Si: Welcome friends and enemies to the Forensic Focus Podcast. Today we are very fortunate to have with us, not one but two guests. By a very strange piece of coincidence, both of us, both Desi and I said, “oh, we’d like to do this thing on education, and I know somebody who has been through secondary education, tertiary education at a later date (not straight from school and has got some background), and they both work for CrowdStrike.” Very weird twist of fate!
So this is going to be a little more incident response based and forensics based for a change. I make Desi listen to a ton of very unfair forensic stuff, and so he gets his chance to have his revenge today. But today I will let them introduce themselves.
Gavin: Yeah, sure. So yeah, hi everybody. I’m Gavin Prue, currently working at CrowdStrike. As Si said there, I took a less linear path with getting into cybersecurity, long journey to it. But yeah, glad to be on the podcast and talking to you guys today and we’ll dive into a bit more about my experience a bit later on I suppose. So yeah.
Selim: Hi everyone. I’m Selim Kang. I have taken quite unconventional pathway to cyber as well, so yeah, I can talk more about that on the track and I’m still fairly new to the industry.
Desi: Cool. So yeah, thanks both for joining us. Si and I always have conversations about the different education pathways and the value that they have, particularly when you’re trying to break into the industry with how much education there is out there, the different courses there are to kind of entice students to do the course without really knowing…and you talk to a lot of people and they’re like, “I’m doing this course, but I don’t really know which cyber job I want to get out at the end of it.” So, we’re really happy to have you both to talk through what you think about your respective courses and we probably won’t call out institutions if you think it’s shit, but definitely just…
Si: Not allowed to talk about how shit his respective institution is.
Gavin: Well, Si actually worked at mine, so I have to watch what I say!
Desi: Oh, okay, I completely understand then if you had Si, he was trying to push you into digital forensics and you’re like, “no Si, I want to go incident response.” Understandable.
Si: I listen to you talking about it. I don’t want…no way am I doing that.
Gavin: Yeah, ironically, I then worked there for a year as well. So again, I put myself in the same boat. No, cool.
Desi: So, I think the first question that we want to ask both of you to answer is kind of just to explain a little bit about the type of education that you had, which country it was and how it was structured. So you can go as in-depth as you want to, how the degree or the diploma or the certificate, whatever you were doing was, and then how it’s structured within the country, if that makes sense. So I guess we’ll go Selim with you this time first.
Selim: So, I guess mine was the formal education related to cyber, was been search for in cybersecurity I did at TAFE. So TAFE is like vocational education institution where you go after you graduate from high school. So if you decide to become a trainee, like electrician or a plumber, you’ll got a place called TAFE in Australia. And they’ve got many different courses, but Cert IV, it’s like a one year full-time course where you can…it’s focused on certain areas and I chose cybersecurity, so it was supposed to be one year full-time, and I studied over part-time and long story short, I didn’t even actually get to finish the course because halfway through the course I got offered an internship and I was still trying to manage study and internship, and eventually I’ve been offered a position. So I couldn’t manage both, so I ended up just postponing it and then never went back. Yeah, that was my formal education into cyber!
Desi: That’s how good it was: you got a job after doing half of it.
Selim: Yeah, true. Yeah. It was very practical and some of the topics were really practical, which I liked. And many topics were intro to how you could find information and where you can get more resources from…and in a way, so that was really helpful and that’s what I liked about that course.
Desi: Nice. Yeah. And Gav, you want to talk through yours?
Gavin: Yeah, sure. Mine…looking back was quite a journey. So obviously in the UK we do things like what are called GCSEs, which you do at the end of your secondary school education. Then you might go on to do A levels, which then allows you to access a university to go and do such course, like your degrees and what have you. But for me, mine was not a linear kind of path, which most would take to university to study cyber, if you like.
So when I left school, I left school with no qualifications. However, at the time, I like to think I had a kind of half decent understanding in which to go into a job in cyber. However, naturally without the bits of paper, if you like, it proved to be a little bit more difficult. So, long story short, I ended up joining the military. I spent 10 years in the military, got to 27, and then decided I want to get out and do something else.
So one of the good things that the army does for you if you like, is they look after you really well while you’re in. So, they give you a house, they give you all the perks that you probably want and need, therefore you’re not needing anything else. But when you come to leave, effectively it’s like going back to day one because you leave effectively with what you joined with. And for me in this case it was…I had no qualifications.
So I did 10 years in the army and I might have got…I got my driving license I think, or something. But effectively you leave with no…oh, and I got a license to pull a trailer as well. So yeah, if anyone needs a guy to pull a trailer, then I’m your guy! So you effectively leave with no…or I left with no formal education. So at 27 went back to college. I studied maths and English GCSE at night, so I was doing night courses. At that time as well I was married with a child, so that was a quite unique experience as well.
Going back to college at 27 years old with 16, 17, 18 year olds doing your GCSEs again, so did that. Did what we call an Access to Higher Education course. It’s something that basically allows those that maybe don’t have the standard linear path of GCSEs, A levels, degree, it allows them access to go to university. So the Access to Higher Education courses, I think it’s the equivalent of about three A levels, I think. So, basically you do this course for a year, and effectively you get the same kind of ability to go to university if you like, as if you would’ve done your A levels.
