’s free to the organization. And not very often would they get that level of research or a graduate student team who can really deep dive into their problem. Again, 40 hours is just the tip of the iceberg, but it gets them in the direction.
So folks, a lot of folks have cyber problems, but a lot of those problems don’t necessarily fit the culture of the in-depth program. So we want to solve a problem under the TAP 40 model. We don’t necessarily want to check a box. So a lot of the regulatory or the assessments that we do don’t necessarily qualify for that because it’s at the end of the day, your posture may have improved. So you may be a stronger, more secure, more resilient organization, but you’re not necessarily being innovative in problem-solving. So we have two major service lines at CyberTAP. We’ve got consultative advisory services, and then we have corporate education. So under the advisory services, we do a lot of strategic just planning risk assessments, gap assessments, technology assessments, those types of things where, okay, we want to be NIST CSF ready or compliant or can’t really use compliant with that because it’s, you want to adhere to that standard, but you don’t know where your gaps are.
So we will come in and we will interview the appropriate stakeholders. We will review all your policies and procedures, documentation, if any of that exists. We will do a technical evaluation, things like doing benchmark reviews of your servers and your workstations to give you an idea of let’s say there’s 330 group policy objects you could turn on or turn off within Windows. And guess what? You’re only about 22% of them there. So you could do a lot of hardening in that environment without spending a single penny other than your time to push those group policy objects out to your environment. Firewall policy analysis, a lot of folks don’t, particularly if you’ve had a firewall that is several generations old, you’ve added rules, but have you really thought about the efficiency of those rules and is the policy as tight as it could be? So we’ll do both a desk audit of those policies as well as running through some automation to figure out how to make your firewall policies more efficient.
So just a whole battery of tests like that, we want to get an understanding of, right, you don’t have any policies because you’re small and you haven’t really formally thought about cyber from a governance perspective, but hey, you’ve got some really good operational practices and the battery of technical tests will tell us that, right? You can tell me what your password policy is, but then when we do a password hygiene assessment, and I can tell you your users are way surpassing what you expect them to do or they’re not even following, seeing what your verbal general guidance is, your passwords really stink. Let’s focus on some user education so that before you go out and spend a bunch of money on a technical control, people understand why we need robust passwords. And so we do a lot of that stuff and at the end, we take all of that data and we simulate it and we give them a formal report and those reports and our theory and our hopes that they will stand up to a compliance scrutiny.
So we’ve had a number of organizations, particularly in the healthcare side who unfortunately have had an incident over the years and the Office of Civil Rights come calling as they do when you have HIPAA, an alleged HIPAA violation, and they produce a risk assessment report that we give them. And if you follow any of the corrective action plans from HIPAA violations, and one of the number one findings is they haven’t had a robust risk assessment. None of our clients have had to make that defense. They’ve all come through pretty cleanly on those types of investigations. So we’re pretty proud of our thoroughness on those. Sometimes it’s a little bit heavy for small organizations to deal with when we give you a fairly lengthy report that really details where you are on the spectrum and where you need to go.
But then we have advisory services. So virtual CISO is kind of the term you see in the industry today where you can’t afford a subject matter expert to be full-time staff. And frankly, you wouldn’t need to employ them 40 hours a week. You need either project work or you need a coach to get you through drafting an updated, acceptable use policy, or how do we do this X, Y, and Z? And so they can just buy a block of hours from us and we will sign an analyst and they’ll work with them. It’ll be part of their team until their problems are solved.
Steve Bowcut:
Oh, fascinating. Okay. And this is interesting because I kind of wanted to ask you next about sometimes there’s a rub between regulations and compliance and doing real risk assessments in the industry generally I’m talking about, but from what you’ve just described, it sounds to me like maybe the people that are working with your organization don’t have that problem because you are in fact teaching them to do true risk assessments, not just checking the boxes in a compliance framework. Is that fair to say?
