Podcast: Doug Brush On Careers In Digital Forensics

Christa: To paraphrase a popular career title: What color is your digital forensics parachute? What path are you on currently? Is it the one you want to be on? And how do you know, when the field might look very different in five years? 

Welcome to the Forensic Focus podcast, where monthly we interview experts from the digital forensics and incident response community on topics ranging from technical aspects to career soft skills. I’m your host, Christa Miller. 

Careers in digital forensics and information security is a hot topic right now. Gaps in skills, gender, and representation from underprivileged communities are all being discussed and to some extent, even debated. With us today to talk more about that is Douglas Brush, an information security executive with over 26 years of entrepreneurship and professional technology experience. 

Doug is a globally recognized expert in the field of cybersecurity, incident response, digital forensics and information governance, and serves as a federally court appointed special master and neutral expert in high-profile litigation matters involving privacy, security, and e-discovery. In addition, he’s the founder and host of his own popular podcast, Cybersecurity Interviews. Doug, welcome. It’s a pleasure to have you with us.

Doug: Christa, thank you so much for having me. The pleasure’s all mine. I’ve been a long time Forensic Focus fan and contributor, and probably started my career there.

Christa: Oh, I love hearing that. Thank you. That’s good to hear. So in the 10 or 12 years since we first met on DFIR Twitter, how has digital forensics and your personal path in the industry changed? Have you seen any surprises?

Doug: Yeah. You know, there’s… it’s funny. I was telling somebody yesterday that I feel like we are still solving a lot of the same problems, but with that, you know, when I coach and mentor people, I’m like… but there’s a whole bunch of other new problems too. So it’s this weird dichotomy of, you know, still dealing with things like vulnerabilities, RDP port issues, just bad password and credential management, phishing emails. I mean, that was my first, I think probably my first investigation, 12, 15 years ago, I was doing, you know, phishing investigations. And hell, it was probably still stuff I look at and it’s the old problem. It doesn’t go away yet. 

On the other hand, there’s a wealth of new technologies that offer their own challenges. When you look at things like microservices, cloud services, containerization, there’s just a new set of issues that come up with that, when dealing with how to respond and, heck, even how to detect when there’s an issue, where to alert it, how to gather that data and information, you know, it’s not one of those where you can easily sometimes just go grab that telemetry information about that particular data source. It might be another data source that you don’t have access to, and then conduct an investigation. 

So while there’s a lot that I would say there’s still some underlying core principal problems when it comes to poor design, access controls, user awareness training. Now, on top of that, you add a new technology. So while there’s new problems, some of them are just based on a lot of the old issues that we haven’t solved.

Christa: So last year you were on a panel at Techno Security in Myrtle Beach, talking about certifications and how they either drove, or were driven by, career choices. And so, going back to what you were just saying about those changes, you move through different tiers of core vocational or tool-specific certifications, advanced and managerial. It seems like there’s a chicken and egg thing going on there. Which comes first? Are certifications sort of — given the landscape that we’re in — a dressing for the career you want versus the one you have?

Doug: A little of both, you know, I think it’s how you approach certifications. And a colleague of mine that I work with, who’s a peer of mine, heck, he’s probably got more years’ industry experience than I do. He and I worked together at Splunk and he’s another Doug, so of course a great name, but Doug Loda, and he and I were talking about you know, certifications. And one of the folks that I’m mentoring actually later today — and I’m a mentor on the blue team village for DFIR through Defcon — and one of the folks I’m mentoring, he’s taking the CSSP exam today. So walking him through yesterday, you know, how did you prepare for your CSSP or what did you do? You know, part of it is learning how to take the test.

And I think that goes for any certifications, and is knowing you’re going to be stuck in a room for three to four hours, sometimes a very uncomfortable room. For example, you know, just to sidebar a little bit, when I was taking some of my early CompTIA cert exams, you know, 10 or so years ago for Network+ and Security+, it was hot as hell in this room in January city, it was a box, it was a testing center. And so imagine like 13 floors up in the small rickety tables with bad lighting, no ventilation, just cranking old school, pre-war heat in a building. It throws you off and like, yeah, you want to know the material, but you almost have to be like in a testing mindset. 