So in a year I did my GCSE in math and English, and my Access to Higher Education then allowed me to go on to university and study cybersecurity, which again is a whole other experience within itself. So, as I said earlier, Si also worked at the institution that I chose, but it was quite unique because the course that I did, the undergrad, was a brand new course for that institution. So it was the first year, effectively, that the course ran. So I think some people used to call us the pioneers. We, kind of, looked more like the guinea pigs. I think that might even have been Si’s words at the time as well!
Si: I think we called you the guinea pigs. Yeah, some of the marketing people might have called you pioneers, but…!
Gavin: Yeah. But the flip side to that though it being a new course for that institution was that the course size was quite small as well in comparison to, I know once I graduated and worked there for a year, the course size is kind of ballooned as you’d expect because at the end of the day, university institutions are kind of there to turn over money. So more students means more money, thus we want more people in. So yeah, long story short (well, not quite so short), but yeah, that’s how I kind of got to do cybersecurity, if you like, from a nonlinear kind of path. So yeah…
Desi: That’s probably a good question to ask you Selim as well is what were you doing prior to your TAFE certificate and what made you choose the path into picking that as a career and starting that education pathway?
Selim: Yeah, so before I started cyber, I actually had a couple of other degrees. My first degree was back in South Korea, which I am originally from. So I studied Bachelor of Arts in philosophy, but soon I found that you couldn’t really get a job with a degree in philosophy, especially as a migrant to Australia! And I had to study English as well around the same time and ended up studying another degree, doing master of teaching in early childhood, which led me to become a early childhood teacher. So teaching in junior primary and preschools, or they call it kindergarten.
So I was a kinder teacher for about seven years, and during that time what I found that was a lot of teachers, kinder teachers in general (could be school teachers too), they found anything to do with IT really scary! It was so foreign for them. And whereas I enjoyed working with IT and fixing things, anything to do with the computers and I didn’t mind it at all.
The problem was many kindies didn’t have onsite IT person…and it was state run kindies (kindergartens), so if they had any problem with their wifi or any IT problems, they would send a person from the department and sometimes it would take a couple of weeks or three weeks, and even trying to talk to them about what the problem was, they would find it really challenging. And I naturally became the person where when kindie has a problem, they would just reach out to me like, “oh, can you come and just have a look at what’s wrong with our website?
Can you come and what’s wrong with our wifi connections?” So I started doing that and then I realized that I actually really enjoyed doing this and troubleshooting stuff for people. And talking to IT people at the department, I realized, yeah, there’s all these troubleshooting steps and I really like it. So I had been a teacher for about seven years and I decided to study something in IT.
It was also around the COVID time as well. I needed a change and like Gavin said too, I also had a young child at the time and it was really interesting time trying to study with a young child and also having a job as a teacher since there was a lot to juggle, but lots of early mornings and late nights I did pull through and yeah, that’s how I transitioned eventually.
Desi: Yeah, I think I remember we were out at some cyber event in Adelaide and we’re sitting there listening and you were getting all these texts from teachers being like, “I don’t know how to connect to the wifi”, or the printer wasn’t working or something, and you were trying to provide tech support. And they’re like, “I don’t understand”. And it was just a funny situation of you weren’t even IT support and they’re messaging you on a Friday or something for it. Yeah, it was pretty funny.
Si: Were you doing anything tech related before you left service, Gav or was it…?
Gavin: No, so my military career, so just to put it into context, I was what they call a paratrooper. So my job was, in a brief sense, was jumping out of planes and shooting things. That’s kind of what it was in a nutshell. But similar to what we were saying there, I always found myself being shoehorned into the role of, “oh, something isn’t working, can you fix it?”
So naturally over time you kind of pick up stuff, but as I said earlier on, I already had a keen interest prior to joining the military. It’s just not having the right bits of paper to pursue it, which I know there’s a lot of talk around, I suppose, do you need a degree to do cyber, if you like? So yeah, I’m sure everyone’s got an opinion on whether you do or whether you don’t.
But I think it definitely, for me anyway, helped with a commitment to actually go in and doing it, because it is quite a big commitment leaving the military, right? And saying, right, “I’m going to give up this house that I’m living in with my kids and my wife and basically start again”. So if you go down the route maybe that I did, you really are committing to, “right, I’m going to do this, I’m going to make it work”. And yeah, don’t get me wrong, you need a bit of resilience on the way. But yeah, so in short: no!
Desi: It sounds like you both…sorry, go ahead.
Selim: I think…I can definitely say that when people say you definitely need a degree in cyber to get a job in cyber, or there’s huge debate about it. I think what really deterred me from jumping onto another degree to get a job in cyber or in IT in general is that my experience with uni by then, having a degree in bachelor art and master’s degree in teaching, it was not that positive.
I found both degree didn’t really teach me what I needed to actually work in a workspace, even as a teacher. And there was a lot of theory, there was a lot of discussions and et cetera, but there wasn’t much exposure to the actual practical side of it. Luckily, I think in cyber there were so many free learning platforms that I could access and whilst studying, like search for, and there would been the shortest degree, shortest course that I could have chosen and in then that’s the reason that I went with TAFE rather than going to university. And it’s also costs much less.
