Dr. Garrett Whelan earned an Educational Doctorate in Community College Leadership from Cal State Fullerton, a Master of Science Degree in Computer Science from Michigan Technological University, and is an Offensive Security Certified Professional (OSCP).
He taught at ITT Technical Institute before joining Long Beach City College where he is a a full-time assistant security professor. Faculty profile.
Listen to the episode:
Here are the key points
- Cybersecurity’s growing importance: Dr. Whelan highlights how cybersecurity has increasingly become a critical aspect of IT. Initially, he noticed a surge in security-related questions in job interviews for his students, leading him to integrate cybersecurity into his teaching.
- Integration of cybersecurity in IT education: Dr. Whelan emphasizes the inseparability of IT and cybersecurity in current education. He incorporates practical cybersecurity applications into his teaching, such as explaining TCP protocols alongside potential cybersecurity exploits.
- Certifications and continuous learning: Stressing the importance of certifications like CompTIA A+, Network+, and Security+, Dr. Whelan advocates for continuous learning and re-certification to stay updated in the rapidly evolving field of cybersecurity.
- Educational focus at community colleges: He discusses the focus on education over research at community colleges and the importance of adapting teaching methods to meet industry demands and student needs.
- Cybersecurity job market and skills gap: The discussion touches on the cybersecurity job market, the variety of roles available, and the skills gap. Dr. Whelan points out that while there is a demand for cybersecurity professionals, the specific skills required can vary greatly between jobs.
- Advice on cybersecurity education choices: He provides insights into choosing the right educational path, whether it be community college programs, online courses, or boot camps, based on individual circumstances and learning styles.
The following is a full transcript of the podcast interview:
Steve Bowcut: Welcome to the Cybersecurity Guide podcast. My name is Steve Bowcut. I’m a writer and editor for Cybersecurity Guide and the podcast’s host. Thank you for joining us today. We appreciate your listening.
Today, we have a fun and exciting guest. Our guest today is Dr. Garrett Whelan. Dr. Whelan is a full-time assistant security professor at Long Beach City College. We will discuss cybersecurity opportunities for students and early to mid-career professionals.
Before we get into that topic, let me tell you about our guest.
Garrett Whelan earned an Educational Doctorate in Community College Leadership from Cal State Fullerton, a Master of Science Degree in Computer Science from Michigan Technological University, and is an Offensive Security Certified Professional (OSCP). He taught at ITT Technical Institute before joining Long Beach City College.
Welcome, Garrett. Thank you for joining me today.
Garrett Whelan: Thank you for having me, Steve. Glad to be here.
All right. So this is going to be fun. I’m looking forward to this. So before we get into cybersecurity educational opportunities, tell our audience a little about you. So let’s start with how you became interested in cybersecurity. What got you pointed in this direction?
Cybersecurity really is something that just took over everything. Cybersecurity has, since I got into technology, been creeping up. When I first graduated from Michigan Tech, I think it was 2002; I had friends who were going and interviewing at Microsoft and Amazon and stuff.
And the big thing they were always coming back with is, “Oh, they’ll give you a code and you have to figure out where the buffer overflow error is.” That was the big thing back then, as they were looking for these buffer overflow errors. And that was the first type of attack that these big companies were really struggling with.
And it’s just been becoming a bigger and bigger thing ever since. I was in programming and IT for a number of years, and then I started moving over to teaching. And when I started moving into teaching, my students kept coming back from job interviews, where there were more and more security-related questions.
So I’d be teaching networking fundamentals, computer fundamentals, how to administrate a Windows environment, and a student will come back, and they’d be like, “What’s a SIEM?” And I’m like, “I don’t know. That’s a good question. What is a SIEM?” So we’d go look it up together, and we’d find, “Oh, it’s a security information and event management system.” Splunk is a common one now.
The industry was really asking about these things. Everywhere I’ve ever worked, I’ve always worked on the vocational side of things, that is, with people who want to change careers or start a career in cybersecurity and IT. So we’ve always had a lot of industry feedback. Every year we have what’s called a program advisory meeting where people from the industry come in and tell us, “This is what we want people to know. This is where the industry’s going.”
And just more and more, cybersecurity was becoming a part of it. So I had to teach myself cybersecurity in order to teach it to my students so they would be ready for these types of tasks. And even, as I said, IT and cyber security, I really started out teaching the IT side of things, but now you can’t separate them. Right?
