Cybersecurity Skills Gap: How To Bridge It And Secure Your Career
Episode 79 • 20th June 2023 • Privacy Pros Podcast • The King of Data Protection - Jamal Ahmed


Shownotes

Discover Your Niche and Succeed in Cybersecurity!

Get ready for a riveting episode as we delve into the fascinating world of cybersecurity with Duane Laflotte, Chief Technology Officer of Pulsar Security. His colleagues affectionately dub him the "nicest evil hacker," and you're about to find out why!

In this episode, you'll uncover:

  • How to determine if a career in cybersecurity is the perfect fit for you
  • The unbeatable advantage of mentorship for a thriving career
  • The #1 cybersecurity challenge privacy pros must prepare for in the coming year
  • Practical tips to safeguard data and fortify your organisation's defenses

Don't miss out on this valuable insider knowledge!

Duane Laflotte is Chief Technology Officer of Pulsar Security. He works to resolve complex technical issues for the team and its partners.

Duane can frequently be found at the bleeding edge of emerging technology and believes that continually feeding curiosity results in prolonged growth and creative solutions to complicated challenges.

He is an expert technologist in the areas of cryptography, exploit development, networking, programming, and enterprise data storage.

As an industry leader, Duane has worked with a wide array of Fortune 500, government, and military organisations – such as Disney, Bank of America, the FBI, SOCOM, DARPA, and the NHL – as a solutions architect, red team lead, and presales engineer.


Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Follow Duane on LinkedIn: https://www.linkedin.com/in/duanelaflotte/

Get Exclusive Insights, Secret Expert Tips & Actionable Resources For A Thriving Privacy Career That We Only Share With Email Subscribers

https://newsletter.privacypros.academy/sign-up

Subscribe to the Privacy Pros Academy YouTube Channel

► https://www.youtube.com/c/PrivacyPros

Join the Privacy Pros Academy Private Facebook Group for:

  • Free LIVE Training
  • Free Easy Peasy Data Privacy Guides
  • Data Protection Updates and so much more

Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro

Transcripts

Duane:

So I mentor a lot of junior engineers, interns from high school all the way through college, you name it. I've even had people just reach out on LinkedIn and be like, what should I do? What do you think? And I try and mentor as many people as I possibly can. One of the biggest things I would say is cybersecurity is a daunting topic. It's big, it's sometimes scary, it's sometimes complicated, and there's a lot of people in that industry sometimes who are gatekeeping. You're not going to be smart enough. You need to have 15 years of programming experience under your belt before you can actually start doing these things. And I'd say, don't listen to those people. Honestly, I love the mentor aspect. Find somebody who is going to support you, who is going to knock down a lot of those barriers. Because honestly, I see people go up against the cybersecurity wall where it's so complicated and everybody's telling them they can't do it and they turn around and they go do something else, when in reality, there may be a passion there. So I'd say, don't listen to the naysayers. Find a mentor or a mentorship program or a group of people, and it's totally accessible. There are people who will help you out there, get you into the field.

Intro:

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.

Intro:

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts, the podcast to launch progress and excel your career as a privacy pro.

Intro:

Hear about the latest news and developments in the world of privacy, discover fascinating insights from leading global privacy professionals, and hear real stories and top tips from the people who've been where you want to get to. We're an official IAPP training partner.

Intro:

We've trained people in over 137 countries and counting.

Intro:

So whether you're thinking about starting a career in data privacy or you're an experienced professional, this is the podcast for you.

Jamal:

Good morning, good afternoon, and good evening to wherever you are listening from and whatever time of day it is for you. I'm your host today, Jamal Ahmed, the founder and lead mentor at the Privacy Pros Academy, where we help driven professionals to unlock their potential by building thriving privacy careers and future proofing your career in this fast evolving role. Today, I'm super excited because we've got an amazing guest. He has been described by one of our previous guests as the nicest, most evil hacker in the world. That is none other than Duane. Duane is CTO, Chief Technology Officer, of Pulsar Security. He works to resolve complex technical issues for the team and its partners. And Duane can be frequently found at the bleeding edge of emerging technology and believes that continuously feeding curiosity results in prolonged growth and creative solutions to complicated challenges. He is an expert technologist in the areas of cryptography, exploit development, networking, programming, and enterprise data storage. As an industry leader, Duane has worked with a wide array of Fortune 500, government, as well as military organizations including Disney, Bank of America, the FBI, SOCOM, DARPA, and the NHL as a solutions architect, Red Team lead, and presales engineer. Duane, welcome to the Privacy Pros podcast.

