Gordon Draper (00:03):
Welcome back to the Cyber Consulting Room podcast with your host Gordon Draper. In this second part of our captivating two part series, we are diving back into the riveting discussion with our esteemed panellists recorded live at Tuskcon on the Sunshine Coast in Queensland, Australia. If you haven't already, make sure to check out the previous episode to catch the first half of our engaging conversation. Joining us again are Prashant Mahajan, Director of Payatu Australia, which is a cyber consulting firm. Amy Nightingale, a self-employed senior consultant in incident response and forensics, who is also a cybersecurity instructor at the University of Sydney and John Gerardos, a self-employed principal consultant in enterprise security architecture and cybersecurity instructor at the University of Sydney. Together they bring a wealth of experience and insights into the ever evolving landscape of cybersecurity. So buckle up for another round of illuminating discussions with these industry experts on the Cyber Consulting Room podcast. The next question I've got is definitely an interesting one. So what ethical guidelines should cybersecurity consultants follow in their engagements? Ethical as an ethical hacker. People should be following ethical guidelines. How do you apply the ethical guidelines to your consulting practises

Prashant Mahajan (01:28):
As a security consultant? Stick to the scope. If you feel you want to explore something which is a bit out of scope because you happen to notice something, ask permission. Majority of the clients will not say new are not allowed. They'll actually be more interested in trying to know what you found after that.

Gordon Draper (01:47):
Yeah, that's been my experience as well. If you ask, they'll may let you have a look.

Amy Nightingale (01:53):
Yeah, no, a hundred percent. For me, I think one very, very important skill and I kind of need to amend the fact that I said my number one skill is learning, but also along with the number one is communication. As a consultant, I think communication in terms of when we're talking about ethical guidelines, it's really, really key as well. I think it's really important to stay in scope definitely, but definitely very clear communication with the clients and also with the consultancy that you're working under as well, being able to know exactly what people expectations are, what's actually happening, what's actually going on, what their scope is. Just having that understanding from the start, that bit of discovery that you need to do right before you start an engagement or actually get hands-on and then being able to communicate any steps or anything as you go along and making those decisions.

John Gerardos (02:39):
For the most part, I think that the answers cover everything that I would've said. The only one thing that I would say is especially when you are consulting, be very careful with upselling stuff or basically saying the sky is falling. A lot of people in security tend to jump to the conclusion that the sky is falling because there's a vulnerability. I think you have to put things into scope and make sure you communicate it properly to the client rather than the sky is falling, let's upsell you a few million dollars worth of stuff, which I do tend to see occasionally. The other side of it, especially if you are new to the industry and you are on the offensive side, just realise everything, all the skills and knowledge and tools we use, they're double-edged swords. Just make sure you are actually using them for ethical and legal purposes. That's something that's critical in this industry and what I say to my students all the time is you don't want to do the wrong thing because it ends your career very, very quickly.

Gordon Draper (03:36):
Trust and integrity as well as quality and work, but definitely the trust and integrity are the highest values within cybersecurity I've found, especially in consulting. So with regards to cybersecurity consulting, what skills and qualities are most sought after when hiring cybersecurity consultants?

John Gerardos (03:56):
We've actually been through this very recently in my organisation. What we tend to look for is aptitude, the ability to learn and the passion for learning. You don't necessarily need to know everything. You need to be willing to learn and able to learn and know enough to be able to independently learn and ask questions. Other than that, honestly, it just goes from there. Depending on how senior you're going to be hired, obviously if you're going to be hired for a senior or a principal role, you need to have a little bit more than that. But if you are getting into the industry knowing a little bit about the industry and being capable of learning and showing it, demonstrating that you have passion for the industry, whether by going to conferences, participating in events, and showing a little bit of knowledge and interest, I think that goes a long way.