So that’s one aspect of it. You know, when you’re going to learn how to test, I think it’s also incredibly important to on the other hand, really do kind of absorb the material. Like there’s certain things I was telling Doug about. And this other gentleman I was mentoring. It’s like, when it comes to things like the OSI model, it’s an incredibly dry subject, particularly when you get through layer one… like, learning how to do IP subnetting is God awfully boring to me. But if I didn’t have to learn it for an exam, I would have never sat down and forced myself to learn how to do it, because you really have to know how to do it. And you get some value in that. 

And so there’s some aspects of getting ready for certification exams that you should take away as, you know, what can I get out of this, not just to pass a test? So, you know, there’s got to be some core things that you’re just, you’re never going to learn unless you sit in practice for it for an exam. And use that as a takeaway and, and try to retain that knowledge in a way that you can actually make it meaningful in your career.

I mean, overall certification should be viewed as a driver’s license. It shows that you have — and I’m stealing this — but, you know, it shows that you have the minimum viable skills to perform that task. It does not mean that you, you know, all of a sudden, because you passed your driving test, you should be driving a Formula One car, you know? It just shows that you know, hopefully you’re not going to kill somebody when you take this thing out on the road. And that’s kind of how you should use certifications is that it gives you some base groundwork, but there’s still a lot of work that needs to get done. 

And so in that, I really emphasize when people get certifications is to look at it as kind of an ordering principle of, or what are your core foundations? What can you learn from that? Talk about intelligently? Add onto that specific areas of career paths. You know, whether it’s going to be DFIR, whether it’s going to be blue team and SOC, whether it’s going to be threat hunting, whether it’s going to be red team, auditing, you know, whatever other kind of fork that you go off of that base of learning some of that core knowledge, it kind of gets you ready for that mindset around that as your career. 

And then say, okay, what’s the next, you know, viable cert that I might want to get, that I can learn something from and looks good on paper. Because I’ve seen people also spread out their certs in too many areas and it doesn’t build a cohesive story of what they, what they might have core knowledge of.

Christa: Which was actually going to be my next question. What is the balance between being a generalist and being a specialist, especially given this rapidly changing landscape?

Doug: I think it’s so funny that they ask that because you know, my title at Splunk is Security Specialist, but it’s really to be a polymath of security. It’s like, I’m really good at knowing a lot of things, 80% of the way. Like I’ll never be the best red teamer hands-on-keyboard guy. Do I understand all the key principles? Can design a cool pen test exercise and kind of guide junior analysts and senior analysts? Absolutely. But when it comes to writing, you know, a new package, not going to happen. 

I could probably learn it, but I don’t think that’s the most valuable use of my time. I look at that too. It’s a bit of time arbitrage is, you know, where does it make more sense to be proficient enough to get that task done? And where are the ones where I really do need that deep level of expertise? And there’s been times where I’ve kind of waned in and out of that in my career, where there have been times where I’ve… I do have to know how to manually parse an MFT table, because I might be asked about it when I was doing a lot of testifying. 

In a lot of things, I had really core technical skills. I just needed to learn that down to a greater depth. And again, it’s like riding a bike. I can probably refresh on it, but it’s difficult to just say at one point, Hey, I’m going to have to know this for the rest of my career. Things change. 

So I think part of that too, is, is being flexible at times, be a specialist in certain subjects, take what you can from that. Don’t get too beholden to it, but be ready to learn something new. Because, you know, like I said, I mentioned with cloud technologies that happens all the time, too, where all of a sudden you might be thrust into a new arena of cloud infrastructure and then have to learn that very rapidly. And everything you might’ve known about core networking and knowing about, maybe, Active Directory services might not necessarily apply one for one and you have to be flexible and be ready to say, okay, I don’t need to know that anymore. I have to go learn something new.

Christa: And also on that note, you had mentioned earlier about telling a story of your career, where do career changes fit in this? I mean, when you have those kinds of new technologies that come up that you have to learn really quickly, when somebody either has that kind of career change, or is more planning a career change, how can certifications help with that? And how should professionals prepare? How do they get that hands-on experience they need to succeed with a given cert?

Doug: Well, this is where I get to be the old man screaming out there, please stay off my lawn! Get off! These kids today, they don’t know how easy they have it. I used to have to walk through 10 feet of snow to my lab.

Christa: Both ways! 

Doug: Both ways, but like I had to like, Oh my God… Apartment where I had a small office in New York City when I started Digital Forensic Group and, you know, first 10 years of 2000, it was hot as hell in that room because I had a server for computers, all running my lab equipment because in a test lab and I was having to learn things. Ironically, one of the first applications was learning Splunk, you know, on these boxes, 1am in the morning. 