Steve Bowcut: Right.
Garrett Whelan: You cannot do IT work without doing cybersecurity work. And now, it’s integrated into everything that I teach. So when I teach students about TCP and the three-way handshake, we also go into how Nmap can do a scan and not complete the three-way handshake to find open ports without telling anybody who they are, a silent scan.
So we integrate how the underpinnings of the technology work and how that can be exploited and how you, as an IT cybersecurity professional, stop that from happening, but it’s integrated into everything now.
Okay. Well, it’s interesting, and I find that perspective a little refreshing. It hasn’t been that many years ago when a lot of us in the industry still grumbled about the idea that cybersecurity wasn’t part of everything. It was bolted on after, “Oh, and now, by the way, yeah, you got to protect this stuff that I just taught you about.” So to me, it’s refreshing to hear that it’s from the very core of what you teach; cybersecurity is woven through that all the way through. So very cool. Thank you.
Tell us, if you can, if there’s anything that you’re currently working on or researching that our audience may find interesting.
Well, I work at a community college. So we are not research-focused. We’re education-focused.
Steve Bowcut: Got it.
Garrett Whelan: So I work on how to better teach my students and skill myself and my fellow faculty members up to be better teachers and professionals in the industry. You mentioned that I have the OSCP penetration testing with Kali certification.
That’s one I got six months ago, but one of the things I constantly have to do is get these certifications, some of which I already have. A lot of my students start off with a CompTIA A+, Network+, and Security+. Right?
Steve Bowcut: Sure.
Garrett Whelan: That’s a great entry-level cert for people wanting to enter the industry. And I find I have those certs; I have to keep taking them because they change them every few years. And even though the books and materials are updated, if you’re not taking the tests yourself, you don’t really know what your students will be in for.
For example, I’ve had my Network+ for 15 years now, but about five or six years ago, I took it again, and I realized, “Oh, I’ve really got to emphasize subnetting,” because I covered it, but it’s really not a thing that you’re going to do in your first job very much. If you’re not a network engineer, subnetting is not a skill that you need, but it’s on the exam. All of a sudden, we made sure, “Okay, let’s emphasize that and let’s really give these students opportunities to drill and integrate that in our higher level courses.”
So what I work on is how to teach students their skills better and how do I skill myself up. So right now, I took a Python class, mostly because my Python knowledge was outdated. I learned Python 2.7, which is the latest old version of Python that you might see.
If you’re using Kali Linux or something, you might have a script you’re trying to run, and you have to back off to Python 2.7. I was Python 2.1. That’s what I learned. And now, with Python 3.0, everything’s totally different. So the class is an opportunity for me to increase my skills. That’s what I work on, mostly.
That is interesting, and I’d like to explore that just a little bit. On our website, we’ve covered professional certifications for the cybersecurity industry quite extensively. I think we’ve written about everything that’s out there. And you’re not offering test prep, I assume, but you seem to advocate for these certifications. That’s something that you steer your students towards quite regularly, and you help them decide which ones they need, depending on where they want to work in the industry.
Our program is really set up for, like I said, people that are getting started. And we have three classes that map to those CompTIA certs. CompTIA A+, which is hardware fundamentals; CompTIA Network+, which is network fundamentals; and CompTIA Security+, which is security fundamentals. Any one of those is great for anybody. And I strongly encourage all of my students to try and at least get one of them.
And they ask me, “Which one should I get?” And I say, “Get the one that you feel most comfortable with. If you really felt strong in that security class, go for the Security+. If you really felt strong in the networking class, go for the Network+.” But one of those is a really great way to start in the industry because it demonstrates potential.
One of the things, and it’s hard as somebody trying to get a job and it’s hard from an employer’s end, how do I know this person knows anything? Because a lot of times, the guy who’s interviewing you doesn’t know. Right?
Steve Bowcut: Exactly, he doesn’t know.
Garrett Whelan: He doesn’t have the skills. So any certification signals to the employer that you have some technical skills. And those are applicable anywhere. You get more into the specialized ones like CompTIA has a Pentest+ certification.