Prashant Mahajan (04:50):
Like John mentioned, these types of skills and qualities would depend on the type of role which is open. Essentially passion, are you able to learn yourself and majority of the times also, and when I've been taking interviews, I will ask them other questions than technology and cybersecurity to get to know them because at the end of the day, it's not a single person, it's a team. Are you a people person? Do you fit into the team dynamics or not? You might have the best skillset, but if you don't fit in the team, then potentially you might not get offered the job,

Gordon Draper (05:25):
Especially in an offensive group that is being used as a collection of offensive draws as some unique people, and so you need to make sure that they can all work together. So what do you foresee as the future trends and challenges in the cybersecurity consulting industry?

Prashant Mahajan (05:43):
Buzz was creating more challenges, people misinterpreting technologies, basically creating FUD (fear uncertainty and doubt) that the sky is falling see at the moment with all the interest and other aspects of ai, it is something, but does that mean it's going to completely solve all your problems? No, it is a tool. Use it in your arsal.

Amy Nightingale (06:04):
Yeah, that's actually a really good point there. Prashant, when it comes to, a lot of people are trying to buy band-aids to their situation and a lot of different vendors are going out and saying, we will solve all your problems if you buy us. They might spend all their budget just throwing it out without any investing in actual having a proper team to manage it or being able to actually know how to use the tools properly. Quite often they just throw money at it, say that solves all their issues without actually narrowing down and spending time to actually work out what the fundamental issues are, what are the actual building blocks that they should be focusing on in their security posture. It is an issue right now and I can see it continuing becoming more and more of an issue in the future. So yeah, added to that, I think it's improving on most fronts of things when it comes to, for example, skill shortages, there's a lot more happening right now. I think those kinds of things are definitely improving, but that one there, I don't see improving anytime soon.

John Gerardos (07:00):
Yeah, it's a good one that the AI front was mentioned. So AI has been in the media for many, many reasons and a lot of people say, oh, is that going to take over our job? I think it's the opposite at the moment, especially if you're working in security, all the security awareness things you tell people, watch out for phishing emails, look for the misspellings, look for the typos, look for this, look for that right now you can say, Hey, chat GPT, write me a very convincing phishing email and it will and anyone has access to that. So I actually think it's going to make our life a little bit harder for a while. On top of that, everything is now IOT and that's growing. Not all of those devices are easy to update and vulnerabilities will be found. So that's something we have to deal with for now and it'll eventually improve, but I think it's going to get a little bit worse before it gets better.

Gordon Draper (07:50):
What role do you see emerging technologies like AI and machine learning, even ot, iot and blockchain playing in cybersecurity?

Amy Nightingale (08:01):
Fundamentally, I like to, when it comes to a lot of these questions, and I do get them really, really frequently, especially from when working with students or people newly arriving at

Gordon Draper (08:10):
AI is going to take our Job

Amy Nightingale (08:10):
are they going to take our job? Oh gosh, something to understand is a lot of these different technologies, I'm going to group them together right now, but a lot of these technologies are actually fundamentally tools. It's same as will Google take my job? It's a tool that really helps and assists with you to improve your current skillset. So for example, you can use machine learning, you can use ai, you can use all these ot, blockchain, you can use those and build on it. And I like to kind of put it in the analogy of like a calculator. You don't have to calculate things anymore. You can put that little part of your brain and put that to the side and say, okay, we've got a little machine to handle that. Now let's focus on the important stuff that they can't do, they can't handle, and especially when you're working in consultancy, there's heaps out there, so it is just a tour at the end of the day and you're just building knowledge on it. So that's the way I like to really put it forwards as

Prashant Mahajan (08:58):
Should we also mention quantum computing?

Gordon Draper (09:01):
Let's not get into the particular topic that I read somewhere that apparently the various agencies around the world are trying to lower encryption standards with the transformation into quantum computing. Let's focus on quantum computing, is going to break some classical cryptography, but we've also got post quantum algorithms these days

Prashant Mahajan (09:23):
These technology, there will be new problems which come and new solutions with that as well. So even talk about quantum computing. If you see recently signal protocol has been updated to support post quantum to provide encryption cyphers. That is I think a trend which is going to come. There are a lot more technologies which are going to come in future. Each of them will have their own pros and cons.