And it was… just because they can spin up a virtual machine and you can have on a MacBook Pro 10 different builds of different operating systems and set up a whole Active Directory environment and test things. So I think the availability to set up test and lab equipment is extremely valuable now. And I can’t emphasize that enough for people that are starting or even pivoting in their careers, you know, with things like AWS, Azure, GCP, you can go [inaudible] and for a low cost start practicing, you know, start learning. 

And there’s a ton of things out there too. And SANS has a tremendous amount of resources for things. You know, when you’re looking to kind of hack the box and you’re trying to learn some of your red team skills, which could also help… Certainly that’s another thing, is cross training. So key component, if you’re in IR and digital forensics is, you know, learn what red teamers do. 

But yeah, those things are out there and you can go test your skills on them and learn. And so do not squander those opportunities. That’s the one thing that I, when I mentor people, I tell them that you do not know how lucky you are today to have this access to so much test equipment and knowledge. Absorb it all, and really, you know, practice on these things that are available, set up virtual machines in labs, in your home, and just break things. 

That gives you the most hands-on things. Because I think so many of us that have been doing this for so long started our career — and I joked about this with people on my podcast, or just in conversation — that it started by like fixing a printer or somebody’s home computer. Somebody goes, I can’t get this thing to work. Let me take a look at it. And you hack at it and you play with it because something should work. It doesn’t, then you fix it and you figure it out. And then you become that guy or gal that, Oh, he or she is the one that knows how to fix this. And then you go to that, and that’s almost how you progress in your career. 

And later in life in forensics and security, as well as you find something that you get stuck on one day, I think there was a time even on Forensic Focus, people were referencing some, either Mac or Yahoo email capture thing, that was still seeing it a couple of years ago. They’d be like, Oh, Doug, you know how to do that? I was like, I think I posted kind of a, how to guide. I don’t know if I’m the guy about that. 

But once you figure it out, you know, people kind of lean on you. And that’s how you eventually might find some specialization. Again, a careful on that is it has to be something you really enjoy. So if all of a sudden, you, you know, you start with Mac forensics one day because nobody else is either on call that day in the lab, or that case lands in your lap, you know, take some time to learn it, definitely get some depth in that. 

But, you know, if it’s not the thing you’re really going to be passionate about, don’t become that person in your organization that becomes that Mac person. And you find that you hate it, but then all of a sudden, you know, every single Mac that comes in comes your way, because you’re that person, you know. But set your guidelines very explicitly about what you want to do. And when you get those opportunities of, it is something you’re passionate about, double down on it and really dig into it.

Christa: We’re talking about setting up different environments to test in and so on. It sounds like between that and the certifications themselves, there’s a potential for maybe some funding challenges, especially if different professionals are looking for their employer to pay for their certification, or to kind of shepherd them along that career path. What if that’s not necessarily the direction they want to go in? Like, how do you counsel your mentees to kind of overcome some of those challenges?

Doug: Yeah. Funding for certifications is no joke. Most organizations do not have the necessary budgets when it comes to training individuals on core, and even intermediate and advanced, certifications that I think set a good level of return on investment, and a pre-work prerequisite, particularly for advanced and junior level IR people. 

You know, if you look at SANS courses, they’re my kind of go-to, I feel that it’s great that they’re tool agnostic, you know, the body of knowledge there’s unparalleled. But it’s a cost. And so organizations that have only $2,000 to $3,000 in training budget per analyst are going to have a hard time spending $8,000 to $10,000, sending somebody away to do full boat certification. You know, when you add in all the costs of meals and hotel and things like that. So I get it. 

So some of the things that I’ve tackled with this? So say for example, you do have to go to that well, and get the investment is, you really have to kind of think like a business person. And I think this is a critical skill that happened that you need to develop early on in a career, is thinking about the business. And thinking like a business person. Don’t expect people to understand what you’re doing on the DFIR side, you know, expect them to understand the problems that you’re trying to solve and put it in their terms. 

So if you say, Hey, look, our caseload’s backing up. And I’m just struggling with a lot of these things that I’m having to either do repetitive tasks, or spend an enormous amount of time researching, doing whack-a-mole research on a bunch of different things. If I went to this five day course, it’s going to accelerate my time to get the caseload through because I’m going to be more efficient.