Desi: Yeah.
Gavin: Yeah.
Desi: So I know…you go, Si.
Si: University education is exorbitantly expensive. And it’s funny because in the UK it’s almost an expectation of teenagers now that they will get to go to university, but the costs are astronomical. It used to be free if you could get in. It used to be harder (not harder to get into; it’s still hard to get into), but it used to be less seen as a career thing, but it used to be free and now it’s seen as desirable and now it’s expensive. So it’s hardly a fair playing field.
Gavin: I think it’s…sorry, I was going to say a tag onto that as well. It’s a bit of a…it really depends on where you go as well, because effectively the degree course as a whole is pretty much, from my opinion, defined by the people that teach on it. So therefore it’s a real mixed bag of who you might get. So I think finding a university that suits you and your needs in terms of what it is you want to learn and get out of it is a massive thing.
But I think they’re massively dependent on the skillset of maybe the staff. But yeah, in my opinion, where you choose it’s more emphasis on who’s teaching the material…and again, maybe I’m wrong to share this opinion, but again, university is strange as well in the sense that it’s an academic institution. So you’ve got people there who may be (and no disrespect to them), will have been in academia for 20 years, say, and their knowledge is maybe based off textbook, for example.
At the end of the day, things like networking, they don’t really change, they stay as they are, so you teach them. However, if you want to teach things that are maybe closely related to what we do, unless you’re kind of doing it day in, day out, it’s very difficult. And that’s one of the things I liked about our institution where Si worked was that we had the standard lecture/lecturer, but we also had external people who were doing the job coming in to kind of give that knowledge i.e. that kind of, “this is what’s happening right now” kind of thing. And that really helps. I think there is a lot of emphasis on how the course is delivered and who’s delivering it in terms of a university course.
Si: What Selim was saying was that hers was very hands-on, your training was very hands-on. And I think to me, it seems to make a world of difference to students. Is that something that you would agree with?
Gavin: Yeah, a hundred percent. Again, purely based from me saying “yes, I would agree with that”. Again, everybody learns differently. Everybody’s different in how they approach stuff. For example, I don’t like reading papers, so I could never be a decent academic anyway! But again, for me, practical, I use the quote (and I’m sure Si’s heard me say it) is “I’m a very much a monkey see, monkey do kind of person”. You place the monkey, you tell him what to do and he replicates it. I’m very much of that kind of…the way I learn, but again, everyone learns differently, but for me particularly hands-on was always the key thing.
Desi: So it sounds like there was…both of your pathways through your education had the practical hands-on with you, which you both enjoyed and liked. So I’d be interested to get your opinion on the level of practicality that both of those had and how you think it prepared you for your first job in cybersecurity.
Selim: Yeah. So I had a couple of topics that I thought that was really practical and quite useful. For example, one of the topics that I did during my course was programming. And then so we got to learn just one, which was Python, and throughout the topic we had to create password validator. So basically you program this software, so when you type in, it will ask you to type in a password and then you type something in and it’ll say “well, it’s got two less characters” or “it doesn’t have special characters” or “it doesn’t have numbers”, et cetera, et cetera.
So I thought that was really useful skill to have. So that was one of them. And then when I did pentesting topic, they incorporated Wasp, is that right? W-A-S-P. Yeah, website. And again, that’s something that I could just keep going afterwards when the topic was finished. So that one was quite useful too. And I’m sure there were a lot more, if I can remember on the top of my head. And I also tried to choose mostly topics that I was interested in and left all the theory based ones as late as possible, which I didn’t even get to do. So it worked out really well for me!
Si: Knowing who taught Gav programming, I’d be surprised if he says anything complimentary to say about it at all!
Gavin: It was definitely fun. But no, I think for me, there was a thing that stuck with me in terms of my kind of degree or course at university was that we had, one of the lecturers (Si will know who he is and maybe who I’m talking about) is that it was kind of geared towards becoming, in his words, “a deep general specialist”. I.e. it gave a really broad sense of everything within cyber.
So there was no, kind of, predefined…there were avenues to go down and rabbit holes to go down in terms of course content and stuff like that. However, it was a general, kind of, overarching, we have a look at this, we have a look at that. For example, like programming, it was kind of…they weren’t there to teach you how to be a software dev.
The underlying principle was to get you to a point where you could look at some code and understand it. You might not be able to program some super funky programs, however, you could pull up a piece of code, be able to read it, understand what’s going on, and that was enough in which to then build upon, if you like, towards some kind of more complex ideas.
I mean, in terms of the stuff that helped me in the role that I do now, again, like most university courses you go and choose final dissertation or a final piece of work is your kind of pierre de resistance, your culmination of “here, look what I can do”. So for me, that was quite good because mine was kind of more geared towards the blue team stuff.
So I did a automating attack techniques to MITRE ATT&CK framework. So effectively set up a honey pot, got some attacks coming in and mapped it to the framework. And that was really interesting because when you work on a final dissertation, you get to kind of go round all your lecturers and stuff and basically get different angles and different views on what you can do.
So, in terms of what helped me, it was probably getting the different viewpoints of people with probably a bit more knowledge than myself. But like I said, the general core concepts of what you’d expect from a cyber degree were in my degree. For example, understanding operating systems, we did programming.