They also have CySA+, which is their blue team, and red team, side of it. Then it becomes more debatable whether you’re definitely going to get a big boost for getting those because not everybody in the industry is looking for those particular things, but the entry-level ones, if you don’t have them and you’re trying to get started, it’s a no brainer.
Steve Bowcut: Got it.
Garrett Whelan: And I’ll also tell you, I have a brother-in-law who was out overseas. He wanted to come back to America and realized, “I have no skills.” He was a professional golfer, which is a job you can do in Asia, and you’re not making that much money, but you can live nice because things are inexpensive over there, but when you come back over here, oh man, things are expensive. So I just told him, “Hey, get the Security+,” and he also did a little Linux cert to demonstrate his Linux skills. He was back here for a month, and he had a job offer.
Steve Bowcut: Wow.
Garrett Whelan: And he is currently working. He’s actually working for the PGA. They liked the fact that he was a golfer.
Steve Bowcut: Oh, that’s very good.
Garrett Whelan: He had technical skills. So he’s working for them now. So a single cert and nothing else, none of the other foundational things, demonstrates to the employer that you can teach yourself and that you have some technical knowledge.
Yeah, interesting. And that brings to mind – here’s a whole cottage industry that has sprung up over the last decade – I guess sprung up is probably not the right term – that caters to cybersecurity training and education.
There are boot camps and accelerated courses, and sometimes they’re offered by universities. More often, they’re offered by private organizations and may be sponsored by a university, that kind of thing. Do you have any thoughts about those? They’re not as well-rounded as getting a computer science degree and specializing in cybersecurity, but what are your thoughts about that kind of thing?
Caveat emptor, buyer beware. And some of them are not bad programs. I like that some of them have situations where you don’t even have to pay them until you get a job. I think that can’t be a bad deal because they’re invested in you getting a better job. Right?
Steve Bowcut: Exactly.
Garrett Whelan: I’ve seen that more with the web development type ones because there’s such a clear pathway to that. I’m not going to name them, but a local university has a private entity running out of them that uses their name for advertising their program. And it’s six months. And the analogy I always use – do you remember that old movie, UHF?
Steve Bowcut: Okay. Yeah.
Garrett Whelan: Do you remember the guy is like, “Oh, you won the prize. You get to drink from the fire hose?” That’s what those programs are like. It’s drinking from the fire hose. I’ve looked at their content and their curriculum. It covers everything, but it’s like here, here, here, here, here.
How much of it sticks, right?
Yeah. And I understand there are certain people for whom that might be a really good fit. If somebody has lost a job and they’re like, “I need to get working in a short amount of time and I can dedicate my entirety to this. I don’t have kids I got to watch at home. I don’t have a job I got to work. I can just learn and I have to do it quickly,” those might be a really good fit.
Steve Bowcut: Got it.
Garrett Whelan: So I’m not like, “They’re never good.” Some of them are really good. Another one focused on increasing the number of women in cybersecurity, so they had scholarships for women. So instead of being a $40,000 program, those women were paying $10,000, and they were getting a lot of help getting employment. This one was out in New York. I don’t know if they ever spread that model further. So there are some of them that are good, but you really got to do your homework on them.
One thing about education is that it’s hard to know until you’re there. People can give you reviews of a restaurant, but you don’t know until you eat the food, you don’t know. But if you have a bad meal, that’s not a big deal. If you have a bad educational experience and you’ve signed on for many thousands of dollars in debt, and it’s not helping you, or if that learning style isn’t working for you, if they don’t have the support out the door to go help you find a job, it can make your life worse, which is the opposite of what we want to do in education.
Steve Bowcut: Exactly.
Garrett Whelan: So you really have to examine your options in your area and really look at yourself in your life and what fits into your life. If something that’s really intensive fits into your life, that might be the way to go. Most people, most of my students, have to work full-time jobs. A lot of them have kids. They can’t do that kind of thing. And also, we are very blessed to live in California, with a very affordable community college system and community colleges everywhere. Not every state has that.
Steve Bowcut: Exactly.
Garrett Whelan: So there might be places where that really is your best option. I’m going on a little bit of a tangent. I’ve seen a lot of students who think, “Oh, my life is very hectic. I’ll sign up for an online program.” And that’s not always a good pathway for people. The thing that they won’t tell you, it’s going to come out now since we have all this data from the pandemic; success rates drop a huge amount when students go online.