Duane:

Jamal, it's my pleasure to be here.

Jamal:

Wow, that is some experience. And that seems to be some expertise you have there.

Duane:

Yeah, I've been fortunate, honestly, to find people in my life who have been able to help foster my natural curiosity in cybersecurity and systems, and more importantly, how to break them and how to break in. It’s been good.

Jamal:

Getting interesting and finding out all that and more in a moment. But before we begin, if you could only eat one food for the rest of your life, what would that be?

Duane:

One food for the rest of my life? That's a tough one. Here's what I would say I'd go with natural honey, raw honey. That's what I would eat. Has enough calories, probably sustainable, would survive on an island for hundreds of years. It's probably the best thing to hold on to, doesn't need to be refrigerated. That's it. I think that's it.

Jamal:

Very practical. Good answer. All right, so how did you first get into cybersecurity?

Duane:

owards that back in the early:

Jamal:

Super interesting. Now, how has the industry evolved over the last couple of years?

Duane:

s, early:

Jamal:

And for people who are not as embedded into the cybersecurity space as someone like yourself, what do you think is one surprising thing we would be surprised to learn?

Duane:

Interestingly enough, when I talk to people about cyber, they talk about cyber like it's one thing, like, I want to get into cyber, I want to do cyber, right? And it's a massive field, and there's a lot of pieces to it. So you could do specifically what I do, right? So I'm in offensive cybersecurity and red teaming, which is a very specific offensive security. There is pen testing, there's auditing, there's all sorts of things. But in red teaming, we attack organizations like a nation state would. So let's say, I don't know, China wants to attack a particular company. We would emulate what those, what we call TTPs, or tactics, techniques and procedures, would be: how would you socially engineer people, how would you send emails, phishing emails, to break into that organization? That sort of thing. But that's entirely different than, say, having a specialty in reverse engineering. We all love our connected iWatches and your Amazon Echoes and your refrigerator that can tell you when you're out of milk and your TV that can stream Netflix. But all of those are technology, IoT devices sitting on your network that may or may not be vulnerable, and that's an entire path of understanding, really. I think that the thing that's most surprising, when I talk to young, aspiring engineers who want to get into cyber, they usually go, yeah, I want to get into cyber. And I say, okay. Cool. What do you want to do in cyber? And they're like, cyber. Okay, let's talk. There's defense, there's offense, there's auditing. There's all sorts of worlds in cyber. So that's the most eye opening thing, I think.

Jamal:

I mean, it makes complete sense. It's like somebody you go and meet someone at a university and say, hey, what do you want to do when you leave? And say, I want to get into the car industry. Okay, well, what about the car? Do you want to design the cars? Do you want to build the cars? Do you want to race the cars? What is it that you actually want to do? Cars? So what you're saying there makes complete sense. What's the most important cybersecurity challenge that privacy professionals in particular and businesses should be prepared to address over the next year or two?

Duane:

Oh, that's a good question. So we're hired to break into organizations, right? And that's why they call me the Dark hacker. I think of all the dark thoughts of, how would I break in? What would I do? Would I kidnap their kids? Okay, that's probably off the table. Let's not do that. But you start thinking about what are the dark things that may happen that you could get access to that network. And typically, I try and find all these really clever ways to break into networks. And what we usually see is most customers fall down on the basics. It's what procedures do you have in place, especially for privacy pros? What procedures do you have in place for data that's on the network? How long do you keep that data? What's the cradle to the grave strategy for creation of data about our customers, about our intellectual property, whatever it may be? Where does it live, where does it reside, and when does it die and get off the network? What's the chain of custody of that data? Right? And we see most of the time, we'll be able to break into an organization, and we'll be able to steal, say, we'll break into a bank and we'll steal customer account information, and you go, okay, what was the process of protecting that data? And the whole thought is, well, nobody's going to be on our network. That's the process. And really what we see is you need layers of defense, but for privacy pros particularly, it's understanding all of the sensitive pieces of a network. And really, what is your plan for protecting those from cradle to the grave? The other thing we typically see is identification of target, which is also an interesting one. So we get hired, and the first thing I ask is typically, okay, cool, you want us to break in? What do you want me to get? Break in is a general term. What data am I looking for? What's the crown jewels? If it were, I don't know, we're breaking into Kentucky Fried Chicken, do you want me to steal the secret sauce recipe? What is it?
What's the thing that would shut your business down? And most companies have no idea. They're like, oh, I don't know, just see what you can get. Right. So from a data privacy sense, you go, okay, great. You don't even know what's sensitive on your network, so how do you protect it? How do you put a life cycle on it if you don't even know what it is? And that's really one of the things I would focus on, honestly, is really kind of digging into the internal networks and understanding what is sensitive to the business and what legally could cause issues for the business, and then coming up with a plan on how we protect it, restore it, back it up, whatever it may be.