So yeah, it was quite a broad spectrum, but I think that really helps then because then you can start to, like I say go down the avenues, go down the rabbit holes in…because I remember speaking to everybody on my course when it got to year three, which is your final year at uni, and I guarantee you go around 90% of them and say, “so what do you want to do?” And nobody had a clue. They had no idea what they wanted to do! So the course enabled them effectively then to when they got closer to the end, obviously is kind of going to different things if you like. Yeah.
Si: One of the things that I noticed a lot about you guys when you were there was that you were very, very good at extracurricular stuff, aside from the drinking, which you were also exceptionally good at, some of you more than others! But there was a fantastic…I mean you were doing really, really well in the CTF competitions.
Gavin: Yeah, so I think again, the institution where we were at there were number one in the world on Hack The Box for I think it was a good couple of years. I mean, we regularly entered teams into the kind of Hack The Box championships, if you like. The university kind of competition. I think they came second one year and I can’t remember what they did there, but they did really well.
They always kind of got to the final stages. But that was born out of, again, like you say, the extracurricular stuff. Going back to the previous points is that you go to a lecturate university, but if you are expecting to know, i.e. walk away from that lecture and know everything you need in order to get a job or, kind of, pass an exam, then you’re in for a big shock because effectively, as much as you want to think “I’m paying X amount of money for this course”, it’s not always the case that you’ll be spoon fed everything you need to know.
So as you said, one of the things we were good at doing is after the lectures and stuff is getting together as a group, because we were quite a small group as well. I think there was only about 20 of us in our degree, which by modern standards I think it’s quite enviable in order to have just a group of 20 of you on such a degree. But yeah, so there was things like…we’d organize, we’d at least do CTF and, like, beginner CTF, so stuff like picoCTF and stuff like that.
And we’d go down to Costco and we’d order these massive pizzas that were absolutely huge, get a couple of them in and basically sit there till late at night doing the CTFs and working together. And I admit, I tended to learn far more from my peers i.e. by asking them questions than I did in any other kind of aspect is that…if I didn’t know something, I’d ask someone to the right or the left of me, and chances are they had an inkling…and it was always vice versa.
So yeah, never be scared to ask questions of your peers, because I know it can be quite intimidating, right? Effectively you are, kind of, admitting, “oh, I don’t quite know”, but that’s fine. I think that’s the mindset you have to be in is that once you can admit to yourself and say, “oh, I don’t know this, I’m going to ask him or her”, you’ll start to realize the amount of doors that open in terms of…or your knowledge, the amount you gain from that is huge. So yeah, extracurricular stuff, I was all for it. It was great. It was really good.
Si: Did you find the same, Selim? Did you have an extracurricular aspect to your education or…I mean, you said in the beginning that there was lots of things that taught you about how to learn more. Was that sort of an aspect of it?
Selim: Yeah, I agree. I did think that actually I learned a lot more from doing the extracurricular stuff like CTFs and going to conferences and playing CTFs there as well! Because that’s the space where I got to really solidify what I have learned from TAFE and also find what are the areas that I like to learn more of and I like to get into.
And TAFE would expose me to so many different areas of cyber security, but I started really enjoying doing Hack The Box, and within Hack The Box they had a few different types of challenges and there were digital forensics ones and there were…what are those ones that you look at an image file and then you can hide?
Desi: Stenography.
Selim: Yeah, stenography. And there were also different types of challenges and I really like that as well. Yeah, but TAFE was a place where it showed me all different areas and then I would go Hack The Box or TryHackMe. I even did a CTF once with OSINT…what was that? This OSINT organization.
Desi: Was that Trace Labs?
Selim: Could have been Trace Labs, yeah.
Desi: Like the missing persons one. Is that that one?
Selim: I think it was that. Something similar, yeah. Yeah. And doing that was real interesting as well. But I wasn’t as lucky as Gavin. A lot of times I find myself doing it on my own and…TAFE, it was all online based, so I studied on my own and we did have a bit of team project, but we never actually got to meet each other. And I think the only actual face-to-face CTF that I did was through this company CCX.
They did this annual CTF. And within Adelaide we met up a team and we went to a place and we played it together. And I found that one…that was really helpful actually because like Gavin said, I could just ask…talk to a person next to me, “what do you think?” And “what’s going on here?” “How should I go about this?” And it was so much easier that way rather than having to Google everything on my own. I mean, I learned a lot that way as well, but it was so much quicker just being able to ask peer next to me.
Desi: I think that was an AWS incident response CTF. I think we went…I remember you telling me about that. And then I had a case come up at work where I had to do an AWS incident response and it was one of those moments where I’d never done it before and I was like, “oh, Selim’s just at a CTF”.
So I remember messaging you and I was just like, “what can you tell me that I need to look for based on your CTF thing?” And it helped kick off the research of what I need to look for because in all cloud things they’ve decided to name things differently amongst themselves and completely different from normal endpoint. So yeah, it was one of those uphill battles to learn AWS incident response.
Si: Now I’m going to take the opportunity to step in here and big you up. You gave a talk on creating CTFs only two days ago!
Desi: I did.
Si: Was at AdelaideSEC, is that right?