And it’s not that you’re a bad person; it’s just that you’re a human being, and we’re not wired to sit there and teach ourselves many, many hours a week.
A lot of the work my students do is outside the classroom, but just knowing, “Okay, I’ve got to show up tomorrow to Whelan’s class and he’s going to ask me. I better watch all the lecture videos or I better do my reading,” that helps you stay on track.
Steve Bowcut: Got it. All right.
Garrett Whelan: Everybody has to think about their options in their area and yourself as a learner. Really think about it.
Yeah. So that’s a perfect segue because I want to get into our primary topic here. Maybe I’m a student just coming out of high school, or I’m an early to mid-career professional. In that case, I’ve been working in IT for a few years, and I’ve decided I want to focus on cybersecurity, what kind of opportunities will I find at Long Beach City College?
We have a number of programs. We have certificate programs and associate degree programs. We have certificates of achievement, certificates of accomplishment. So we have a certificate of accomplishment and associate’s degree in computer networking and security.
And that is our program that is currently an NSA Center of Excellence, a two-year-approved program. That is the one that we submitted to the NSA a couple of years ago, and they looked at it and said, “Okay, you cover all of our criteria for a solid security program.” Even if you’re not looking at Long Beach City College, one thing to look for when you’re looking at universities and colleges is an NSA Center of Excellence.
Steve Bowcut: Okay, good.
Garrett Whelan: They’re not necessarily a bad school if they’re not, but it is a nice stamp of approval. At least you know the curriculum meets their standards. So those big ones, which, if you were doing that certificate, it’s about 30 units, it can vary a little bit depending upon your class choices, and then which, if you’re going full-time, you could get that done in a year, a year of a full-time student.
If you go for the associate’s degree, it’s about 30 more units of general education. When students ask me, “What should I do?” I tell them, “If you have a degree, do the certificate. Just get the skills, if you have a bachelor’s.” I get that a lot. I have a lot of students that are reskilling.
One of my early success stories, [a young lady] had gone to a local university and got a degree in fashion, and then found there were no jobs in fashion.
That’s what I was going to say. They learned that a degree in history doesn’t really pay the bills.
So she came back, did the certificate, and then she also took advantage of a lot of other opportunities, got a bunch of SANS certs through a scholarship for women in tech, and she did it. She really focused and took full advantage of it. And now, she’s a security engineer at some big bank, making twice as much money as I’m making, which is what we always want to see. That’s the goal.
And it is definitely possible, but having a degree checks off a lot of boxes. If you don’t have a degree, I recommend you get an associate’s degree. I just had one of my former students, who’s taking my programming class right now, he’s working as a systems analyst for the City of Long Beach. And he said, “Yeah, once I got that associate’s …” He had applied there for years and knew people there, but until he got the associate’s degree, they couldn’t check the box, “Has a degree,” so he couldn’t get hired in at that government level.
Steve Bowcut: Yeah, exactly.
Garrett Whelan: Having any degree checks that box.
Steve Bowcut: It’s a requirement, oftentimes.
Garrett Whelan: Yeah. And then we have a few certificates that are a bit more specialized, that are more for people who already work in the industry, have foundational skills, and might want to learn a little bit more in a particular area. We have a Linux/Unix administration certificate.
We have a cybersecurity certificate, which includes a little ethical hacking, a little forensics, and Windows administration. Those certificates have a smaller number of units, but they’re not for somebody getting into the industry. They’re more, “I’m in the industry, but I still want to skill up in certain areas.”
Okay. Excellent. So next, I wanted to ask about what your students are interested in, but I think, from what I’ve gathered so far, I think most of your students are interested in finding a better job. So I think we could start there and say, the students that you see coming through, are most of them headed for an analyst in a SOC, or are they interested in pen testing? Is there some commonality you see there, where the interest in the cybersecurity field, where they want to work?
I think they’re very open. One of the things about cybersecurity jobs is nobody has agreed upon the titles yet.
Steve Bowcut: Yeah, that’s true.
Garrett Whelan: A systems analyst might be doing pen testing, or they might be doing SOC work, which is the blue team defense, or they might be looking at standards and procedures and doing a gap analysis.
So you could be a systems analyst or a cybersecurity analyst, level one or two, and be doing a wide variety of things. And a lot of these jobs that I’ve seen, that my students are going into, it’s usually inside a type of SOC, but it’s a little bit of everything.