George Bailey:
We’d like to think that anyway. So there’s a number of projects that we do that really turn out to be gap assessments. There’s no stratification of risk. But for organizations like healthcare and those serving the defense industrial base where they have to do a periodic risk assessment, that is not a gap assessment, that is not trying to figure out where you are deficient on a particular compliance framework that is trying to make an informed judgment call on. We have these vulnerabilities, we believe these are threats, or our threat actors, what is the likelihood and impact that those two are going to marry? And then we have residual risk.
You don’t have risk if you don’t have a vulnerability or a threat, you might have weaknesses, but if there’s not a threat actor who that could compromise or exploit that weakness, you have no risk. So a gap assessment can be good because if you are really low on the maturity model, you’re not going to have metrics, you’re not going to have information that you could share with us that would give us a bit of information to say, okay, this is your typical threat actor, so we can help you do some threat modeling to figure out what the threats are.
There certainly is a long list of threats that we all suffer, right? We’ve got phishing and social engineering, and we’ve got theft and loss and the potential insider misconfiguration and mishap, those kinds of threats, which are huge. Most of the incidents that we experience as an industry, it can revolve around a very small subset of threats, but at the end of the day, they haven’t really thought about that. And so a risk assessment is about stratifying that risk. Can you tell me with, and in many cases it’s qualitative, but can we back it up with some technical data in the sense of, yeah, we scanned your 800 endpoints and you are suffering from a very bad patch management practices because it doesn’t, regardless if it’s a Windows or HP printer or your networking core, they all seem to have the same process-oriented vulnerabilities.
You’re always about 8 months behind on your patches we need to fix that. That dwell time needs to be from 8 months to 6 to 12 weeks. We’d love it to be in real-time, but the reality is you can’t do that. Many organizations can’t do that across all of their technology assets, so trying to strike a balance. So yeah, risk stratification is something we take pretty seriously because most people will see risk assessment as just coming up with a laundry list of things to work on, which is good, but it should be informed by your business practice and what your threats are and all of that good stuff.
Steve Bowcut:
Excellent. Okay. Alright. So let’s maybe turn our attention a little bit now more toward the corporate training and education. I’d be interested to hear more about that and particularly if there’s any element of that that helps people maybe transition into cybersecurity from other fields.
George Bailey:
Sure. Corporate education is one of our newest offerings at CyberTAP. In 2018, we had a fairly large Purdue partner come to the university and they wanted to upskill and reskill a large number of their workforce. And if you know anything about higher education that felt like work for hire because Purdue, we have world-renowned degree programs and graduate certificates and other things that the faculty work really, really hard to keep that curriculum modernized and reasonable. But this obviously a corporate learner or non-traditional adult learner doesn’t have time to come back for another degree. They may not have time to even do a MicroMasters through an online MOOC like Coursera. Lots of great valuable online learning resources now that we didn’t have when I broke into cyber in the late ’90s.
And because we’ve done a lot of awareness and educational programs at the individual business level, we report up through the office of research at the university. So that opportunity kind of fell on our plate and we said, yeah, we like hard problems. Being able to train 2000 people in two years on the foundations of cybersecurity sounded like something we really wanted to do. We did. We built some of the curriculum, we went over to the academic side of the house, we went to our Purdue Polytechnic where our cybersecurity undergraduate lives. We went to computer science where some of our graduate computer security or cybersecurity curriculum lives. And we said, Hey, can we, what you teach in your classrooms, can we source some of that material? And that’s what we did. And we built out basically a program that’s about 320 contact hours. So it’s not for the faint of heart.
And over the years, this was pre-COVID, but during COVID, we broke those 320 contact hours into four 40-hour modules that spanned over four weeks. So we took a 16-week program where those original corporate learners came to campus and we taught them in person in our CyberTAP classrooms 8-hours a day covering cyber foundations, enterprise security, vulnerability management and ethical hacking as those broad topics. And when COVID hit, we were like, oh, we weren’t allowed to be in the classrooms. They couldn’t ship their students to us. So we transitioned to online, which was synchronous. So we did some lecturing online. We have online lab environments so they could really engage with us from anywhere.