I’m going to learn skills. That’s going to allow me to do business faster and therefore generate more revenue. So if you spend $10,000, you know, I think you’re going to get this many more hours a year. I mean, if you’re not a billable hour thing. 

And that could be an incentive. Now, some organizations I’ve dealt with say, well, I don’t want you to be faster. I want you to be billing more hours. Start looking for other organizations. Efficiency should be the driving key, not just running up the bill. But a lot of things we even did with that is what I did a lot of fixed fee security engagements. 

So say I’m just arbitrarily like $20,000 penetration testing engagement for a mid-size organization, fixed fee. And I would reward the pen testers if they can get things done faster, because I had a certain amount of hours and costs built into how much I thought that should take. And you know, my margin on that, if they should do it faster, why not give them a share of that? And so by doing that, incentivizes them to say, well, shoot, if I learn these skills faster and I go get training, I can get more work done in a shorter period of time. We can have more margins and I can be incentivized to get a little bit on the back end of that. 

So everybody becomes, you know… look for those win-win situations where it’s not always a zero sum game of, wow. You know, if we do this, we’re all gonna win and we’re all gonna get more money. So frame it that way. 

If you don’t have those other opportunities, there’s many other ways to kind of hack the system. And I’m using SANS as a particular example, but this can work for — and I’ve reached out to a lot of other organizations that do what I talk about — is offering training facilities or other types of things to facilitate community learning.

You know, many of these organizations, SANS, X-Ways, Cellebrite, you name it, has classes. And we did this with, actually, Nuix. You do a whole bunch of them now, but where I was in New York City particularly was a really expensive market to get training. And when I reached out to folks like Rob Lee, I’d be like, Hey, how come we’re seeing community training for some of these core IR forensic courses in New York? He’s like, it’s too expensive. We can’t put people up in that. And I go, okay. And I went back to the well, and I kind of hacked on that for a couple of years. And I finally got in touch with the community people at SANS. I said, how about this? I’ll give you 30 person training place in a conference room. We don’t use that frequently in our office. You can have it for the full five days. Me and my team will help set it up, get the facilitators already, we’ll help in any way with the class or provide internet, we’ll order all the food and lunches, make sure that’s there. I mean, they’ll pay for it. 

And they were like, that’s awesome. Thank you. Like we can never find space. It’s always too expensive. I was like, it’s a free, I go, the only ask is I was like, can I get one training seat? Right. And they’re like, yeah, sometimes we can negotiate too. But I basically ended up with about anywhere from 60 to $70,000 in free training a year just by becoming a facility in that program. And it’s being replicated in a lot of other areas. I ended up doing out here in Denver. It’s funny, some of the Denver community teachers would go out to where I was doing New York City, come back and say, I just taught at this place. I think he used to work there. I was like, yeah, I set up that program. I was like, Oh, I knew I heard your name from out there. And I was like, yeah. 

I’m a big, big fan of giving to get. And that’s another way to where I build stickiness with inside the community, with inside these organizations, you know, it gave me access to a lot of people without able to ask another further questions about mentorship knowledge. It’s just any opportunity you can look to contribute and give. Don’t always think about, again, it’s just a zero sum game. It’s like, how can I help somebody and do it almost unconditionally? And you’ll see these things start coming back. And be strategic about it. But that’s a… this is a great way to try to find ways to get free training is: how can I help this organization that’s trying to struggle to make this happen, you know? And again, whether it’s facilitating teaching, whatever, you can get a lot of free training out there if you put your skin in the game.

Christa: So in terms of giving to get, what is your take — and I’m cognizant of being a white woman asking a white guy — but diversity initiatives like Share The Mic. What is your advice specifically to our white listeners on how to be a more responsive ally in amplifying the voices of our colleagues of color? How do we practice self-awareness and know when to step aside?

Doug: I’m going to address the elephant in the room particularly. Well, two of them, I’m going to start with the first one, that I’m a cis white middle-class male who lives in Boulder, Colorado. And if you look at my profile picture on LinkedIn, you would never believe it. I know. 

I really look like some kind of awful howdy doody eugenics experiment. It just, it’s just too white. And for a long time, I projected that view of success: of that’s what you look like, because that’s what all my counterparts… and for me is like, being kind of a hacker mindset. I was like, this is how I get in organizations. I look as professional as possible; because the joke was always with my pen testers, too. They’re like, it’s not fair that you can walk right into a building and sit down in front of a computer.