Gordon Draper (09:42):
Hey look, new technology, I think I've got to learn something new.

Prashant Mahajan (09:45):
Sometimes these technologies will actually make your job easier so you can actually focus on the other interesting bits.

Gordon Draper (09:51):
How is the shortage of skilled cybersecurity professionals affecting the consulting industry and do you know of any measures that are being taken to address this gap?

John Gerardos (10:00):
I run a cybersecurity bootcamp.

(10:04):
Obviously there's a whole bunch of training out there, a lot of new upcoming training, but also there's a lot of mentoring initiatives out there. I personally volunteer with the AWSN (Australian Women in Securty Network), but I've also mentored a lot of people outside of AWSN, whether they're interns, students, or even some senior pen testers. Basically the shortage is affecting getting people who are basically ready to hit the ground running. There's a lot of people out there that have the skill to learn, have the ability to learn and have some knowledge. I think the unfortunate thing is the amounts of people required in entry level is a lot less than the amount of people required in the medium to senior level and getting enough people through that funnel, getting them through the entry level funnel so that they can upskill is difficult and that's where those courses come in.

(10:58):
That's where that mentoring comes in. Organisations are starting to realise that, but no one wants to train the entry level person because they might go somewhere else and a lot of people are starting to realise, well, what if we don't train them and they just stick around and we don't get much value. So training budgets are improving a little bit and some people are starting to see that you do need to invest, you do need to mentor people. Like I said, those mentoring programmes are starting to become a lot more official, a lot more open and advertised. Things will improve a little bit that way because visibility of that shortage and the importance of the industry is increasing.

Amy Nightingale (11:37):
I think I'll take it from more positive approach honestly. I mean there's more entry level roles and also training courses for people who want to join the industry than ever. It's definitely improving. It's definitely something that is people more and more aware, especially if you come from a background, but you come from a professional background that is really, really well sought after and it should never downplay any of your skills, any of them, no matter what field you come from. Having that extra skillset, that extra perspective from working in whatever field you worked in does actually help immensely because security isn't just about one specific area. It's quite often you're working with people quite often when you get a role in certain areas, that perspective helps immensely or that skillset as well, especially communication, especially being able to see their points of view. So I think that's one thing that I think is something that's not really talked about as much and also not to downplay your skillset too much.

(12:37):
Quite often people who think they're junior think they can't really do it, but if you have a bit of technical knowledge and you have some hands-on experience, just go for those roles which are mid, just go for them and let the person, the interviewer actually decide for you whether or not you're experienced enough for that role. A lot of the students that I'd be teaching often end up in a mid-level role from the get go, even though they feel like they're a student, they're just learning, but they managed to get themselves enough hands-on experience that they could just go straight for it and quite often that's sometimes just the key. You don't have to lock yourself in just purely to those roles since they are also limited, but because there's so much search for mid, quite often the people who are actually qualified for mid just don't end up applying. So that's something also to be aware of.

John Gerardos (13:17):
Just to add one thing to what Amy said, I do support what she said, and a lot of people don't get a job just because they excluded themselves from applying thinking they're not qualified enough. So

Gordon Draper (13:29):
That's where the HR job descriptions come in that require 10 years experience by the age of 20 in technology that just got released a month ago,

John Gerardos (13:38):
And if you think you've got most of the skills apply and let them decide.

Prashant Mahajan (13:42):
It's not that you need to completely match a hundred percent of the skills mentioned in the job description. HR is also trying to cast a wide net. They're trying to get more people to apply, so they list all of the things. Doesn't mean all of them are checkbox. You need to have each and everything at the same time. When you're applying, do tailor your application to the requirements instead of using one single blanket template and blasting it to 200 people or more.