Desi: Yep. I just recorded it to be published next week actually. So it can be online and people can see it.
Gavin: I was going to say, is this the bit where you go “link below”…
Si: Yeah. So you can find this link…
Desi: Cross-promotion between the two channels we’ve got! Yeah, we’re actually running a beginner CTF this weekend from that talk. So a few people…I did a workshop as well, but a few people are helping put some questions together and it’s very basic like picoCTF level. Yeah. That’s the idea is to try and get more and more people involved or at least interested.
Gavin: Yeah, I think it can be quite daunting, can’t it? I mean we’re talking three years ago now, maybe a bit longer than that actually, when I first went to uni and things like Hack The Box and stuff were still around, but I remember Hack The Box actually because you may or may not remember is that in order to get onto Hack The Box, you actually had to…
Desi: Yeah, the invite code.
Gavin: Do the invite code. So it wasn’t actually, and again, loads of people just didn’t do it, because they didn’t know how to, therefore obviously they’ve got a lot better now and there’s a lot more material on Hack The Box that are beginner friendly and stuff. But yeah, it can be quite daunting I think as well. We’ve definitely, as an industry, I think we’ve got a lot better at the not gatekeeping things, which is one of my pet hates.
We’ve definitely got a lot better as an industry I think at doing that. But also as well, I think in the earlier times, again two, three years ago, a lot of the stuff was always aimed at Red Team, pentested stuff, the kind of sexy Hollywood, what people perceive it to be, I suppose. But we’ve also got a lot better at kind of moving away from that. I don’t know if you’ve seen Blue Team Labs, it’s kind of a Blue Team version of Hack The Box, if you will. It’s more aimed at IR and digital forensics and stuff. It’s a great resource.
Desi: Yeah. Another little plug there is I actually make content for Security Blue Team.
Gavin: Yeah, I did see you on the leaderboard actually. Just as a…
Desi: Yeah, I am going to have to take myself off because it’s a bit of conflict of interest if I’m still on the leaderboard, but working for them…
Si: Are you working your way up the leaderboard by answering your own questions? That’s the honest about it. You can stay, but otherwise it’s a bit much!
Desi: If I make enough labs, no one can beat me.
Gavin: Funny, again, actually there was a student from our institute who, I think he made quite a lot of content for it as well. He was quite high up the leaderboard. But yeah, no, it’s a good platform. Again, it’s something that I wish would’ve been a year or two earlier when I was doing stuff as well. So yeah.
Si: So as you’ve opened that little chink for me to progress the conversation, what do you wish was included in your education that wasn’t? (And he says writing it down to make notes for the next students he has.) But what do you wish you had had, both of you, that now, you’re in the real world and you are actually facing these problems on a day-to-day basis, what is it that you wish you had had that you didn’t get?
Gavin: It’s quite difficult because I think if you’re quite proactive about it, what you feel you lack, you kind of go and search for. But in terms of what I wish I had from the degree, I think it’s, again, it comes back to this choosing the right institution and again things like career support maybe. Again, I kind of toot my own horn and think, say “I was quite all right” because I did the whole networking piece.
So I would go to conferences and go to things like InfoSec Europe, which are great by the way, because when you’re a student, the amount of free stuff you get is amazing. You get free tickets to here, there and everywhere.
So I would always go to these conferences and just speak to people and be really, kind of, forthcoming if you like, in terms of “what do you do?”, “have you got any jobs?”, “have got any positions for interns?” Just again because I’m of the belief that if you don’t ask, you don’t get.
So I think for me it’s career support, but it’s quite difficult for universities to deliver on that because I don’t know about other universities, but normally what happens is you have one, like a career rep or something for…maybe one or two career reps for the whole university, but the university delivers, I don’t know, a thousand courses, something ridiculous.
They can’t facilitate the niches of certain industries. So like cyber, you say cybersecurity, how many job descriptions are there out there? And so, career support is definitely a thing, but again, I feel like you kind of have to do a lot of that yourself. Again, coming back to that…you’re going to university expecting to pass and expecting to just roll out the other side with a job, I think you’d be quite surprised. But yeah, career support is something that I wish would’ve been better.
I know my institution did get better. So like I said, going to the conferences and events, it was always off my own back or we’d go together as a small group. It was always self arranged as in where we thought maybe the institution is (again, it comes back to money I suppose) is that they could perhaps organize it and it’s kudos to them as well, because they get the pleasure of saying, “oh, we took X amount students to Black Hat this year or…” for the sake of a coach.
So stuff like that I think could have been better. Yeah, that’s a very kind of specific thing, if you like. But in terms of content, it’s very difficult. Like you said earlier, it’s difficult to put your thumb on. I think if you go for a course that’s, kind of, more tailored towards a specific area of cyber, you can kind of be a bit more picky I suppose.
But because the nature of the course that I did was quite a general broad perspective, you could say, “well, we didn’t do enough of this, we didn’t do enough of that, or we could have done this”. I don’t think that’s quite how it was aimed and built. So yeah, it’s quite difficult. Until you actually get into the industry and you figure out what it is you want to do. In hindsight, you look back and you go, “ah, I wish I’d had learned that or I wish I’d had done this”. But until you’re probably in the position of doing stuff. Yeah, I wish they gave us hindsight!