Jamal:

Okay, that's super interesting. So it's quite fascinating. So what you're saying is basically you're talking about Pareto's principle. 80% of the challenge that you see comes down to the basics. If we take care of the basics and we think about the full end to end lifecycle as you frame it, from cradle to the grave, and think about all of the different vulnerabilities or all of the different threats at each step, that will really help us to have a more robust way of thinking about how do we then defend that? And then again, it's not just that. Out of that, there is going to be a 20% that is more valuable than the rest of the 80% of the data. And you need clarity on what that actually is. And once you have clarity on what that actually is, you can be confident. You know you're guarding your crown jewels. You're guarding the thing that's dearest to you. Otherwise, if you don't have that clarity, how can you be confident that you're actually safe if you don't even know what you're supposed to be guarding and what could throw the spider in the works at any time?

Duane:

Yeah, and that's a great summarization, honestly, because it really is kind of weird when we go to a customer and they go, yeah, I don't know what we're trying to protect here. And you're like, well, you have a lot of sensitive things, I'm sure. It's almost like we see customers wait for us to break in and steal something, and then they go, oh, that was important. Now we should protect that thing. And it's like, okay, well, you should know your business better and tell me what's important before we break in.

Jamal:

And with the use of Internet of things on the rise and businesses giving out more devices and more people working remotely and working from home and embracing this digital nomad lifestyle. What are the kind of key concerns that privacy professionals and businesses should be occupied with?

Duane:

It's been an interesting era in cybersecurity because it used to be everybody would take all of their network stuff and they would hug it, they put a firewall around it, and they would put it in a particular building, and the people who needed to access it came in that building. And that was security, right? It was, I know where my data is, and I could put my arms around it, and the people who need to access it are in the building. And you're right with the pandemic, that changed a lot. Everybody had to work from home almost instantly, which means we noticed a lot of procedures that normally would have gone into place. Hey, let's take nine months to a year to roll out a work from home procedure. Let's make sure that all of the devices we give employees are actually locked down properly. Encryption at rest, encryption in motion, no split tunnelling VPNs. There's all sorts of things we would typically do when vetting a device to have it off the network, but be able to communicate in. And a lot of those were circumvented because they said, no, these people need to work tomorrow, so how do we do it tomorrow? So what we assess from our standpoint when we're trying to assess an organization, what we look at first is what we call the risk footprint or the surface of attack. So that Surface of Attack for us went from a single building with maybe some hosted services, something along those lines, to everybody's house at this point is now that Surface of Attack. Because if you start to follow that to the Nth level, not only could I go to your house and probably break into your WiFi, my guess is your WiFi password isn't super strong. So most people's WiFi passwords are either whatever's on the router, which is usually an eight character password, which takes seconds to break, or it's something like a simple word or phrase, which is really easy to break as well. 
So now if I were to break into your home WiFi, I could get access to that corporate device and then maybe piggyback into the office through your VPN connection. But even further down the line is, if you have children, you probably don't have a segregated work WiFi network, right? You probably are just on your same house WiFi that your child is on. And they go to school with their laptop and iPad, which means they're picking up all sorts of who knows what. I have a nephew who plays video games online, and man, he will find any hack he possibly can and downloads it from the jankiest sites. And I'll come over and be like, hey, what are you doing on this Russian site? And he's like, there's a really cool hack for this game. And I'm like, oh my God, I have no idea what you're picking up here. So it's that type of thing where now your surface of attack is so large because everybody who's working from home, it's not just worrying about them and training them, but it's also everybody else who's on that network, which is their children, which you don't have access to training. And you either need to now start really controlling their network so that they have a segregated work network that nobody connects to and they're diligent about it or you're really now at this point, it's pretty hard to connect to really protect that edge. I find it great and when I do, because it gives me more access to breaking in. But yeah, it's a tough job for privacy pros. And Blue Teamers.

