Transcript for:
Roadmap for getting into cybersecurity

It's always a problem: how do I get in? How do I get experience without a job to give me experience? And you've basically given us the roadmap for that.

Yes. I mean, that's fantastic, because it's, it sounds like what you're giving everyone who's watching is a way to break in without making the mistake, and I think a lot of people make this mistake: they think they have to leave their job and be unemployed to get a degree or get a cert before they can actually break in.

That's absolutely not the case. I, I am vehemently opposed to that. I think, I think this is one of, cyber security is an amazing industry and, you know, I have found, I found gold and I want to share it with literally everybody, um, because it's not outside the region. And I'll tell, I'll tell you this, you can cut it in or out if you want to, um, uh, I, I didn't get accepted into college when I, when I graduated high school. I got turned down to go into college.

But tell me, how do I do this? Give me, give me the, give me the pause.

And, and here's, and here are, here are Neal's top three things. Neal's top three things are...

Hey everyone, it's David Bombal. I haven't done one of these in a while, but I've been asked so many times to talk about the top certifications to get if you want to get into ethical hacking, and to help me answer that question I've got Neal. Neal, welcome.

Thank you, thank you, David. It's good to be here.

So Neal, tell us a bit about yourself. I mean, you've told me a little bit about who you are, we've recently met, but, you know, give us the sort of, the quick overview of your experience and why you can talk about the subject.

Yeah, absolutely, and, and thanks very much for having me on. It, it's an, it's an honor to be here. My name is Neal Bridges. I've been 20 years plus in the cyber security space. 10 years of that I spent doing offensive hacking for the United States Air Force as part of the National Security Agency. I've built the first functional training unit for, uh, for Air Force cyber, basically training all of the hackers that, uh,
have gone to the, to the NSA to go be hackers over at the NSA. Since being out of the Air Force, I've had multiple gigs as a, building up a pen testing of red teams, uh, with Fortune 100 companies. I've been a consultant for PricewaterhouseCoopers, one of the largest, uh, consulting firms, uh, uh, in the world, uh, where I led a lot of their, uh, their, their incident threat management, uh, out of the Midwest, and I've built, uh, multiple security operations teams, uh, for, uh, for Fortune 100 companies. Uh, spent five years as a SANS instructor. I'm a notable author, I've done appearances on Bloomberg, uh, and, and I've spoken at numerous, numerous conferences and, and by invitation guests, uh, for, for a lot of the, uh, the, the vendors and vendor events inside the cyber security arena.

Yeah, I mean, you, didn't you speak at Black Hat, is that right?

I, I did speak at Black Hat. I've also spoken at, um, uh, DEF CON. I was looking at, uh, BSides, looking at a lot of, uh, smaller events and things like that. I've been asked to, to come and consult with the FBI, um, spoken at, um, been keynote for a lot of vendor events, uh, such as Proofpoint, Carbon Black, Splunk and things like that.

I mean, that's really great. I mean, one of the, when I was thinking about this today, I was thinking one of the great things that, that I really like about you is you're not just working on, like, the black hat side, if you like, so you're not, or the, you know, the penetration testing, you're not trying to just break in. You're also working with companies, you're working with the NSA, you're working with government organizations to protect themselves, is that right?

That is, and one of the things that, that, you know, I've always been into hacking and I've always loved the, the offensive side of things. Um, one of the things I quickly realized is everybody loves the offensive hacking. It really is the, the cool, sexy about what it, about our industry, about what it is that we do. But, but at the same time, you know, the, the, the thing that, that helps most organizations is the ability
to protect those organizations from hackers, and, and there's not enough of those unsung heroes. And so I give all, I give a lot of credit, and I try to spend a lot of my time working on the defense of networks and putting that hacker mindset to work to, to defend networks, to help blue teams, to train threat hunting teams, to help try to protect a lot of these large organizations, because we're lacking that mindset on the blue side, because everybody wants to gravitate over to the ethical hacking piece of things.

Now I want to bring the level down on this video, because I want to give people who are starting out a path to, to get into this industry, and as I said to you earlier, I want to show them how they can get to where you are, you know, learn your knowledge. So first thing is, what's a blue team, what's a red team? Can you just explain some of the basics, and, you know, you've mentioned that term.

100%. So, um, when you're talking about ethical hacking, when you're talking about the ability to look for vulnerabilities inside of systems, and whether those systems are people or computers, buildings if you're talking about physical penetration testing, when you're looking at those systems, a red team, or the red side of our cyber security industry, is oftentimes looking for ways to, to find those vulnerabilities and then to turn those vulnerabilities into access, if you will, for the bad guy, whether that's in the term of, like, instead of physical penetration tests where you're looking for access to a building, whether you're, uh, you know, penetrating a computer, trying to gain access to systems or data. That's oftentimes what we refer to on the red side, or the offensive side. On the blue side, those are really the, uh, the network defenders, and I'm not just talking about the, the IT folks who are sitting in the NOC, or the network operations center, doing, uh, you know, routing and switching and firewalling. Um, when we think about blue teamers, we're really talking about folks who sit inside of a security operations
center. These are your incident responders, these are your threat hunters, uh, these are folks who are, uh, you know, looking at your alerting and monitoring on your, on your SIEM system, or your security information event management system, something like a Splunk, QRadar or a LogRhythm or something like that. Um, these are the guys, and, and I, and I equate this, and when I talk to, to CSOs and CIOs and CEOs on the regular, you know, I equate the blue teamers, you know, those are your frontline soldiers. Um, those are the folks who are, who are on the battlefield on a day-to-day basis actively fighting, uh, the adversaries, um, that are attacking corporations. Uh, they're looking at alerts, they're running down malware, they're, you know, hunting for, for the adversary inside of, inside of your, your corporate network. Um, and so while red team is very sexy and everybody loves to do red team, because we've, um, uh, we've, we've created kind of a hype culture around the coolness of hacking, exactly, it truly is the frontline soldiers of blue team, um, that make a company tick.