They’re doing some of the analyst stuff. They’re looking at their SIEMs and whatever and doing reports. They’re also doing gap analysis and looking at standards they have to meet because they have patient data or whatever.
They’re also doing a little bit of penetration testing. As you bring on new systems, you’re firing up Kali and doing a quick probe and then looking for vulnerabilities and those types of things. So they’re doing a little bit of everything. After their first jobs, that’s when you tend to go in a direction.
You figured out what you like and what you’re good at. You can kind of focus.
And a lot of its just opportunity, “Hey, these guys wanted to hire me to be a SOC analyst for Netflix. I’m going to go do that and learn how to do that.”
Steve Bowcut: Sure.
Garrett Whelan: And right now, because there’s such a gap, such a dearth of people, you can do that. You can move into totally new areas and retrain.
Okay. Well, that’s another great segue. You’re good at these segues. So I wanted to get into this concept of a skills gap. So it’s something that I’ve written about pretty extensively, something that comes up in the industry a lot. So I’d be really interested in getting your perception; from where you sit, do you see an enormous skills gap in cybersecurity? And if so, what kind of evidence is there that this shortage even exists, and is it having any impact on educational programs?
So when you say skills gap, the big skills gap is there are not enough people. It’s really a people gap.
Steve Bowcut: Yeah, that’s true.
Garrett Whelan: You don’t have enough people who know the things that you need them to know. And then, once you decide to hire people, you never have everybody who has everything that you want. I’ve been having this conversation with my students for years because, “Oh, I didn’t apply for that job. It says that they want two years experience,” and I go, “Rather than think of it as a job requirement, think of it more like a dating app.”
What do you put on your dating app? You put what you want, but you get what you get. If you’re five foot nothing, chubby and bald, and you’re asking for a supermodel who’s going to stay home and also be independently wealthy, you might have to make some compromises.
And so the employers, when they put out there, “This is the job I want to fill,” they’re doing it usually well-meaning, they’re looking at what they want or what this job will do, but the fact that you can’t find 20 people right off the bat who have that exact skillset isn’t necessarily a bad thing, particularly when you think about how quickly skills in cybersecurity change. What I teach today is very different from what I taught even five years ago.
Steve Bowcut: Sure.
Garrett Whelan: The joke has always been … And it’s funny because I hear my students complain about this now, and I remember complaining about it when I was graduating from college 20 years ago. When I was graduating from college, the job advertisements said, “Wanted, Java programmer with 10 years experience as a Java programmer.” Java had only been out for five years.
Steve Bowcut: It hadn’t been around. Exactly.
Garrett Whelan: And the same thing is happening today. They’re listing these brand new technologies and skill stacks, and they want ten years of experience, and they haven’t existed for ten years.
So there is definitely a skills gap in that you don’t have enough people to get in the industry, but once you have that kind of foundational skills and once you get started, and you’re like, “Oh, this is what it means to be a SOC analyst,” you can learn the particular skills, the particular products that this company uses, but companies when they list the job, they just put the particular software and, if they can’t find anybody who has that walking in the door, to them, it’s like, “Oh, there’s a huge gap.”
Steve Bowcut: Interesting.
Garrett Whelan: There’s got to be a little bit of give and bend on both sides of it.
I think I know how you’ll answer this, but let me ask the question, anyway. If you think of hiring in the cybersecurity industry as a pyramid, at the bottom, you’ve got maybe SOC analysts or people where you need lots of people to fill all the way up to the top. Is the industry clamoring, or have you seen evidence one way or the other, that the industry is clamoring for more just basic skills so they can get them into their organization, getting them working, or is it nation-state threat intelligence folks that they’re looking for at the top of the pyramid?
They’re looking for nation-state threat intelligence, but what they need is basic skills.
Steve Bowcut: Okay, got it.
Garrett Whelan: It is a bad process to tell everybody, “You should go all the way up to the top in nation-state threat intelligence,” because you don’t have a huge need for that many people. If you bring them in at the lower level, then they’ll move where they’re needed. “Oh, if we need those people, they’ll move up that way.” If we need more penetration testers working for third-party companies.