Jamal:

That attack surface just went from being over here to over there. Yeah, I hadn't even thought about the school networks and what they're picking and when you're allowing the children onto your network. So I don't know how some cybersecurity pros are sleeping at night.

Duane:

Yeah, I do. I feel for them, especially the privacy pros, because it's like they used to be able to say, okay, I know how we can fence this thing, right? Maybe it's all of our customer data or maybe it's patient information, I know how we can fence it. And then instantly, overnight, all organizations came to you and said, no, we need anybody to access it anywhere in the world from home now. But you need to keep it secure and you need to make sure it's only them. That's a nightmare task. So, yeah, it's been daunting. When I talk to organizations, especially when we start dealing with school districts, even they'll deal with school districts, and they'll say, we went from over a majority of our kids in classes to working from home. But we still need to protect the infrastructure, and all of the information that's on these networks is about children. Right? So we can't just open our walls and have anybody in the world be able to pull this information about the kids who are learning here. It's been a challenging task from that perspective as well.

Jamal:

Are there any quick wins or really easy things that we can do to really enhance that while we bring in someone like you to have a deeper dive?

Duane:

Yeah, absolutely. We're going to come back to basics. I'd love to say there's like one piece of software you could buy or one little thing you could do, but it really is honestly it's just the basics. Having a solid password strategy and management strategy, leveraging multifactor authentication anywhere possible. So if you have remote work from home employees, you should have multifactor authentication, period. You can't in this day and age not have multifactor. It's really kind of the bare minimum, making sure that devices that they're connecting into the network with have been certified from your IT department. Not just say, hey, here's a VPN connection, connect with whatever you want, really. It should be corporate devices with things like BitLocker to make sure people aren't if they lose their laptop, which happens a lot, they're encrypted and you're not losing any data. And these come down like I said, these come down to the basic, how do we make sure we have the right password strategy with MFA? How do we make sure the devices are as secure as they possibly can be and that will mitigate a lot of attacks honestly. The next thing I would say is endpoint detection and antivirus is always important for the big companies out there. They're paying multiple millions of dollars a year for endpoint detection and response applications. But honestly, if you're a small to medium business, use Windows Defender, it's awesome. Honestly, it's free, which is a great price point. It comes from Microsoft and it's on your laptop already, or your desktop. You just need to turn it on and take it from me, I'm a professional virus writer. That's what I do. I write viruses to bypass antivirus programs so that we can run them in corporate networks and see how they respond. And there's no antivirus on the planet that we can't bypass, except Defender gives us the hardest time. 
It takes about a week for me to write a virus to bypass Defender, and it works once, one time, and then I have to rewrite it again because what happens is when it gets detected, it goes up in the cloud and then everybody starts blocking it. So that would be my recommendations, is really go back to basics, make sure that those are solid, and then start leveraging things like Windows Defender free. It's going to detect most things out there and it's actually a really good, really great product to use.

Jamal:

Thanks, Duane. So my key takeaways there are: number one is what we talk about every single time. And it is the most important thing for me, the single most important thing that makes the biggest difference is good password management hygiene. And the thing is, it's so easy to manage passwords with great password managers available on the market at a very low cost, there is really no excuse for having poor password management in place. So that, I would say, is the most important thing and the most basic thing. It doesn't cost any money to do that. Change your password regularly, have complicated passwords. Don't try and be clever and think of something that you think no one ever thought of because someone could just go in, look at your social media profile, see you're interested in a certain thing, and start making guesses. Oh, you've got a dog named Hugo. Let's try Hugo one, two, three.

Jamal:

So good password management, something that is not related to your life, that you talk about on social media, or someone could easily guess about you, your friends, your social networks, password management number one. Number two, you said that there is no way we should not be using multifactor authentication now. It just adds that additional layer of protection. And three, it's already on your computer for free. Windows Defender. That's it. If you just take those three very simple steps, or if you will just take those three very simple steps and actually practice it and do what we're supposed to do, then we could probably get rid of most of those attempts. Most of the time.

Duane:

100%. Yeah, I agree with that 100%. It's amazing how simple it is to knock down probably 80% to 90% of the attacks that we see in the wild.