I was like, yeah, cause it’s social engineering because I’m using cultural and social norms to exploit vulnerabilities from, you know, the front desk down to the door guards. I can just walk in, white guy in a suit. Like honestly, you can walk into almost any building in New York City. Walk them through. I know how to get into the elevator banks and all that. Nobody questions you because it’s usually somebody of color that’s not going to speak up to a white guy in a suit. 

And that’s a security vulnerability, but I exploited it to get to prove points where I was doing physical penetration tests. So that exists. Part of that has been amplified certainly by the current, you know, the current political climate. Unfortunately now we have leadership in this country that really has doubled down on this white power stereotype. And it’s made it incredibly hard for people that are not of that view, that don’t look like me, to try to get a foot in the door. 

You know, it’s immediately being associated with some kind of quote unquote movement. Oh, you’re just trying to do this or that. And what I found most appalling and have disassociated myself from some of those people that would say, when I started speaking up, accused me of virtue signaling. I’m like, how? And this particularly happened on some social media posts. And it really pissed me off because I was like, the thing that I had posted was I was in the beginning of the pandemic as the lockdowns had happened, I was like, you know, for all the people that are sitting down, out there complaining that, Oh my gosh, this is so terrible. You know, that you’re quarantined inside your beautiful house with all these things and your family, think about the people that are in the low income side of the spectrum that might be in financially, physically, or verbally abusive situations, or these kids that are in abuse situations. Like, before you start complaining, shut up. 

And someone’s like, Oh, you’re just virtue signal. I’m like, no, actually I posted that on an organization. I put a lot of time and effort into being aboard with this organization for justice in New York City. Because I’ve always been very altruistic like that because I believe I’ve come from a lot of areas of privilege. My background has had a lot of diversity, people of color, gender, gender identity, sexual identity, whatever, you know, I’ve really had an amazing support system. 

So yeah, it pisses me off when, when those people get hurt by a current kind of political worldview. So don’t accuse me of virtue signalling. And I kind of took that back and then I really kind of fell in almost doing an imposter syndrome. Like, should I be saying anything? And I start thinking, is this happening systemically now, are there a lot of people like me that are feeling kind of almost shunned by these people that are just going to kind of try to bully them into not saying anything?

And I said, you know what, let me test the water. So I started with this idea of covering a couple of things, you know, particularly neurodiversity inclusion and mental health talking about the podcast, talking about it in my public talks now. It’s now one of my talk tracks. And really I was fearful that people are gonna say, how dare you, a white male privilege with everything that you have in your little castle in Boulder are gonna sit there and tell us how it is? 

And I was like… complete opposite reaction, big sigh of relief, because people are like, thank you. We need more people like you speaking out, you’re the problem. And until you talk about it and address it and own it, it’s never going to change. And I was like, I never look at it that way. I cannot encourage people that have had the ability to walk into any building in New York City and sit down in front of a computer, open those doors behind you for other people, because it’s not fair just because you look a certain way and you’ve hacked this model that you should be able to continue to get that.

I mean, if we’re going to look at that with that hacker mentality, if we’re going to see, okay, here’s a vulnerability, let’s patch it. You know, we have to stop that, because when we talk about the talent shortage and skill shortage in this community and in this industry, it’s not going to work if we try to mold everybody into the same kind of framework of what success looks like. 

So anyway, I’ve started this whole thing of really kind of pushing diversity and inclusion. I’d love to share the mic in cyber on the next round of podcasts. I plan on doing five on diversity inclusion, at least, you know, like a series that are focused specifically on that. Five that’ll focus specifically on neuro-diversity and mental health. Because if we don’t talk about it and if it’s not people like me that talk about it, I don’t think it’s going to change. So it’s almost become this feeling of obligation to have to stand up for this.

Christa: And on that note, you’ve mentioned mentoring several times. You mentioned the career skills gap, and some of the other gaps that we’re talking about. Talk to us a little bit more about mentoring. How does that factor into a digital forensics career trajectory? How should professionals identify and approach a mentor who seems to fit them, and what do you look for in a mentee?

Doug: Hmm. That’s great. Yeah, mentoring in itself is great. Great for me, I should say. I think great for a lot of people in community, but you know, you have to self-actualize a little bit, you have to really kind of want to do it. And try to find some something more than about you in it. 