And I mean, what about jobs? Because, I mean, at the end of the day you want to be paid to do this stuff. Do you see that there's more jobs for the blue team, like for companies, or they're more jobs for, like, offensive stuff?

There are way more jobs for blue team. As a matter of fact, in, in every organization the amount of blue, you know, the ratio between blue jobs and red jobs, um, is almost ten to one. I've, I've built some of the largest, uh, uh, security operations teams, um, you know, in, in the United States of America, and I can tell you that even on some of those teams you've struggled to have one or two pen testers engaged. Full pen testing is often remanded to a lot of the consulting agencies, so like your PwCs, your KPMGs, your EYs, maybe an Accenture or something like that, if you're, if you're familiar with Accenture. Um, and sure, they do a lot of engagement, but you're going to be as part of that, that consulting ecosystem. If you have aspirations of working
for Microsoft or Google or, or an Amazon or an Apple or something like that, of course they, they do employ pen testers, and those are, those pen testing jobs are there, but those are also very, very hard to, to get to and to achieve.

Is it possible for someone to start out, um, as a blue team member and then move to the red team once they, you know, learn more skills and get more well-known?

100%, absolutely. That is one of the biggest, um, uh, things that I, I mentor folks on all the time, and as a matter of fact it is not uncommon, and one of the things that I talk about when we talk about teaching, teaching students, when we talk about bringing people into this career field, is, um, you'll get it, an individual who's come right out of college, or maybe doesn't even have any college, has come out of high school with some, some experience or some, some, um, you know, what, maybe a handful of certifications, or they've, they've taken videos like yours, David, or, you know, other videos on YouTube to learn about cyber security or ethical hacking, but they can only either get, like, a help desk job or maybe, like, a very, very junior level security analyst sitting on a blue team looking at alerts on a, on a SIEM. They'll come in, they'll see their first penetration tester, or they'll see the first penetration test, uh, inside that company, and they'll immediately gravitate to that and be like, how do I get into this career field? You absolutely, they, you can absolutely go from security analyst on a blue team, you can go from help desk. Trust me when I tell you that I have seen people go from, uh, construction workers and business degrees and law degrees to penetration testing as well. Um, and, and there's, you know, there's no end to where you can get into this career field, um, as long as you've got the mindset, you've got the heart to do it.

Okay, so now I've got to ask you a number of things, because you mentioned a few things there. Firstly, do we need degrees, and then the big question I wanted to talk about is certifications and which
certification. So do I need a degree, first thing. Secondly, do I need certifications, and if so, which certifications would you recommend?

Do you need a group degree? No. This is the biggest thing that I love to debunk. I've had, I've talked to several recruiters, um, I'm going to give you an opportunity to cut something here if you want to go, I've had several recruiters that I've interviewed on my stream before. We've talked about the, the way the industry is going when it comes to, to certifications versus degrees versus, you know, all the other, versus experience, and the industry as a whole is very much moving away from, uh, the need for, for degrees. As a matter of fact, if you start to look at a lot of the job descriptions, especially in some of the higher technical skilled roles, especially on the ethical hacking side, on the incident response side, on the threat hunting side, you'll see that a lot of the job descriptions are changing from four-year degree, or certifications, or some combination of those and experience, and so that's a huge shift. As a matter of fact, if you look across the tech industry, you'll see companies like PricewaterhouseCoopers, KPMG, EY, they're all starting to drop their four-year degree requirement to start to bring in more talent who may have a vocational degree, may have an associate's degree, may not have any degree but some certifications, or even may not have any certifications and has just been able to prove themselves through your heart and the interview process that they're capable and qualified to be sitting in that role.

So, I mean, I'm going to get to the certifications in a moment, but you mentioned you've got a Twitch stream. Can you, you know, at this point tell us a bit about, you know, what are you doing on Twitch, and what's your, you know, how do you, how can people contact you? Because I'm assuming you're on Twitter, places like that as well.

Yeah, absolutely. Uh, so we, we run a, a Twitch stream called Cyber Insecurity. Um, it's just cyber underscore insecurity, uh, if
you go to twitch.tv. Um, we, we stream every Monday, Wednesday and Saturday, uh, 7 Central in the U.S., Central Standard Time, and we regularly have, um, guests from all across the industry up here on the stream. We've had the chief strategist from Anomali threat intelligence up here on the stream, we've had the chief strategist from VMware Carbon Black up here on the stream, we've had a former, uh, uh, two-star general who ran, uh, Cyber Command, uh, up here on the stream, and we talk about everything from red team to blue team. Uh, ha, you know, we, it's tailored for whether you're tactical level, whether you're at the CISO level, whether you're trying to get into CSO. We've done, uh, on-stream resume reviews, we've done on-stream report reviews, actual pen testing reports, and we've talked about how, you know, pen testing reports get interpreted at the CISO level, at the board level, and how you can tweak your writing so that, uh, so that you can, you can write better for the folks who are going to read your audience. And so it's a very well-rounded, uh, stream that kind of seeks to try to do a lot of, of on-stream mentorship, um, for, for a lot of folks in the industry as well. We cover the latest and greatest in news and topics, and we bring industry experts on to do that. Um, so, so Cyber Insecurity on, uh, uh, on Twitch. You can follow me on Twitter at, uh, itjunkie.