Si: Oh that useful one. Yeah. Selim, what about you? What do you think could have been…not that you finished it, so I mean you missed out on all that…
Selim: Exactly! I don’t know, as a drop out, I don’t know if I can actually answer that question correctly because did didn’t actually quite do it all the way!
Desi: You could just could say you wish that it was half the length so then it could have just been…
Selim: I could have, right? Yes. Well, I do agree with what Gavin said. You can’t expect going to university thinking that at the end of the course it’s going to come out with a job. Especially working in cyber too, I realized that it’s an industry where if you’re not proactive and if you’re not constantly learning and if you haven’t got that tendency, you will just be behind.
And I think going through a TAFE or university or any institution will be similar if you don’t have some sort of motivation to get through and know what you want, and you just want to be spoon fed, you’re not going to be successful in this industry.
So what’s the point? You might as well just drop out! Not like me. Yeah. Can’t really say much about what I wish could see, because…I mean part of me thought it would been really good if I could see so many different areas of cyber before I joined cyber security course. But then there could have been so overwhelming too, because now I realize that there’s so many different fields in cyber, there’s red, blue, purple and pretty much all the spectrums in rainbow and that would’ve been really overwhelming for me to know that.
And then that would’ve even confused me even more. So you know what? It was good that I just picked and chose the topics that I wanted to do at the time and something that I thought, “oh yeah, that sounds interesting, I’m just going to do that and see if that’s the thing that I would like to continue”. So, having the choice was good, but then I knew if I had to continue study, I would’ve had to do some of the courses that I wouldn’t have enjoyed so much.
But then I know because I didn’t actually do it! So university, I think any institutions, it’s a bit like that. You can’t just customize your degree or your course, there are always compulsory topics you have to do whether you like it or not. But then why is that the case? Who makes the decisions and why is that so essential that we learn those things when we feel like it’s not really necessary?
Si: Actually I think technically that’s my fault, but…! Having drawn up courses that go, “oh, you must do this as a prerequisite”. Yeah, I think that’s actually my fault.
Desi: We need to change the title of this episode to “the reason the education system’s broken is because of Si”!
Si: It’s not too late! I mean before it goes out I think it can be done. I think the trouble is that actually in all seriousness…and Gav literally had no choice in what he did. There was a course designed from year one to year three and he was told what subjects he would be doing whether he liked it or not. And it was very interesting actually from a teaching perspective because there are clearly so many characters. I mean, even with the 20 in Gav’s year when we finished in our final year, we were doing 80 students. But there are those that want to do risk. There are those that want to do risk and compliance and policy and would be very, very happy sitting with a word processor for the entirety of their course. And there are others…
Desi: Weirdos.
Gavin: I wasn’t going to say anything but…
Si: It’s been done now. And then there are the others who were brilliant and they were…not to say that the policy…carefully backed up, but really, really talented programmers, really in depth, low level compromises they were finding and exploiting in operating systems and again, they were then having to go and sit the risk courses and they didn’t get them and they didn’t understand and they didn’t want to be there.
What was universally true is that none of them ever read what the coursework actually asked them to do and then just did the thing that they wanted to do anyway and then was surprised when they got the slightly less than decent mark. I’ll compliment Gav on this. Gav is actually truly a generalist.
He has done very well across all of the modules because he did…I think coming into it more mature than a lot of his peers, he did actually take the time to read some of the things he was being asked to do. To this day, I remember…so we did the forensics piece and we gave him a disc image and he had to do it and he had to write a report and then we did a viva. So we actually cross-examined as if they were in court.
Gavin: And I remember this!
Si: I told the story during the lectures of the fact that I’d been caught out. I turned up to court without a jacket and I got told off by the judge. Gav was the only person that turned up for his viva wearing a full suit and tie. Everybody else just came along as a student, but Gav actually really just…so that we couldn’t mark him down for not being dressed properly. That level of attention to detail got him a long way. Yeah, good stuff. But yeah, it’s difficult to…because otherwise you end up running 50 courses to allow everybody to do it and I actually pushed a lot for there to be a bit more choice at the institution we’re talking about, and I hope that in future that will be listened to in other ones.
Gavin: Yeah, I think without getting into the technical details of it, in terms of how university courses are set and what modules are what, I mean it’s probably different in most of other countries if you like. But in terms of cyber, one of the things is the NCSE accreditation, which basically a course will be put together and the National Cybersecurity Center of the UK, kind of, stamped its approval, but it’s also…in that regard, it’s great that you get this kind of approval from this organization within government or the public sector if you like, wherever. It’s great.
However, it also hamstrings courses as well because they then become inflexible. So when they stamp…rubber stamp a course in terms of cyber within the UK and they say, “yes, this is great, this has got all the things we think students should learn in order to go into industry effectively”, it then stops the institutions from changing i.e. evolving and updating as the landscape, kind of, changes. So then what you end up with is a course that’s kind of rubber stamped, approved and sealed by UK government.
However you then end up with a course that’s about three years, kind of, out of date in terms of…in order to get it reapproved exactly that, if you want to update, you’ve got to get it reapproved. And of course when it comes to marketing the course, it’s a big thing for universities I think to say, “hey look, our cyber degree is NCSE approved. Look, it must be good, it’s been rubber stamped”. However, actually it just means that the course may have not changed for two or three years. So yeah, a bit of an insight in there I suppose. But yeah.