I actually came from a very good base of people that were kind of mentors and teachers. So I kind of grew up with that in the household. My parents were teaching at in Poughkeepsie New York, but they were always taking the time with their students to mentor them, hire their students on their consulting gigs. So these people almost had an apprenticeship of learning. So I spent a lot of time about, and I was an apprentice at time. I would go as a PA on video shoots with these students and see them interact with my parents.

I mean, to this day, there’s these folks that still reach out to me and say, you know, your parents fundamentally changed my life by offering me insight on things. And that, to me, to have that kind of impact is exciting. It’s something beyond everything. You know, I always ask people when I’m mentoring them and also hiring them, it’s like, let’s take money off the table. There’s no object and have those needs met, you know, what do you want to do? How do you want to give back now? What are you going to do to make impact in your life and those around you? 

And because it’s very easy to… when people say I want more money and it’s a light shedding moment of career path discussions. But I think, you know, when you really look at it and you know, what am I going to do here in my time on earth, in my industry and with my family, with everybody else. I try to set that mindset up as much as I can with others as well. 

But you know, kind of going back, I mean, that’s really what drives me is this passion to make change in people’s lives. You know, and when it comes to… probably being a mentor, you know, that’s where you have to find outlets for it, and the appropriate outlets. It can very easily go astray if you do it kind of ad hoc. That’s why organizations have a more specific kind of mentor programs. And it’s nothing like overly structured, like the one I’m doing, it’s or set our own tone and pace goals. 

But, you know, there’s some structure to it where we’re holding ourselves accountable. So it’s not something where I leave somebody out hanging because likely what could happen is, me as a mentor can get pulled into a lot of other, a lot of things, you know, when I’m traveling and all of a sudden that can have to be on a plane in Southeast Asia and overnight, you know, I might have to cancel something and cancel it again.

It is very easy for me to lose track of that. And then the mentee not have the courage to say, Hey man, what the heck? Like, you’ve had to change two things and then that kind of waned. So you really need to find organizations that… there’s some kind of structure and accountability, so that stuff doesn’t happen. Hold yourself honest. 

And there’s a variety of different ways to do that. And at first, even like looking with inside your workplace, a lot of organizations have these kind of mentor/mentee programs, and it doesn’t have to actually be just about forensics and IR, it could be about your career path. It could be about other things. So, you know, more I think about it, I think there’s less things I do in mentoring people in technical depth than I do about soft skills, humanization of themselves, sometimes just being a shoulder to cry on and say, you know, what do you, what are you trying to accomplish in the next 30 days? And really be more of a coach. 

That kind of the way I look at it is, I’m not a doctor. I’m not going to come in and say, here’s the prescription. You need to be a better professional. It’s more of this coach of, Hey, you walked into my gym, where do you want to get better? What are some of the goals? Oh, I want to have my GSE certification from SANS. What would you want that? Next year? Not possible. Let’s set a realistic goal, and reorienting people towards realistic goals. 

And again, doing the SMART, you know, was it specific, measurable, accountable, time-bound, and I think R… response. Anyway, you look up S M A R T goals, you know, set realistic goals that you can actually try to hold people to that. And even just be again, like I said, sometimes be a shoulder to cry on, just say, Hey, what’s frustrated or what’s not working? Vent to me. Don’t let it sit and fester to the point where you’re sending off that nasty email that gets you fired, get it out of your system now. And let’s find a more constructive way to work on it. 

Or somebody I was talking to last night, she was like, is this too passive aggressive? I was like, I’m the wrong person to ask. I was like, I totally appreciate it. I was like, you could have softened it and said something more along the lines of X, Y, Z, and taken passive aggressive from 11 down to a 4. It wasn’t like a specific mentor kind of thing, but I thought about it in that framing of like, you know, sometimes just saying there’s a better way to do this is helpful, you know, and when you’re a mentee looking for that, look inside your organization. 

You’ll find people that are specifically tagged as mentors, because many organizations have that kind of structure. If not, ask, that can be set up, you know? Again, look for other Oregon professional organizations. I said, Bluetooth Village to Defcon has a great, great set of people working on that. It could be your local ISA chapter might have something. It could be any number of things.

Christa: What kind of qualities are you looking for in a mentor though? Because there’s got to be some balance between finding somebody who’s a good communicative fit without necessarily being an echo chamber.