So I'm going to recommend that all of you, you know, go and follow Neal's Twitch stream and, you know, follow him, follow him, follow him on Twitter. But, um, just going back now, so I'm 17 years old, or I wish, but if I, let's, let's say I'm 17 years old.

Man, here we go, we're going 17 again.

Yeah, there we go, we can, we can dream. Okay, what do you recommend? I want to get into this field, I want to perhaps go red team, blue team, whatever. Degree, you're saying don't do that, or get a certification, or just try and get experience? Because I just, I'll just preface it with this: I've seen guys bash degrees, I've seen guys bash certifications. So what would you advise me? I'm trying to get
into this industry. I might be young, I might be old. Like you said, you, it's great to hear the stories of, like, construction workers getting into this field, but let's say I'm trying to break into this field. What would you recommend I do in 2021?

Absolutely. So in 2021, um, let me make one thing clear: I'm not bashing a degree at all. You don't need a degree, but, you know, I've got folks that I mentor that are going for a master's degree, I've got one guy that I mentioned that's going for a PhD in cyber security. They all know that they don't have to do that. As a matter of fact, they're not going to make any more money by simply going for a master's degree or a PhD. It is about personal goals and personal objectives for them. And so what I would tell you if you were 17 years old is, if you want a degree, if that is a passion of yours, to have a degree and to be able to have that piece of paper, then I absolutely think you should achieve one, but don't ever feel like you have to have one to be inside of this field. I think those two, those two points are vastly different. What I would tell you if you want to break into this field: um, HR folks and recruiters are looking for folks who have hands-on experience, and so, you know, if, if you're familiar with, you know, like, what David talks about when he does some of his demonstrations of, of ethical hacking or, or, um, you know, any of the other, uh, you know, technical stuff that he does, building your own home lab, doing your own type of think-tanky type stuff is absolutely critical. Make sure you're going out there and you're participating in capture the flags, especially on the ethical hacking side. David, I don't know if you want to mention ctftime.org, but that's a great website where people can go and find a huge central location of, of capture the flags that are out there, and you don't have to have any level of knowledge. You can literally just start there and just start that learning process and just keep track of the CTFs that you do. Um, go out there and
participate in the communities and the Discords, make your name out there, start to network with folks like David and other peers in your organization, and then as you develop that learning skill, yes, start to pursue certifications at the same time. And when you look at these certifications, um, look at certifications, and, and I may sound a little cynical when I say this, but you have to realize that there are certifications that help you get knowledge and make you smarter, and there are certifications that help you get past the gatekeepers in HR. And I've spoken frequently on the gatekeepers of HR, and, and it is something that, that, that is a reality we all have to acknowledge, that HR is a gatekeeper in this industry. And so I'm not a fan of CEH. I've taken multiple CEHs throughout my career. Um, I won't bash EC-Council, you know, openly, you know, like this, but it's, it's a, you know, you know, there are definitely better things out there, but it is, it is a language that HR speaks that I think is an inevitable reality. OSCP, you know, is, is a good cert, but, um, you know, there are better certs out there and there are better hands-on labs out there, but it is a language that HR speaks. And so I think when you look at certifications, you have to divide your time, money and effort up between the ones that are going to help you get past HR as a gatekeeper and the ones that are actually going to make you smart and marketable in this industry, and I think that those two things are vastly different in this industry.

I think that's great points. I mean, so to give me first certification, if I'm starting out, what should I do first, what should I do second? I mean, is there kind of a path or a roadmap of certs that you would recommend? I mean, some guys I said just go and do OSCP, but to me that seems like too much of a jump for a lot of people.

It is a jump, and I don't necessarily recommend people to jump straight to OSCP. The people who say go straight to OSCP are the people that know that OSCP is a gatekeeper for
some of the, some of the most prestigious organizations that are out there that are looking for penetration testers. But if you're looking to get in on the ground floor, um, you know, you can go take something like the, the INE, the, the former eLearnSecurity Penetration Testing Student or Junior Penetration Testing course, and those courses will not only give you a certification, but they will also give you the hands-on skills and cognitive knowledge that you need to not only get past the gatekeepers but to also make you incredibly successful when you land on the field. And so I think if you're starting out, you've got to get as much knowledge into your head, you've got to realize that it may be two to three years before you get that first job as a penetration tester, and so whether you go to college or not is really irrelevant. You still got to go out there and you've got to get the degree, or an excuse not to get the degree, get the cert, work on the labs, work on building your, your knowledge set up so that you can get that first job. I want to, I want to make that really clear: you're not going to be able to say one day "I want to be an ethical hacker" and therefore go out and get you a junior level out there for ethical hacker job. You're going to have to put in a year, two or three, get, you know, and an INE eLearnSecurity, um, you know, certification, you know, potentially start looking at your OSCP, start to build out your, uh, uh, your extracurricular activities, whether it's your home lab, whether it's working on TryHackMes or Hack The Boxes, participating in CTFs. But if I saw a resume today, and here's what I tell folks all the time, if I'm hiring for a pen tester job and I saw, and I had a junior pen tester on my team or a pen tester level one on my team, and I saw, um, an, an INE eLearnSecurity degree and then nothing else but hands-on Hack The Box, TryHackMe, CTFtime, home labs on a resume, I'd hire that kid in a heartbeat, absolutely, 100%, um, because it's the hands-on stuff that isn't
being taught outside of just a handful of certifications, you know, that are going on out there.