And of course we’ve kept that material updated. So now we have basically a catalog of classes. They all kind of stem from that core, which we call ACE, Applied Cybersecurity Essentials, which is those four-week modules. We like people to go from CF to enterprise to vulnerability management, ethical hacking, but the reality is they are self-contained/self-standing. So if you are a person who maybe graduated from an undergrad with maybe some cyber classes or even a cyber degree, but maybe you went to a smaller school and you had less opportunity to do hands-on training, you could jump right into enterprise security or vulnerability management, where those classes, we utilize online lab platforms and one of the environments that we use is “Hack The Box”. It’s very common. It is a popular training platform. It works great remotely, but it gives us the opportunity to give people challenges and they have to basically remote into an environment and work those challenges just the same as if it was in their enterprise.
Steve Bowcut:
Right and obviously people are going to be driven towards the courses or classes that meet the needs that they have in their workplace. But as kind of an interesting, aside from your perspective, do you see any of those courses or classes that were kind of stand out in their popularity or how much they resonated with the students or not?
George Bailey:
So a series, people generally enjoy them, but I think our defender and our rater series that we utilize our cyber range for those are completely live interactions. Where some of the ACE modules, synchronous is asynchronous. There’s some of it you’re doing on your own, some of it you’re in a virtual classroom with an instructor, the defender and the rater series, which are range-based immersive hands-on training. There’s no theory, right?
There might be a little bit of a lecture to introduce a topic or a concept, but we’re talking 5 to 10 minutes. And the rest of it is you are in a live fire environment where you are simulating either a SOC analyst or a SOC team and we’ve fired off an attack and you don’t know what it is, right? Part of it’s, we don’t tell you, you don’t show up at work on Monday morning thinking, oh, I’m going to fix this SQL injection attack that just happened 30 minutes ago. You don’t know what’s going to be on your radar.
So they’ve got to work as a team and they have all of their commercial tools up, the firewalls, the Active Directory management services, all of these things that you would have in a small enterprise, and we might give them a tip. If they don’t identify that initial indicator of compromise or that patient zero misbehaving, we might simulate, Hey, the help desk just called and user Tom is having a word message on your screen. So they’ve got to investigate and do that incident response. Students rave about that, right? Because a couple of different things that it really reinforces. One is that you don’t want to experience your first cyber attack while on the job.
It would be very nice if you had at least a little bit of exposure on what a web defacement looks like. How do you identify it? How do you get some attribution, how do you contain it, how do you eradicate it? How do you recover? You don’t want to do that in your production environment for the first time. Unfortunately, most, and that was the case for me as most cybersecurity professionals, the first time you experience a possibly devastating cyber attack is while you’re on the job.
So education needs to change. People need to be more, there needs to be more experiential learning in cyber education. So people rave about that because they get to experience all slew of different attacks, both and offensive-minded folks. We can put them in the role of the attacker so that if the defenders are savvy, if we have an experienced SOC team that is on their range adversary, the student playing the adversary role can change up the tactics. They can see, oh, whether they’re already onto us, they’ve got their SIEM query down, let’s change our IP address, or let’s do something different. Let’s do something that basically is going to nullify what they already know, just like an adversary will, they’re going to change their TTPs, particularly if they know that you’re onto them.
I think and the team building aspect that and the soft skills, the way we run our classes is we like to for the students, and sometimes they know each other and sometimes they don’t. They’re all from different corporations, all different backgrounds, and they’re interested in the class and we put ’em together and we ask them to nominate an incident responder, like sort of a coordinator, incident master, if you will. And in many cases, if that person is being too, I don’t want to say overbearing, but if they’re not allowing others to communicate and express their desire to take this scenario in a certain direction, we might say, Hey, guess what? You just got caught off on paternity leave. You can’t talk for next 35 minutes or something just like you have in the real world. So we might do objections to force some of those folks who are really talented, but they’re not necessarily vocal communicators or to force them to develop some soft skills that they normally wouldn’t get an opportunity to do.
Steve Bowcut:
Yeah, it’s interesting. I really like what you said about having the opportunity for some students to work in an offensive role because we hear all the time that the best way to learn how to be a good defender is to understand how the adversary’s thinking. And that’s a great way to learn that is to play that role for a little bit in a cyber range. So that’s really good. Thank you.