The big growth in the past two years has been, this is a terrible name, but this is the name I hear everybody use, cyber-assurance, which is cyber insurance. So that’s these companies that they come in, they say, “We’ll insure you in case of a cybersecurity attack. You pay us a couple hundred grand a year and, if you get hacked, we’ll pay for whatever the costs are, the ransomware.” And then they come in, and they do an analysis, and they bring you up to their standard.
That’s a big need right now. And as more companies sign up, that need’s going to grow. So if you train everybody for nation-state threat intelligence and then they’re asked to go, “Okay, check out the review password policies and device management for this small company that’s paying us a hundred grand,” you’re going to be like, “Well, why did I learn all that other stuff that doesn’t apply?”
Steve Bowcut: Right, exactly.
Garrett Whelan: So it’s better to come in more broad and specialize as you go through your career.
Got it. Okay. Very cool. Thank you so much. I appreciate that. All right. So we’re going to change our focus here just a little bit. I thought it would be interesting to our audience to hear from you some of your top picks if you were building a cybersecurity reading list. So that could be books, papers, lectures, websites, and maybe conferences that you recommend students go to. What kinds of recommendations do you make to your students?
Okay. So conferences, I think, whatever’s in your local area, check it out. And hackers tend to have small groups. We have a LinuxCon in Pasadena every year, and the same people do the SoCal Cybersecurity and Cloud Expo in … What is it? San Pedro [Santa Clara]. So we have a couple of local conferences that happen. And I highly recommend whatever’s local to your area, or you go on meetup.com, those little weekly meetups, those can be really useful to people getting in the industry.
I had a student who was a great student, but he had no confidence. He would sit in my office for hours, asking, “Am I learning this right? Am I doing?” and just no confidence. And he went to one of those local meetups, where it’s just somebody demonstrating, “Hey, here’s a way that I hack websites,” a fun little thing, and he ended up talking to the guy afterward, and the guy worked at Rapid7, and then he turned that into a job at Rapid7.
So those little meetups, those social connections, can be really, really useful. Then, of course, the big conferences, like DEFCON and Black Hat, are great if you can afford it, or you can get out there.
As for reading lists, I think that’s the old-school way of learning. What do I know? I read books. I have lots of books. I only have a few of them here. I’ve got the Rootkit Arsenal. I got a million books, but I tell you, I learned a lot more from doing things. If you want to learn about cybersecurity, I recommend you start doing things.
And there are amazing websites, like TryHackMe and Hack The Box. I actually think TryHackMe is much better for students because they walk you through the entry-level stuff. Hack Hack The Box is just like, “Good luck,” but Hack The Box actually has Hack The Box Academy, which has some really good free resources.
You’ve got to start building your skills, your Linux skills, your scripting skills, and your probing skills and understanding of web applications. And they’re each separate areas, and you don’t have to be an expert in all of them. You got to start building it up, and you do it by doing things, getting virtual machines running.
I always tell people Amazon has a free student-level account. There’s no reason for you not to have a website running up on Amazon just to say, “Hey, look, I built a website from scratch.” Even if it’s a dumb little website, if you’re not going for a web developer job, just, “Hey, I installed Linux and Apache and I set up PHP and, look, here’s my little website that I did all by myself,” and it’s free. So there’s no reason not to be learning these skills out there.
Got it. That makes good sense. I like that. And books are great. I’m like you. I’ve got a huge library, but once you get past the basics, a lot of this stuff expires too soon. Things change so quickly in the industry that the book that’s been on your shelf for a year may not be as applicable as maybe a website or some kind of conference.
Okay. So I want to finish up here with one last question. This is a fun question. I’ll ask you to pull out your crystal ball and knock the dust off of it and give us a look at the future. So what do you think the cybersecurity industry landscape will look like in five to ten years? And primarily, what I’m going for here is, what should students be doing today to prepare themselves for jobs in five or ten years? Is it AI? What is it? Where do they need to go?
So there’s certainly going to be a huge leap in AI. And the huge leap in AI is mostly due to the lack of people we have. We’re, I think, currently 700,000 people down. That is, if you look at all the open job openings that they cannot fill, there are 700,000 open job openings that we just cannot fill.
So AI is definitely going to be one way they fill the gap. So if you are more programming-focused, if you’re going to go on the computer science route, you’re going to get a four-year degree; AI is definitely something you need to delve into.