I think, I mean, that's great advice. I mean, it's, if I was hiring someone for a network position, it's the same thing. You want to, you want to have examples of knowledge and of work, and hands-on is always going to be much better. So I'm going to push you on this now.

So, for you, go for it.

So the eJPT from INE, that's, are you saying that's the first certification that you would recommend someone would get, or would it be, like, CEH, or what about, like, CompTIA Security+? What would you suggest? I mean, this is your opinion, so what would you suggest me to go and do if I want to break into this field?

Um, and again, my opinion, I, I think, I think eJPT, um, most people can do eJPT. What I would even say is, is INE offers their PTS, or their Pen Testing Student, which is really kind of the, the super entry level. It's almost the same, you know, I don't want to, I don't want to degrade the PTS by saying it's the CEH of the career field, but, you know, they've recognized that, that there's a need to have a truly entry-level, you know, you know, certification that's completely free. You can go to the INE website today, you can sign up and you can take the PTS, um, completely and totally free, um, from, from INE. Um, right, yeah, and so that, that gets you, you know, kind of your point, the, the Sec+, the, the Net+, the, the CEH kind of fundamentals, foundational, um, uh, and then, uh, uh, you know, then after that you can graduate up into, like, the eJPT, which then helps you start to build on top of that foundation and continue to grow up from there. But there's, there's no reason why you have to go take a CEH and pay for that course when there's content out there, especially through INE, that you can take without a, um, you know, without paying for.

And I mean, is, is, is that as well known in the industry? So if, I mean, we spoke about gatekeepers and recruiters, I mean, that's normally the big problem. If you do a search on a job website, um, will
recruiters be looking for that cert, or they're actually going to be looking for CEH or something else?

Uh, so, so that's, that's the tricky part. Most recruiters are gonna, are going to be looking for CEH, um, because that's what they know. Um, what, what I get, I have to, I have to table myself on this, because I, I can go on a high horse about bashing HR, and I've, I've, we've had, I mean, we've had, we've had several recruiters on stream and we've gone on tangents on bashing HR, because HR doesn't know, uh, HR doesn't know the difference between CEH, eJPT or anything else. What, what's, what HR does is HR asks the hiring manager, "What are you looking for?" Yeah, that's why people jump straight into OSCP, is because most hiring managers say, "Well, I know OSCP, so OSCP is the bar to entry." But quite honestly, if they make it to HR, because there's so few pen testers, just the sheer process of, um, you know, getting to HR, most HR folks will either have a conversation with you so that you can come to an interview and say, "Well, no, I don't have CEH, but I have eJPT, PTS and all of these other things," and the recruiter doesn't know enough. He just says, "Well, this looks good enough and I need to fill this req," and so they're going to pass your req on over to the hiring manager anyway. And so I hate to be a little flippant, a little, little cynical about that.

But this technical audience, so be as, be as real as you can. So if you have to swear at HR, that's fine, because, let's be honest, we're trying to help every, all the viewers here try and, you know, break in. So tell us, don't, don't mince words, as they say. Tell us exactly what do I need to do to get past these, these guys. And I mean, yeah, they'll give me a lot of comments about HR. How do I get past these wonderful people, these wonderful human resources, to get that job? And I mean, I'm really glad, you know, that you've had all this experience with the military. Um, we need to talk about NSA, because that's very interesting.

Absolutely.

We need to talk about, like, corporate, but for the
if I want to break into this field, I mean, I might want to go and work for, for a corporate first and then perhaps later go to the NSA or military or government team. But tell me, how do I do this? Give me, give me the, give me the pause.

And, and here's, and here are, here are Neal's top three things. Neal's top three things are: go to INE, get in the ecosystem, start to take the, the stuff that's available to you that's on INE. They get, they've got IT essentials that you can take, they've got, uh, you know, a pen testing essentials, they've got a networking essentials, they've got a lot of foundational level course, a lot of fundamental courses.

That's free?