Desi: I think that’s common in Australia as well. And probably true for most universities, it’s a lot of effort to develop courses, so you can’t be…without being in an agile environment where you’re just making profit on making courses, it’s very hard to change rapidly.
So what I wanted to ask both of you now is I want you to put yourself in the shoes where you have someone approach you that has potentially a similar background to where you both came from, but it’s today. What kind of recommendations would you give them? Would you say, “hey, you should go do the path that I did”, or would you give them a different path? Whether that’s kind of just the courses that are out there. I know we mentioned at the start that you don’t necessarily need a degree. I don’t know whether that’s in the UK necessarily, but definitely in Australia you don’t necessarily need a degree to get into the industry at all. Yeah, just keen to hear your thoughts of what kind of advice you would give to someone like you today.
Gavin: Yeah, I’ll have a swing at it first. As I mentioned earlier, I think one of the things that really enabled me was, as I said, the networking piece, because I think…I speak…it’s kind of true for most industries is that when people go for…so basically if your end goal is to progress through cyber and then hopefully at the other end get a job, I’d say 8, 9 times out of 10 when you go for a job (or at least in my case), I always kind of knew somebody in the organization before and it was always because of going to events and networking and meeting people and speaking to people and just basically submerging yourself in the, kind of, let’s say the culture of it, if you like.
So I think networking’s a massive piece and I’m always a, kind of, a big advocate for it. And I get that networking involves speaking to other humans and as an industry and conversely, actually it’s not something I truly enjoy. (Obviously I’m enjoying it today.) But it’s not something that everybody’s comfortable with doing. But if you’re able to do that and put yourself out there, go to events, speak to people, like I said, the amount of opportunities that doors that are just left open, just a tad and you can kind of hopefully push through and push the door open and take advantage of them.
I mean, for example, when I was, prior to just joining university and I’d just about to leave the military, there was a local digital forensics company only about, I think it was about 5 miles, 4 miles away from where I lived. And actually I obviously went and had a look online and looked at it and seen what they did and who they were. And it turns out the guy that owned it or the chief exec or whatever was actually ex-military. So just on a whim I just fired over an email saying, “look, I’m leaving the military, I’m really kind of hoping to get some experience.
I’ll come and sweep the floors and make the tea. I’ll do whatever you want. I just want to be in and around people doing potentially something that I want to get into”. Thinking nothing of it. And got an email back saying, “yeah, sure, we’ll put you through the vetting. You can come and sit with some…” I mean, some of the work they did there was really cool, and obviously you can’t do everything like a volunteer or whatever, but that was purely off the back of 1) just kind of being cheeky and just ask for stuff. I know me and Si, we’ve mentored a few of the students and I think it’s fair to say that’s what we advocate to them is that: don’t ask, don’t get. Don’t be scared to ask basically.
You’ll always get a no for all the questions that you don’t ask. So yeah, networking, don’t be afraid to ask questions. And also having a bit of resilience along the way as well. Because like I say, there will be things you look at and you go…I mean there’s stuff that, again, I think it’s true for everybody in this call. I think anybody would be lying if they said every day if they don’t look at something and go, “I don’t have a clue what that is!”
So being honest with yourself as well, in terms of having a bit of resilience to go, “right, I don’t understand this, I’m going to make it my, kind of, objective to try and get better at this”. So yeah: networking, being honest with yourself, being cheeky. And I’d say that kind of breeds a good attitude and that’s effectively what underpins everything. If you’ve got the right attitude and you want to get where you want to be, then you are already, kind of, halfway there.
Again, there’s people that have, I know personally that have…again, Si might attest to this, you’ll get people that go to do degrees at university, but are they there because they want to be or are they there because are attracted by the potential of: I can earn lots of money, get a cool job? Or are they there because I actually want to be engaged and learn the subject matter. So, I think having a good attitude underpins everything in terms of your success within the industry. You can get quite a long way with a good attitude. You might not know everything. You might not understand everything, but if you’ve got the right attitude, I think, yeah, that’s kind of a big sell for me anyway, so. Sorry I rambled on a bit there, but…
Si: No, that’s fine. It’s fine. We’ll cut you later. It’s not a problem.
Gavin: Yeah, yeah, sure!
Selim: I think Gavin pretty much said everything that I would’ve said. I cannot emphasize enough how important it is to go out and networking with people in the industry. Eventually what led me to my job as well, my first job in cyber, and I think it was actually two years ago at like SEC that had this one day filled with events and everything, and I was working as a teacher at that time and I just said, “I’m just going to take the day off because I just want to go and meet people in the industry”.
And they said, “yeah, that’s fine, go.” Took the day off. And it was at one of those events during training, I was sitting next to this man and then we start chatting and then he asked me a few questions about what I was doing and I said “I’m studying cybersecurity and also working as a teacher.” And then he said, “well, I think my company might be interested giving you internship positions”. Like, “oh, okay!” Just like that was, I did not expect that to happen that day.