Doug: Yeah. And sometimes it’s going to take feeling out. I’m a big fan of understanding logical fallacies in cognitive bias. Cause you can trick yourself very easily into believing something. And so the sunk cost fallacy, or the gambler’s dilemma, is: don’t think you have to keep putting in more time on something that’s not working out, hoping that it’s going to have this magical payoff at the next session. 

And so if you’re working with somebody that’s not jiving with you as a mentee, say, Hey, look, this is not a good fit for me. I think I need to find somebody else. Feel free to walk away. And to go back to your question. I think that that’s something you have to go in with that open mindset, because you might have to test it out a few times, find out what’s going to work for your personality. But the things you’re going to want to look for maybe somebody who’s already mentored somebody else where you can talk to one of their mentees and say, how was the experience?

You know, but again, sometimes that’s tough. It’s not as, like I said, formalized in the industry. So you might not be able to get that. And somebody might say, well, it’s been kind of ad hoc. But you know, what you can also look at is somebody that’s had similar backgrounds and skills. And this goes to me too, you know, one of the things is I’ve struggled with that horribly because I’ve always been the bull in the china shop. I get brought in, in most organizations I get hired. And then after I’m hired, they’re like, can you write up a job requisition for yourself and a job description. It’s like, we know we had to get you in, you have some kind of vision, but you know… you make it up. 

And so it’s very difficult for me to go in in some type of entrepreneurial or leadership kind of role and then have to figure it out and then turn around and go, gosh, all these people are depending on me, I feel stressed out. Talk to… oh, I don’t have anybody. And some of the mentors I have had were then unceremoniously executed or fired in front of me. And I was put into their position, a battlefield promotion, which was incredibly traumatic and attacked the one person [indecipherable]. 

And in that process I found out it doesn’t always have to be somebody in a hierarchal kind of situation. It doesn’t have to be my boss. It doesn’t have to be a senior person. It could be somebody that’s just a good sounding board that can again, call me out of my logical fallacies and my biases. When I believe in my own BS, it goes, Doug, I want to professionally and respectfully disagree with the way you’re approaching this. And say, no, you’re wrong. 

And maybe little bite sizes where people that I’ve built around me as being mentors to me, even if they’re lateral to me, below me in a reporting structure, but somebody that I can find as almost a sounding board and then really say, Hey, thank you for providing this advice to me. Even if it’s just a snippet, heck I’ve even found my daughter, who’s like 10 years old. You know, she’s really good at calm. Cause I hope I’ve taught her well. And calling me out on things in a way that becomes a mentorship relationship where she’s just like, you know, kind of holding me accountable. 

That’s the overarching thing, is finding somebody that can really kind of hold you accountable, that can see you through your eyes and call you out on that. And so I just recently looked very lucky at Splunk. They have a professional mentor and coaching program that they gave us and it’s like having so much, like I would have to pay a year for it. And when I looked for a list of mentors in this program, it was like, you know, similar backgrounds, similar kind of walks of life. And I picked somebody who was a perfect fit. You know, I got lucky out of the gate. 

We’ve had some online sessions and, you know, just gave me good coaching advice and how to help me be accountable to some things. And I think that’s, you know, it has to be what I’m looking for out of it too. And I think maybe to end that is to say, you know, set some realistic expectations about what you want out of it and be open about discussing that with your mentor.

Christa: Last question: the pandemic introduced a lot of uncertainty into our lives, even as technology itself is on this continued rapid pace of change. And so as we’re talking about mentorship and getting that advice, how are you advising people to chart a course now? What opportunities exist for professionals in this field? Especially if they’ve been disadvantaged or from disadvantaged backgrounds, but also in general. I mean, you’re talking about mental health and other issues that I think that the pandemic has introduced in a big way.

Doug: Yeah. There’s definitely a lot to unpack there. And I know folks who I try to, again, informally try to mentor or help… somebody who I know who’s in the local Denver community, who’s not been to work for a while and then just has said hey, I’m struggling with the mental health. I don’t feel motivated sometimes even to go look for jobs. And I’m like, it’s just, it’s a double whammy. Right? 

So when I’ve tried to encourage those people to say, okay, well let’s step back and look at what’s changed in business because of COVID again, think of things in business terms, you know, where things are going, we’ve been talking about it for a long time that there’s going to be this massive shift to cloud infrastructure, cloud computing. I don’t think the remote workforce thing is that much a surprise.