Amy Nightingale (14:09):
But I do think it's important to focus on hands-on experience. Trying to get your hands-on try to get into a role as soon as possible is very, very important. I mean, we did touch this earlier when talking about certifications.

Gordon Draper (14:19):
I think that answers the question that I was going with to lead into the three of you have answered it beautifully. What would you say is a common myth about the consulting industry?

John Gerardos (14:30):
I think people look at the consulting industry thinking it's a mysterious black box. It's super hard to get into and you need to be the most intelligent person in the world to get a job in the industry. Realistically, it's not we're all human. Everyone has strength and weaknesses. As long as you know something about security, you should be able to work in the industry and basically you end up working in a team anyway and no one knows everything. So make sure you make use of your team, make sure you ask questions and make sure you lean on each other for support. You might be the best pen tester in the world and then you need to write a report that's a little bit more GRC focused. Ask one of your GRC colleagues for help. Ask them how to relate it better to the business because this brings me back to something I said earlier. A lot of really technical people find a vulnerability and say, the sky's falling. You are better off relating it back to the business and writing it up a little bit better in context. And the best way of doing that is to ask for support from someone who has that skillset. I'm not picking on that particular skill itself. I'm just saying if you're in a consultancy, you make use of other people and you get support from other people because no one knows everything.

Prashant Mahajan (15:49):
The industry is not as flashy as you see in the movies or TV shows. You mean it doesn't take, there's no enhance or a hacker type two hands on, keyboard on the same keyboard, on the same keyboard.

(16:03):
Here's an interesting one, which I'm looking forward to hearing some answers on. What is one of your most memorable experiences in consulting or working with consultants in cybersecurity?

John Gerardos (16:13):
Most memorable experience, I got to break into a factory and the best part is I was legally allowed to break into the factory. I think there's a lot of really, really cool gigs, really cool things you can do as a consultant regardless of what you specialise in. I've worked in GRC, I've worked in pen testing and I've worked in security architecture and in every single one of those I've had some really cool experiences and I've had some slightly more boring experiences. Regardless of where you are, there's really, really cool things you can do. I'll go back to that factory. That was my most memorable. It was cool and I was working on that night until 3:00 AM

Amy Nightingale (16:52):
Related back to the cross skilling section of it as well. I mentioned before that I have studied Japanese and university as well. That actually randomly happened to lead me to the experience of being able to consult for the 2020 Olympics in Tokyo. So just random things like that. They were like, oh, who actually speaks Japanese? Can we grab anyone? And I was in there. I could at least make sure the translator was being correct and also be the security consultant at the same time, so that helps immensely and that engagement, so that was really quite a bit of an exciting experience for me personally. Even just the fact of working on certain Blue team CTFs as well because of the fact that I had a lot of programming background meant I could set up platform look for, I think it's the largest blue team, CTF in the world "Boss of the SOC" and also the presentation being able to present, but since I did a lot of presentations as well, those cross skilling there really helped with picking up these random little opportunities. Those honestly are pretty much gems in my experience in consultant and I think if you want to get really great experiences, I think it's all about putting your hand up for it and giving it a go. It's scary, it's really scary, but if you think you can learn anything, you can just go for it. Just go for it and figure it out as you go along. Ask people for help and just work your way through it, and I think you learn the most and get the best experiences out of it.

Prashant Mahajan (18:10):
One of my memorable experience from a specifically consulting space was a Pen Test project for a specific client and basically within one hour of me getting access to the network, I basically had a meeting with the client and basically told them how trivial it was for anybody to gain privileged access in the environment. The next day, the client basically had arranged a meeting with the entire management where I was to give them a debrief of what the project was, what I was trying to do and what I was identified, and that basically led to a cascading chain of events, which led the entire company to uproot their entire network environment and basically build everything from scratch with security and design.