And I messaged the managing director of the company next day and then it just happened so quickly that within a couple of weeks I was offered an internship position. And also never be afraid to ask what you need and what you want. Because at the time there was no way I could have done full-time internship. I was already studying, I was already working as a part-time teacher and I had a little child at home and there were so many things I had to juggle and they would’ve offered me a full-time position without knowing if I didn’t say, “hey, I can only do one day a week, that’s all I can spare.
And I can manage that for now, but perhaps maybe next year I could be more”. But within a month of doing that for a day, like weekly, they happened to have a position available. And again, they catered it for me that as soon as I finished my teaching contract, I could start and just three days a week and that’s what I needed and is what I could at the time.
And so, just like the transition sounds really smooth, but then it was also the initiative that I decide that I’m going to go and meet these people even though I don’t know anyone, and just try to have that confidence somehow, whether I had it inside me or not, I just had to bring it up out of…and another thing would be that be prepared to put some hard work in, especially if you’re coming from non-cyber background because there’s a lot to learn.
And I remember those mornings, so I’ll wake up four o’clock in the morning because I had to catch up with all these TAFE lectures before I start my workday. And that was only time, like a couple of hours before my son wakes up and before I start prepping him for his childcare and prepping myself for work. And those two hours I had to do it for maybe several months. Really tough, but then it was worth in the end. And so I think everyone will come from different situations and circumstances and whatever situation they’re in, you will find the time and you’ll have to find the time if you really want to get into it, I guess. Yeah.
Si: So after all of this massive effort to get to where you are, both of you, and you are now successful, employed incident response analysts, what do you actually do to unwind from this? I don’t generally do incident response. I’m doing one at the moment. It’s stressing the hell out of me. So I’d much rather that criminal cases, way easier. So what do you guys do to unwind to calm down at the end of the day? And is it blow away things in Minecraft (he says, looking behind Gavin’s head), or is it…so Selim, what about you?
Selim: I think the straight answer that I’m going to give you probably have to edit, so I won’t say that! I start drinking a lot!
Si: You have an opportunity at the end of this when we send it to you to have that removed by choice if you like. But we are not in the position to criticize…could a single one of us for that coping strategy.
Selim: I wish I could put it more elegantly, but no. That’s one way that I unwind. Now, I exercise a lot, so I do…I used to run a lot, especially since I joined CrowdStrike, I noticed that need. I had to be more physical because my work became quite sedentary that I’m just sitting in front of a computer all day and my body just…I don’t think anyone’s body can really do that much of sitting down in front of a computer and they shouldn’t. And yeah, I’ll go for walks. I used to go for a run a lot, but I’ve injured my ankle recently, so that hasn’t happened. But I also do pole dancing, which I have done for the last several years, so that was even before joining cybersecurity. Yeah, exercise definitely helps me unwind. And hanging out with my kid.
Si: Yeah…
Selim: I mean because work in very different way!
Si: As parents, both…and I am as well. And Desi has dogs, which is nearly the same thing for the amount of attention they require!
Desi: It’s definitely not. I reckon dogs are probably way more fun than kids.
Si: Well, we’ll have this debate later, but yes, I appreciate that there are other commitments for both of you. What about you, Gav? What are you chilling with at the moment?
Gavin: Ah, yeah, I mean similar boat. Yeah, lots of drinking. For me…in fact, it’s probably something I shared with you. So I like gardening, which is really kind of strange for someone that’s probably spent 10 years in the army, or whatever. But yeah, no gardening. I’m quite lucky that the place that we have has a nice big garden. So we have a place we grow potatoes and corn and all that kind of stuff. But I mean here in the UK at the minute, it’s summer holidays for the kids.
So my free time is just absorbed by…you laugh and you say “blowing stuff off a Minecraft”, but pretty much is that with the kids. So yeah, it’s funny actually, you mentioned about keeping fit and stuff. I do absolutely nothing, to be honest. Having spent 10 years running and jumping out of planes and stuff, yeah, I have no interest in it. I mean, I sit here for 9 hours a day and then probably sit here for another 5 in the evening.
Desi: Same.
Gavin: So yeah, unfortunately I always say to myself, I sit there and think, “oh yeah, I’m…” It’s always tomorrow when it comes to running or any kind of weight training, it’s tomorrow, “tomorrow’s going to be the day”. And tomorrow comes and goes. So yeah, for me it’s nice, simple life. A bit of gardening, a bit of drinking again, mostly it’s always in the rain in the UK so it’s never sunny. We’re still due a summer at the minute. I’m still waiting for it to turn up. But yeah, nice and simple.
Si: Good stuff. Excellent.
Desi: Nice. Well, we’re coming to the top of the hour and just wanted to say thank you so much for joining. It’s definitely been a topic that has been on Si and my’s mind for a while now to talk about education and get people on that have been through different pathways and come from different life experiences, especially both of us came through when those type of degrees didn’t exist before we came into the industry. So thank you both so much for your time. We really appreciate it.
Gavin: Cheers.
Desi: Thanks to…awesome. Thanks to all listeners. Everything that we spoke about will be in the show notes and we will post this up on YouTube, our website, forensicfocus.com, and anywhere you can get your podcasts from. But again, thanks for joining us and we’ll catch you all next time.
Si: Brilliant. Thanks guys. You’ve been wonderful.