Anybody that’s helped CEOs or CTOs or CSOs. You know, when you look at the way technology has been heading in this direction and things like hoteling and, you know, the ability to work a couple of days from home per week, it’s not been uncommon. So we’ve been kind of gradually going… I think this is rip the bandaid off. 

So within that advantage, all of a sudden you have now a massive rush to people working remote and using cloud compute services. So it’s like, okay, how’s that going to change the dynamic of businesses? So the more businesses are going to move to cloud services containerization for the applications that support the workforce. What are some of the security issues that are going to come with that? What can I learn about that? Luckily again, you know, most organizations that are cloud-first companies — and luckily Splunk is one of those — we’ll offer free training around those platforms and services.

AWS has an amazing amount of certifications that you get for free by going in and doing that. Pluralsight is spinning up things in AWS training and Azure training and GCP training. So you can learn a lot of this stuff remote at home. Do not squander that opportunity. While it sucks to be not in a classroom learning this, cause that’s how my learning style works best, it’s advantaged a lot of people that might not… who might not have the financial means to do that. Where yes, with a laptop that I can beg, borrow or steal. Don’t steal it. But you know, I can sit there and learn some of these AWS courses and become certified in this and show that kind of those proficiencies and knowledge of that and practice it.

So there’s a lot to be learned out there around cloud technology, because that’s going to be the new technology going forward. So even folks like myself that have been doing… you know, when I learned MP3 0.5 back in the day and how to set up, you know, original forests of active directory, that’s kind of thrown out the window. That space in my head needs to be vacated from memory to now learn about cloud steps. 

So I’m starting at the same point as a lot of people entering the industry when it comes to learning about DevSecOps, when I’m learning about cloud stuff. So it’s a green field for everybody. Take that advantage now. And, you know, as things kind of got a level playing field, yes, there’s a crisis, but don’t let it go to waste. You know, learn about this stuff and how people are changing due to this, and figure out ways to secure and respond to security incidents in this new type of business workflow, you can really set yourself apart.

And this is opportunity again, where you can write and publish things. I’d have to say I’ve been a big fan of a couple of things I would love to see kind of evolve out of this. You know, my retirement goal is to do more work in a way, but I would love to fundamentally change the way that we do recruiting and hiring and just basically do you know, blind resumes, no names, no stuff that I would use as a hiring manager that contained my innate biases. Cause it happens, you know, when you see names, whether it’s an African-American name, an Indian name, Chinese name. There’s so many things that I don’t want to even have to think about as a manager. I don’t want that on the resumes and CVs. So I want to screen them for that. 

If it’s well-written and well-presented, then I want to test them out on their skills and go into some kind of testing things. So my hope is that’s going to drive more of that type of hiring practice in the future where it’s blind interviews and then testing cohorts of how people really apply that knowledge of what you need them to do on the job. And then if they happen to be whoever they look like, whoever they marry, who cares, you know? They get the job done. 

And that’s what I would love to see come out of this, but that’s kind of happening now, because you’re submitting a lot of these things remote, you know, leverage that. Leverage a system for your advantage to say, Hey, this is a remote thing. And you know, maybe I don’t have to go in person and have to be scrutinized to those [who are] biased. Again, double down on what you know, make that demonstrative, and get a job on it.

Christa: All right. Well, Doug, thank you again for joining us on the Forensic Focus podcast. We appreciate your time. 

Doug: As always, anytime. And just to say, you know, Forensic Focus has had a place in my heart, and what Jamie’s done for… gosh, I’ve been on there for 13 years. I feel old now! That’s where I got to meet people like Rob Lee, you, everybody that I still talk to today within the industry, you know, Lee Whitfield. I mean, that was originally… it’s just, it’s such a cool community and that’s the best thing. Folks, please be part of the community. Give back. Forensic Focus is a great thing that if you see a problem, this is what I did early on. People would post a problem. I would go research the hell out of it and post a response. I learned something, I gave back, win-win.

Christa: Yup. Yup. Thanks for that last piece of advice! And thanks also to our listeners, you’ll be able to find this recording and transcription, along with more articles, information and the forums at www.forensicfocus.com. If there are any topics you’d like us to cover, or you’d like to suggest someone for us to interview, please let us know.