But if you look at more the IT side of things, the skill side of things, in the next five years, we’re going to need more of everything. The most important thing is not that you pick up any particular skill; it’s that you pick up some technical skills and that you’re interested because the real skill that you need for this industry is the ability to teach yourself because I can teach you entry-level skills, you can walk in my door knowing nothing and, when you walk out in a year, you will have the skills for an entry-level cybersecurity job, for sure. But after that, you’re on your own.
So when they ask you, “Oh, we’re moving to the cloud,” we actually do have some cloud classes. You might be able to pick up some stuff, but there are going to be particular issues with your organization moving to the cloud and the security that your organization needs that’s going to be different from anybody else. A lot of my students are now working for LAUSD because I don’t know when this will be broadcast, but as of today, about a month ago, LAUSD experienced a really massive hack.
Steve Bowcut: Yep, I remember.
Garrett Whelan: And it’s funny because one of the things I always tell students is it’s great to work for school districts, but it always takes a long time to get hired. Because of that hack, they gave emergency powers to the superintendent so he could hire cybersecurity people like that.
Steve Bowcut: Very good.
Garrett Whelan: And they’re finding that they’re getting in there, and they don’t need them to run advanced tests, internal pen testing, or things like that. Those things need to be done, too, but the big thing is you got to go and manually update all these teachers’ Mac laptops.
And some of them are M1 chips, some of them are Intel chips, some of them are old, and some of these teachers have installed crazy things on them. And we don’t have any classes on Macs. Nobody does anymore. Nobody’s taught Macs for 15 or 20 years because it’s so hard because they change stuff so much. So those guys have to go out and teach themselves.
So once you have the foundational skills and you understand how things work technically, then you can teach yourself the particulars of any system. And that’s really what you’re going to have to do for the rest of your career, is teach yourself how this new system works, how this new way of doing things works because we’re always shifting.
Yeah, but the basics don’t change. So for a student just getting into it, they don’t really have to worry about the fact that, “Oh, I’ve got to hit this moving target and predict where I need to be in five years.” No, go get the basics, and you’ll know. After you get the basics and you start working in the industry, you’ll see where the need is. And probably inside your own employer, they’re going to say, “I need more people that can do this.” And so there’s a progression inside your own employer or certainly in the industry.
You know what? I will say this, and this is something nobody teaches. What I see with students who are not successful and people who get into the industry and are not successful long-term, it’s never that they’re not smart enough. It’s usually that they lack confidence, and they talk themselves out of things. So the guy who gets the job running a database and he’s like, “Okay, I run this database, this old SQL database, and that’s all I do, is I run it,” and they don’t want to learn how to use NoSQL or Mongrel or any of the other ones.
The security guy who knows how to do penetration testing with Kali and he doesn’t want to pick up Parrot, or he doesn’t want to learn new ways of doing things because he doesn’t want to feel stupid. It’s very easy in this industry to feel stupid because you’re dealing with people who are experts in every minute technical thing. And every time I go to a conference, I hear somebody talk, I walk out of it feeling like an idiot.
“What did he just say?”
But you must understand that that’s just a feeling. It’s not the truth. It’s a feeling. And the people who are able to separate that, “It’s a feeling that I feel dumb, but that’s part of the process of learning,” those are the people who are successful.
The ones I see who don’t make it through a program or, even if they do make it through the program, they’ll be in the industry for a few years, and then they’ll move on to something else, it’s the ones who really can’t feel comfortable feeling stupid. I’ve been doing this for 22 years.
You mentioned penetration. I have a million certs. I’ve got Cisco certs. I’ve got a million certs. And every day, I feel stupid. Every day, there’s something I don’t know. And I’m like, “Why shouldn’t I know that?” And it’s because that’s just part of the process. So you have to get comfortable with that.
Steve Bowcut: I like that. That’s good advice. Get comfortable with feeling stupid, not being stupid, but feeling stupid. I like that. All right.
Thank you, Dr. Whelan. This has been a fascinating conversation. I think we’re out of time, but thank you for giving us some time out of your busy day. We appreciate it.
Thank you for spending some time with us. And a big thanks to our listeners for being with us. And please remember to subscribe and review if you find this podcast interesting, and join us next time for another episode of The Cybersecurity Guide Podcast.