Yeah, and that's free, um, that you can go and you can take, that will help you build up a good basis set of knowledge. From there, I would then advise you to continue your certification or your degree journey, whatever your heart's content is, and if that means go to eJPT next, if that means go to OSCP next, if that means go to any of the blue team certifications or blue team ranges like cyber blue range or something like that and get some of the hands-on skill there, proceed down that route. But at the same time you should be doing the hands-on piece, and this is where the Hack The Boxes, the TryHackMes, the CTFtimes, all of these, uh, put-your-hands-on mechanisms come into play. And document that hands-on mechanism, because I can tell you the HR folks and hiring managers are looking for the hands-on mechanisms in their new entry, um, in, in their junior level folks. And then the third thing, the thing that you can't, um, you know, you're not going to be able to find at any organization, this is something that you've got to do yourself: you have to network. I can tell you that most of the jobs, entry level to senior level, that happen in the cyber security industry come with you networking. And I can tell you that I've had people reach out to me on LinkedIn, and, uh, and, and, and, you know, I've welcomed them into the community. I'm like, hey, I see that you're, I
actually have a campaign where I go and I look for people who are brand new to cyber security and I invite them into my LinkedIn network to try to help provide them with mentoring, and, you know, oftentimes their idea of mentoring is they simply send me a message like, "Hey, I'm two years from graduating, can you help me find a job?" That's not networking. That's not networking. This industry is so close-knit that most people know each other. Most people, when they're looking for stuff, you pick up the phone and you call a friend, or you call a CSO, or you call another red team operator, or you call another penetration tester, you say, "Hey, I need a pen tester for this," or "I need, I'm looking for an analyst for that." And so you have to build up that network and you have to participate. You truly have to embrace that about our industry. And those are the three things that I would say that, if you're looking to break into this, that's your 2021 and your 2022 strategy, is to focus on those things. I think if you're, if you're on LinkedIn and you don't have, um, you know, a thousand, a thousand followers in the cyber security industry by the end of 2021, you're behind on the networking curve.

So I'm really glad, because now you've changed the title of this video, because I was going to talk about five top certifications, but now we're going to call it the top three things to break into this industry or something like that. So can you just repeat that again, so that it's ex-, that it's clear for everyone: what are the top three things they need to do?

So, so Neal's top three things that they need to do to get into cyber security. Uh, uh, first and foremost, you need to go to, you know, INE's, uh, uh, INE's website, and you need to sign up for the, the available training that's there for free. That, that'll get you the basics for, uh, IT essentials, it'll give you the basis for some networking essentials, it'll give you the basics for some penetration testing essentials. Don't waste your money on CEH, don't waste your money on, on
Sec+. Um, instead, go to INE training and start there. Once you're done with that, you need to go out there and you need to look for the hands-on training that's available, um, for free or for cheap, and that would be things like Hack The Box, TryHackMe, ctftime.org, which is a website that aggregates, uh, capture the flags inside.

I'll put a whole bunch of links below, so if you can send me those after the call, they'll be great.

Absolutely. Uh, cyber blue range, all this stuff. Get you some hands-on experience, build yourself a home lab, um, start doing, uh, your, your own, you know, stuff at home that you can do pretty easily. There's, there's tons of things out there that you can do on yourself. So that's two things. The third thing is you need to network. If you are not on LinkedIn, you need to be on LinkedIn. You need to have a profile that is indicative of what you want to do in this professional world, and it needs to start to look like your digital resume, and you need to treat your LinkedIn profile like your digital resume. And then you need to start networking with folks in this industry, and I'll tell you right now, you can network with me, I'm sure you can network with David on LinkedIn.

Definitely, yeah.

We'd be, we'd love to have you. And, and, and then just start, you know, you know, reaching out to folks that, you know, reaching out to, um, you know, folks inside the company that you work for. Just start building that network. Start small, but build that network out, um, in this industry. And my goal for you, my goal for anybody who's listening, is get you a thousand connections in LinkedIn in a year, in 2021. Um, there's no reason why you can't make a thousand connections in 2021. As a matter of fact, I'll tell you this: you can do, uh, I think it's, it's 72 connections a day on LinkedIn is the max that you can do before LinkedIn starts to raise a red flag. I know because I've, I've kind of tested that a little bit. Um, and so there's no reason why you can't get you a thousand solid connections by the end of 2021, and
if you focus hard on the cyber security industry, then when you've done all of the other two things, you'll have a network of folks that would die to help you find a job in this industry.

That's great advice. So now I'm gonna play devil's advocate, as they say. I'm going to push it, so forgive me. Okay, so second thing you said is, you know, we've got to TryHack-, Hack The Box, we're going to try these things. Um, how do I document what I've done? So like you said, you document what you've done, but now explain to me, in the different websites, how do I actually document what I've done?

Absolutely, no, fantastic. And I've talked about this on my stream before, uh, in the past as well. We've had recruiters on stream that have, have, have helped back this up, right? And when you look at a, a person who's come into this career field, if, to your point, right, you're the 17-year-old who's trying to decide how to get in this career field, you don't have a whole lot on your resume, right? If you think about a eight and a half by eleven piece of paper...

Or I'm thirty and I've been doing building, or, uh, I mean, a salesman or whatever, you know, how do I break in?

Yeah, yeah, you don't, you don't have, you don't have a lot of that cyber experience that you can put on that eight and a half by eleven. Um, and so when you look at that real estate, people oftentimes fill it up with a lot of, like, you know, uh, you know, click-baity type stuff or word jargon, where they're like, "I know, I know Windows 3.1, Windows NT, Windows 95."

What do you show me, what is it?