Let’s talk a little bit about community engagement. So we mentioned that you’re involved in the executive council on cybersecurity in Indiana and also the InfraGard. So is there some overlap there between those organizations and the community that they represent and what you’re doing at CyberTAP?
George Bailey:
There’s not a whole lot of overlap between those two organizations. IECC, the Indiana Executive Council for Cybersecurity, which is a committee that crosses most of the 16 critical infrastructures in Indiana, it was initially developed by Governor Pence and then Governor Holcomb under executive order kind of renewed that committee. So we’ve had that group in place for several years now, and the goal is to develop tools and resources for Indiana critical infrastructure businesses so that they can improve their cyber posture because there’s some information-sharing there. One of the ways that we vet members is that we want them to be InfraGard members, so let the FBI private partnership do that background screening for us. And if you’re eligible for InfraGard, then we deem you eligible to participate in IECC.
Steve Bowcut:
Oh, good.
George Bailey:
And so even across multiple administrations, that team, and it is an unfunded, right? So it’s made up of all volunteers. There’s a core committee of voting members, so they get to vote on things that the committee strategy focus on, and then there’s advisory positions. So I’m an advisory position on the committee. So I provide subject matter expertise on a couple of different working groups. One is the workforce development group, so how do we make Indiana’s workforce more cyber-safe and secure by producing awareness and cyber hygiene readiness materials? And then the other one is on the healthcare committee. Having been in pretty much every healthcare system in Indiana, I’ve got a pretty intimate knowledge on how things are done on the cyber side. So I provide a lot of guidance there in that regard, but not a lot of overlap between InfraGard and IECC. And recently I’ve joined the SLGCP which is the State Local Government Cybersecurity Program.
Every state has one. It’s part of the Infrastructure and Jobs Act. So the IIJA money that Biden passed early on in his administration to basically give hundreds of millions of dollars back to the states to improve their cyber posture. So every state has to have an SLGCP committee and every state has to figure out how to best spend those funds. So I’m a voting member on that committee. And so there’s a number of initiatives that we look for. We really want to improve MFA across the state of Indiana for local government. We want to improve endpoint detection and response. So having a good EDR solution is paramount to having a good cyber program. And there’s a few other programs strategically. That’s where we’ve taken the funds that the federal government has given Indiana, which will be about 20 million over four years to strengthen those protections. So I think what we’ve learned from IECC has greatly informed some of the strategies that the SLGCP is initiating.
Steve Bowcut:
Okay, excellent. So now we’re getting close to our time, but I want to wrap up with a couple of advice questions. We like to leave our audience with some practical actionable advice. So the first one would be regarding industry certifications. We know that you’re a CISSP and probably have some other certifications. So what are your feelings or thoughts toward professional certifications and maybe which ones people should really pursue or look at hard and your opinion?
George Bailey:
Good question. I waffle a lot on this, and I don’t want to sound like a hypocrite because I have lots of certifications. So what I tell folks that I mentor and students that come through our programs and even Purdue students that I interact with on campus is try to find an ideal job posting, your first job, and what do you want to do, and look at the job requirements.
Hopefully they might have things that you can relate to, right? So if you look at the knowledge, skills and tasks, things that you’re going to be responsible for doing, and certainly looking at what’s required from a certification path. Because in many cases, certifications aren’t going to make you a better cyber person. As a person who hires cyber-minded people, what a certification tells me is that you are committed to the industry, you are committed to being a professional. You could be a very successful, you could be one of the best cyber persons this world has ever seen and not have a certification. I see them all the time, particularly people in my age, they’re in their 50s, they graduated from college 30 years ago. Certifications really weren’t a thing then, but they’ve had a very fruitful career without them. The reality today is to get into cyber, to break through that HR glass ceiling, if you will, you kind of have to have one, right? Because everyone else does. And it could be a differentiator between you and another candidate.