Gordon Draper (18:56):
Oh wow. That's pretty memorable. Yes. In that case, the sky was falling,

Prashant Mahajan (19:02):
Not really in falling, but I was already inside the network, so it was sound very easy for somebody to have. If they have access to the office, then it's pretty trivial to get anybody, like most organisations like Coconut. Anyways.

Gordon Draper (19:17):
Yeah, that's a good description. I think of it as an M and M, Hard on the outside.

Prashant Mahajan (19:21):
On the outside. Be

Gordon Draper (19:22):
Soft in the middle. Yeah. So I want to thank you all for being here today and sharing your time. What would you like to share as the most important lesson you've learned over your career?

Prashant Mahajan (19:36):
For me is the community is the best part about this industry and basically all the things which I've been able to do so far. It was because of the community and that's why I'm always part of the community and try to basically pay it forward.

Amy Nightingale (19:53):
For me personally, there is a lot when it comes to importance, I think it's just taken it one step at a time. It's very easy to get very, very overwhelmed with so many different things going on, especially in the security industry. It's always so fast paced and you want to keep on enjoying it, so it's about keep finding the enjoyments things that you really love and just pursue it, chase after it, and also pace yourself while doing it. Because burnout is a problem. It is an issue. It is a massive, massive issue, especially in consultancy. You don't want to hit that stage whatsoever. It's just about taking it one step at a time. Don't rush into it. I think it's a really important lesson that a lot of people learn the hard way, so just take it easy and find the small things that you enjoy and also find things that are not tech that you enjoy. Please just find a hobby, get yourself active or do something even if it's not active, just keep yourself away from a screen and enjoy that as well. That really helps immensely.

John Gerardos (20:49):
I'm going to say never stop learning at the same time. Be humble and don't burn out, so do pace yourself and be careful because it is a really, really cool industry. A lot of people in the industry are super passionate about it, but accidentally that tends to lean to burnout when you are up until 6:00 AM in the morning because you're working on a really, really cool CTF, so do pace yourself and be careful about that. Also, just never stop learning and keep the passion going.

Gordon Draper (21:19):
Yeah, burnout is a very big issue within cybersecurity as well as consulting. I found myself at one point doing two eight hour shifts in a day, a few days a week, and that just burnt me out. Definitely. One of the lessons that I've learned is it's a marathon, not a sprint. You've got to keep yourself going. Just to wrap up, I just want to thank all of you for your time and for each of you, can you please share how our audience can find you online?

Prashant Mahajan (21:47):
I'm Prashant3535 on more social media.

Amy Nightingale (21:50):
My name's, well full name's Amy Nightingale. Quite often I'm ANightingale, but there's not very many Amy Nightingale's out there, so generally I'm listed straight under there. My main platform probably is honestly LinkedIn at the moment,

John Gerardos (22:01):
LinkedIn, Twitter, if you want to see me active Blue Sky or Mastodon, if you just want to see an account, if you search for my name, John Gerardos and you get the surname correctly spelled, I am literally the only one out there. If you're interested, feel free to connect and we'll go from there

Prashant Mahajan (22:17):
Or just play the musical G note and G will appear.

Gordon Draper (22:22):
Yes. Awesome. Thank you very much for your time, and thank you for sharing your expertise and knowledge on the Cyber Consulting Room podcast.

(22:32):
As we conclude this two part series from Tuskcon on the Sunshine Coast in Queensland, Australia. A heartfelt thank you to our insightful panellists, Prashan Mahajan, Amy Nightingale, and John Gerardos. Your wealth of knowledge, expertise, and insights has been invaluable to our listeners and has eliminated the intricate world of cybersecurity. We appreciate your time, dedication, and willingness to share your expertise with our audience. To our listeners, thank you for joining us in this exploration of the latest trends and challenges in the industry. Stay tuned for more riveting discussions on the Cyber Consulting Room Podcast, where we continue to bring you the voices shaping the future of cybersecurity.