Yeah, exactly. Um, they try to put all that stuff in there to try to get through the computer filters, and I tell people, when I mentor people, I tell people: strip all that stuff out of your resume. Take all of that stuff out of your resume. What your resume can have instead is the, the Hack The Box, the CTFs, the TryHackMe website stuff. You can document those as experiences on your resume the same way you would as if you actually did a job where you did those things. So if you
achieve level 9000 for for folks who are used to the dragon ball z 9000 reference you know if you achieved level 9000 in try hack me by the time you you started to just to look for your first pen testing job you should document i am in the top ten percent or i'm in the top one percent of all people on the the try hack me leaderboard um i've achieved level 9000 on try hack me i've um i've completed 4 000 challenges in hack the box i've gone to you know 10 16 capture the flag events this year and placed in the top five and half of them right there are things that you can put on your resume that show your outreach that i think have gone completely unnoticed by by you know folks who are trying to get into this industry so this is great because i come from originally from a networking background and it's very difficult to prove experience in a networking background but what you're saying to people here is even if they're doing this part-time so they they're in sales or they're in some kind of job that's totally different is this a way that you're saying to build up experience without actually being in this industry is that kind of what we're doing a hundred percent when you look at some of the when you look at some of the the entities that are coming up out there um you know that are doing a lot of these labs online cyber cyber blue range uh try hack me hack the box um even all the ctfs that are out there even this year 2020 was an unprecedented year with a pandemic but it was the first year that def con had done all of their capture the flags 100 percent virtual as part of defcon safe mode and so this was a year where you could have participated in the defcon capture the flags um and documented that and shown that as experience and you didn't have to pay a dime for defcon this year um and and so it would have been something that you could have put that on your on your experience where you participated in the def con ctf and you did whatever else it is those are things that show 
that you're not just trying to get a cert get a job which is typically what we see in this industry you're trying to get a cert you're learning on your own you're showing the passion for it you're showing your ability to think outside of the certification bubble and that is what hiring managers are looking for i mean i just want to emphasize this i mean this is a road map for someone to get experience with without actually having a full-time job and i think that's fantastic because that's very difficult to do in other sort of it spheres you know how do you prove that you've got networking experience if you're not working on corporate networks but what you're saying here is this is kind of a road map to get the relevant experience that someone like you would would use to hire someone without actually working full-time so i need to push you on this now so if if i was applying well i'm let's let's assume i'm 17 or 30. it doesn't matter but i i'm new to this industry i you i want to get a job with you you you you recruiting for a corporate position or for the nsa or whatever but let's start with corporate are you saying that you would hire me if i had just of some basic certifications or none but i could prove a whole bunch of experience with hack the box and all the others are you saying that's that that's enough or what do you say if we're stipulating that i have an open job req for penetration tester on my team and i needed a penetration tester on my team would i hire somebody who is brand new to the career field who had a cert and a ton of hands-on experience that was demonstrable inside the industry 100 percent i would do that today i mean that's fantastic because it it sounds like what you're giving everyone who's watching is a way to break in without making the mistake and i think a lot of people make this mistake they think they have to leave their job and be unemployed to get a degree or get a cert before they can actually break in that's absolutely not the case i i 
am vehemently opposed to that i think i think this is one of cyber security is an amazing industry and it's it's an industry that that was born in technology not to say that that it you know networking was not born in technology but born with some people who are like i want to practice breaking into systems it is illegal to break into a system without permission how do i actually practice breaking in a system and we as a community have built companies we've built you know free freemium versions of things we've built entire ecosystems that have challenged the community and been able to provide the community with the ability to practice not only breaking into systems in a legal ethical safe fashion that allows you to have fun and show your experience doing it but also to defend systems and be able to hunt for bad bad stuff inside of a network and be able to practice the network defense side of things in a safe easy to accomplish a type of of hands-on almost ojt without actually having the job type training um and and there's no need to your point david quit your job think about going back to school for for two to four years you know commit yourself to you know i i to to the to the bane of trying to get you know 7 000 certs just to get an entry level you know penetration tester job that that that's just that's not what this industry is about i'm really glad you said that because it's um it's always a problem how do i get in how do i get experience without a job to give me experience and you've basically given us the roadmap for that yes so next thing how do i network because you said it's important to network so um tell me you know i'm a very pragmatic person tell me how would you suggest networking you mentioned updating linkedin profile yeah yeah and then like sending your connection request any other tips to you know sort of network in this community yeah absolutely i think um um you know i i i i want to preface something on networking i think the the the younger 
generation you know if we use your 17-year 30-year-old example right i think i think the younger generation has it easier on the networking side than the older generation like like myself and yourself right i think i think when i talk to folks who have been accountants or lawyers or construction workers that want to get into cyber security they have a harder time with the the linkedin story and the networking side of it than the younger generation does so so i think the younger generation knows how to use social media but one of the things that i want to focus everybody in on is when you look at social media when you look at linkedin when you looked at twitter um you know really focus in on um you know what your goals and objectives are with that platform right linkedin is a platform of professional people and so your picture needs to be not you playing at the beer pong table it needs to be you know you know you look nice have a nice shirt on look kind of professional um you know and then when you when you talk about yourself you you highlight your successes um you're a student at xyz university or you're you're your graduate use the headlines to your advantage hey i'm looking for my first cyber security job um talk about the things that you've done you know really use that as a platform to to highlight you know that you're capable and qualified um to to be in this field and then when you do that you can participate in groups on linkedin you can engage in in other folks when you see me post something we see david post something when you see somebody you follow post something that's cyber security related take an active effort um to comment and to interact and engage in those posts so that people are used to seeing your name um if your viewers uh this this may not be an influencer that that you know many of your viewers may be familiar with may not be familiar with but there's a us business person called gary vaynerchuk um i think he's very well known yeah okay 