Generally, I tell folks, if they’re breaking into cyber, if it’s their first cyber credential, look to CompTIA. They’re a solid program. They’ve just been bought by private equity. So it’ll be interesting what happens in the next couple of years with them. But right now their certifications are fairly obtainable. They’re some of the least expensive ones that you can acquire. And the Security+, if you want to work for the US government, it is a must have. So, but if you look at the job, so go to cyberseek.org, so an organization that tracks jobs and sort of what certifications they’re looking for. There’s like 63, I looked this morning, there’s like 63,000 job postings that are asking for the Security+.
Steve Bowcut:
Wow.
George Bailey:
But there’s 275 sec plus job seekers. So unfortunately certifications are way oversubscribed, right? It’s become a very, I don’t want to say it’s a money grab because like I said, I have them, they’re expensive to acquire, they’re expensive to maintain and I’ve chosen to do that. But I think you need to think about what roles you want. And sec plus is good because it’s very generic and whether you want to be a defensive, an offensive, someone who is in GRC or investigatory type cyber work, it’s a good foundation to have. And again, it’ll support job roles in the US government.
Outside of that, I would like probably grab a generic cloud-based. A lot of organizations are moving workloads and services to the cloud, so having a general understanding of cloud computing and what the security stack is available is pretty important. It doesn’t mean that you need to be AWS or Azure or Google Cloud professional where you can build and architect environments, but you certainly need an understanding on how identity access management works and how traffic flow and firewalls and all of the other things that from a generic nature is important.
So I think having a cloud cert, having a sec plus is important. And one that I’ve been watching a lot is the Google cybersecurity certification, right? Again, it’s very generic, it’s industry or vendor-agnostic. It’s not going to necessarily teach you how to maintain a Google environment, but it’s generic enough and it covers quite broad technical concepts. So that might be one to put on people’s shortlist as well, because it’s going to be fairly manageable to obtain from a financial perspective.
Steve Bowcut:
Okay. Perfect. Alright. So industry certifications, relevant industry certifications, relevant to what you want to do, are important. And as we wrap up here, is there any other advice that you could give to someone that’s just starting their academic or career path in cybersecurity?
George Bailey:
Yeah, I would say network. Go to your local BSides conferences, go to your local meetups. If you’ve got professional associations that meet in your region, whether it’s ISACA, whether it’s ISC2, whether it’s OWASP, all of these organizations generally have professionals that get together on a monthly, quarterly basis. Go to those meetings because part of acquiring that first cyber job might very well be knowing someone who has some level of trust in you as a professional.
The problem we have with breaking into cyber, there’s the common problem of, hey, we want to see CISSP, five years of work experience for an entry level position. As hiring supervisors, we have to do better. I have to do better because our generation, Steven and I, you or I, we’re a lot closer to retirement than we are from the start of our career. So we’re going to have a vast number of folks leaving the workforce.
But the reality is people don’t want to hire someone who maybe they’ve got a credential but they have no work experience. And fairly soon in their tenure on the job is, “Hey George, I need you to go out and connect our Azure sync to our Microsoft 365 tenant, create a bunch of OUs and make sure our certificate authority services are on par so that we can,” and it was like, “Oh man, I never did that in college.”
But they’re forced because they might be working on a small organization, and not only are they providing technical aptitude to securing things, they may be the only cyber person who has to provide strategy and leadership and advocation for doing things better. So we do need people with work experience, but if you’ve got a passion and you can communicate that, so network, definitely get out there and network.
Start building a portfolio for yourself. So if you’re a bit of a coder and you’ve solved some problems, put up a GitHub site. Start to show people that you can do these things. You can build environments, write a blog. Again, it’s not overly technical, but it’s going to further develop your soft and your communication skills, which that might be the shining point in an interview. They might have a cyber unicorn that they’ve just interviewed before you, but if he can’t look you in the eyes and he can’t articulate a sentence, that might be the point that lands you that job.
Steve Bowcut:
Right. Okay. Well this has been very useful and we’re out of time, but George, thank you so much for spending some time with us today. Our audience is going to be blessed from the things that you’ve shared with us today, so thank you. I appreciate it.
George Bailey:
Well, thanks for having me.
Steve Bowcut:
Alright, and a big thanks to our listeners for being with us, and please remember to subscribe and review this podcast if you find it interesting, and join us next for another episode of the Cybersecurity Guide Podcast.