good just make it sure i i was kind of kind of cynical there for that one but go for it if um if if you're not following garyvee you should definitely follow garyvee because he's kind of kind of his uh his uh his strategy when it comes to to growing your following on on linkedin or twitter and he talks about you know find you know six people who are who are in your industry um comment on all six of their posts every single time that they uh that make a comment um those types of interactions show that you want to be in this community you're not just here for the bells and whistles because it looks cool because ethical hacking is the the new sexy but you're getting people to see your opinion um you know thank them for their experience if you want to or say this is interesting i never thought about this or if there's something that you do have an opinion on like the solarwinds thing that just happened last month or the fireeye you know incident that happened last month if you have an opinion on those things voice your opinion let people know your stance let people know what you've researched on the matter right when you've gone out there and read up on it um you know really treat those as interactive platforms and that's that engagement right there will draw people to you and will let them know that you're you're active and you're interested in this community that's great advice i never thought i'd hear gary vee on a call like this but it's it but it's there's no better person to follow on social media or how to use social media and i mean i'll second that i mean it's exactly that as neil said if you if you want to learn how to be good at social media look at what he does and he's got a good he's got a few good books as well um so you've mentioned linkedin and you've mentioned twitter are there any other sort of social media platforms that you would suggest someone join and get heavily involved in um for the sole purpose of networking in cyber security not necessarily 
um i think i think those two are really the kind of the primary vectors that infosec uses to to do communication um you know discords are you know i hate to i hate to talk about discords being a dime a dozen but discords are a dime a dozen out there there's everybody almost everybody and their brother's got a discord out there um discords can be a little bit of a sea of you know how do i find the right people if you've got the emotional bandwidth and the mental you know fortitude to to trove through discords i would definitely encourage that and then obviously reddit is is sometimes kind of like you know the the the overly cynical version of social media but there's there's some really good subreddits that are out there that that i think are are worth you know perusing through but i think the majority of infosec relies heavily on on twitter for their primary social communication with their peers but linkedin is your digital resume and so you need to make sure that your your digital persona of your professional image is is solid on linkedin and then your engagement is is active over on twitter okay so going back to the first one because i i i want to push you on this start with some ine free certs free training and if i had to get one certification to open the door it would be oscp is that right as of right now i think i think oscp is is the easiest one to get past the gatekeepers um you know that's out there um i i think we'll see that change um you know i think uh you know i know this is a longer answer i usually do yes or no's uh for questions like this that's great go for it um i think i think we'll see that change um sans is starting to price itself out of the industry i've seen so many comments on on in the twitterverse and and on linkedin in my peer group um and and having run security operations teams i can tell you that paying over seven thousand dollars per person on top of travel and expenses kind of pre-covid um it crushes your training budget it 
crushes your training budget and and so i think the i think the tides are shifting and and while i think oscp was the gold standard i think ine um you know is going to surpass them if they haven't already just in terms of that name name recognition i mean that's great i mean it's i think we've got a a great roadmap three things that someone can do very practically and i think the most important piece that you've mentioned is the is the second part which is get practical experience in your spare time you don't have to you know leave your job get this on the side and then build up that experience and then as you make more and more connections and that's a great challenge that you gave you know get a thousand uh followers or contacts um on linkedin make a thousand i i've hit 30 000 so apologies to everyone who sends me a connection on linkedin i can't accept it anymore because they limit it at 30 000. it's terrible same on facebook i mean i can't take facebook friends because i've hit 5 000 it's it's oh wow can't take anymore but um it's amazing i so i want to talk about that briefly is and see if you if you agree with me i used to hate social media and i used to you know think i need to keep everything private but as soon as i started engaging with social media as soon as i started using it the doors started opening and have you had the same experience i i have and when i started my linkedin i was in the military and i had a top secret security clearance and i was doing you know cyber work in in the military and you know that was the very paranoid opsec days operational security days in the military but but i took a stance that was like you know i'm going to control what i put onto social media so that the image that the social world sees of me is the image that i want social people to see with see of me and especially when you take that persona on linkedin and you realize that your linkedin is what your boss your future boss is going to look at your future peers are 
going to look at people who are trying to evaluate whether they're going to hire you or not in the recruiting space when recruiters are out there looking for you when you realize that that's your audience on linkedin you want that to be a digital resume a testament to how awesome you are in this space whether you're whether you're just starting out or whether you've been in this space for 20 years you want that digital footprint to look like that um i can tell you that um since i've been out of the military since we're on the linkedin topic um i think i've gotten um uh two jobs since i've been out of the military um by actually looking for a job on a job board and sending out a resume and applying for it and that was the first job i had when i got out of the military in in 2013 and the job that i had immediately after that those two jobs were the only two jobs that i've actually ever sent out a resume for that applied for everything else has come from recruiters reaching out to me has come from you know your partners at a big four reaching out to me csos uh at other companies reaching out to me uh that's how those jobs have come to me is is reach outs over linkedin and not actually by applying for jobs uh in the space i mean it's a great testament i mean i know you've taken this to the next level you've been on tv is that right that's right i i've been on i've been on bloomberg so i mean they they were quizzing you about um i i didn't see the interview they were quizzing you about something i'm assuming some hack or something it was the solarwinds hack yeah yeah and i mean that obviously opens up a huge opportunity for you because if people see you on television they're going to want to give get you involved in their next project it's exposure it is it's 100 exposure you you know it's and and and make no mistake i i feel ridiculously blessed i don't i count my blessings every day that that i've been able to grow up and i've been able to be successful in this this 
industry but it's it's not i tell people this all the time it's like it's like you know i have found i found gold and i want to share it with literally everybody um because it's not outside the reach and i'll i'll tell i'll tell you this you can cut it in or out if you want to um uh i i didn't get accepted into college when i when i graduated high school i got turned down to go into college um i got my first jobs um based solely on the fact that i was a 18 year old kid who had you know you know built some of the first web pages for north carolina state university built some of the first web pages for for wake county public school systems this is back in the 90s when html was first kicking off i was able to demonstrate for these people that i may not have gone to college but i i demonstrated being able to write html i didn't get my degree until the air force handed me a degree um you know some number of years ago um you know just because you you did your your time in service inside the air force and so i don't have a i don't i don't have a formal you know collegiate degree um and so i i can do it and i know that everybody else out there can do it and i know that that everybody's trying to push degrees and promote degrees because that's the society that we live in that you have to go to a higher education and you have to go get a degree and you have to be successful but but you know this industry is different than engineering than accounting than legal and all of those others out there that that's just not true you think i'm not going to put that in that's going to be right in the beginning and neil we we're running out of time i mean this could go on for a long time and i i wanted to quiz you about you know solarwinds and stuff like that but you know we're right we've only got a few minutes so tell me you you did work for the nsa and i think that's that's something a lot of people may aspire to or may aspire to be on the other side of the fence but let's not get 
into that so so tell me is the nsa made of supermen and people who are just like out there intelligent or is it normal people and you know if i want to start out is that is that is it possible for someone like me to work towards working there uh so i'll start with the second question first second question is unequivocally yes 100 percent the the whether it's whether it's the nsa the fbi um uh cia any any i i don't know anybody at gchq but but you know i imagine gchq is obviously looking cyber is huge and the governments are big big push in the uk i'll just interject that they're trying to get more and more people involved yeah big push yeah i mean there are there are the governments recognize the value of getting uh more people who who come up in this space um actively involved in offensive security so yes the second question is easy the nsa would absolutely hire you without you being a superstar i don't mean that like you shouldn't you shouldn't you shouldn't be a slacker but you know you don't have to think that you're you know kevin mitnick reincarnate to go work at the nsa um trust me when i say you don't have to break the law and get arrested and then go work at the nsa that's not a career path that's not a career path you're not advocating that then i'm not advocating that i i know it's been televised but that's not a career path um if you if you do the same things that you would do like what we're talking about now the nsa being a government entity they're going to push you into a four-year degree i think the government is working on trying to figure out how to solve that problem um on the u.s side that's something that you know unfortunately you may have to fight the system when it comes to doing something like that uh you know we're still not that mature as a cyber security industry now to your first question there are some crazy crazy smart people uh that work there there is a um um there is a there's a team of folks um and and and when i was there it was it was a 
couple hundred folks who who do all of the exploit development tool development capability development um you know you know dnt you know was was the name of it when i was there who who does all of the the things that you read about or the things that you dream about or even some of the the crazy stuff that you see in tvs that's that team and and these are probably some especially on the crypto side not not so much on the hacking side but especially on the math and crypto side these are some guys who um if you ever seen the movie um rising mercury with bruce willis and the kid and you've got this kid who's got autism but he looks at a page and can figure out that it's like the most complicated cryptographic algorithm out there and he can break it just by looking at it they have people like that who as soon as they turn the legal age of 18 the nsa plucked them right out and put them into a building with no windows fluorescent lights and a drop ceiling and that's where they've spent the last 10 to 15 years of their life and so yes they are ridiculously smart and ridiculously weird all at the same time i'm sorry everyone we're running out of time neil's got another meeting in a few minutes so neil i'm afraid i'm going to have to like twist your arm and get you back because i wanted to i want to twist your arm to talk about solar winds yeah could i ask everyone to put comments below you know what would you like neil to talk about on another another video um and should we do a live i think he's he's big on twitch but i want to get him on on the channel as well neil i really want to thank you for your time i mean um please mention your your social media accounts again for everyone so they can follow you i'll put them below as well and any any closing words no david thank you so very much for having me it's it's an honor to to be with somebody like yourself your your videos are amazing the content you put out is is really awesome and so i'm i'm super excited the 
opportunity to to to be part of this i would welcome the opportunity to to to come back on and and do another and talk to your audience um for those who are looking for me uh you can find me on twitter at itjunkie all one word you can find me on linkedin under neil bridges um or you can find me on twitch every monday wednesday and saturday at 7 p.m central standard time in the u.s at cyber insecurity cyber underscore in security and and just to give a little brief on that it's a little play on some of the imposter syndrome um that is inherent inside the cyber security industry let you know that you know anybody out there who's listening to this imposter syndrome isn't just related to to you because you're new in the industry anything like that i can tell you that i've been in this industry for 20 years um i and i can i can cite instances as recently as a few months ago where i've had my own cases of imposter syndrome and so i've been social it happens to us all and so so come join a community where we try to break down those barriers we talk about all aspects of cyber security and you're welcome in a group of people that just want to see you you grow and be the best version of yourself inside this industry that you can be neil i really appreciate it appreciate that man that's fantastic speak to you later cheers absolutely cheers