Jamal:

So let's say we've got someone who's listening now, and they're really interested in pivoting their career. So they're either looking to land their first or their next top tier cybersecurity role. What advice can you give to them?

Duane:

That's a good question. The first advice would be try and understand a little bit about the depth in cybersecurity. And what I mean by that is we had mentioned earlier, do you want to be a red team or do you want to be the breaker of things? That's what we do. We tear things apart and we say, this is broken. This is broken, and somebody needs to go fix it. Is that where your interest lies? I'd love to see how it all ticks. Are you the type of person who's like, no, I want to build the walls of the castle. I want to make sure that nobody can get through here, and if anybody touches a wall, I know about it, and we're responding with hot oil and arrows and spears. Then maybe blue team is the way you want to go. You want to start doing analytics and that sort of stuff. Are you the type of person who's like, no, I'm a lone wolf, and what I love to do is I love to hunt. I love to solve problems. Maybe a threat hunter is a good idea for you, and it's a pretty hot topic right now. So threat hunters are people who literally go through all of the evidence of either a breach, start hunting, literally on the network as to, okay, I think we've been breached here. Let's see where the trail leads. So you're a hunter on the network, but you're looking for hackers. And then maybe none of that's for you. You are the type of person who loves to have your checklist and say, are we using MFA? Are we using secure passwords? Show me what our chain of custody is for all of our customer data. And if that's you, then that's compliance, right? There's a role there to make sure that customer information, or whatever it may be, is secure and in the right hands and everybody knows the process. That's compliance, and a compliance officer. That would be the first thing: sort of understand what drives you. And the reason I say that is a lot of people look at the money in cybersecurity and go, oh, my god, there's a lot of money in cybersecurity. I just want to go there.
But cybersecurity while we've been on this podcast, I've seen about seven different notifications that new hacks have hit the Internet in the last 20 minutes. So if you don't really love this, you are going to be learning all the time. You're going to be a student of cybersecurity forever. My job changes by the minute. This is a passion of mine. I have it on my Twitter feed. I'm constantly reading all of the new exploits and seeing how they work because it really excites me. If you don't do that, then what will happen is you'll fall behind in cybersecurity because it moves so quickly. So first, find what really drives you. Second would be find a mentor. We mentor a lot of people. Whether it's offensive security, cybersecurity or defensive cybersecurity, people will reach out to us. We'll mentor them, we'll help them through certificates, help them understand an understanding, even have them ride along with us on Red Team engagements to watch us attack organizations. But I’d say find a mentor that can help you through the process because it's a lot to navigate. And then listen to podcasts like this. Honestly, this is a great way to stay up to date on cybersecurity issues. Listen to our podcast securitythisweek.com. Just really try and understand how quickly are things moving in the environment, what are the things that interest me, and then just drive into those things. That would be my biggest recommendation. There's a lot more technical detail when you decide which path you want to go. But I'd say, first off, find out what really drives you and then find a mentor that you really would like to work with.

Jamal:

I love that advice and it resonates with me a lot, especially because it's the same kind of advice that we've been talking about with aspiring and current privacy pros who really want to become world class privacy leaders. And we say, look, the first thing is, what's your reason? Why? Why do you want to do this? What is it that you actually wanting to get? And when you understand why, find a niche and really focus on that and become very well familiar. Become first and make sure you're following the updates. Because if you sit there, stand still, and you're not up to date and you don't know what's currently happening, you become irrelevant and your skill set doesn't become required. Businesses want to hire people who are at the forefront, who know what's going on, who knows what changes need to come up. They don't want someone who knows how things were ten years ago because we're not back there right? And I keep joking about inventing this time machine, so we can't help you with that time machine right now. And the thing is, motivation comes up and down right. You'll be really motivated one day, the next day you might not be so motivated. And this is where discipline takes over. So even when you're not feeling on a day when you're not feeling motivated or you're having a bad week and you're not feeling motivated, it's still having that interest, having that curiosity to say, hey, what's happening this week? What have I missed? What do I need to know? What's moving? What's been you the latest threat on the market? And getting familiar with what really drives you, what turns you on, is going to help you to identify which aspect of the market do you want to get into? Are you someone who likes are you offensive? Do you want to go and break in stuff, tear stuff down? Or are you more the one that likes building that defense and making it impenetrable? Or are you someone that wants to operate yourself and you're not a team player and you just want to figure stuff out? 
When your own whatever it is, you need to figure out what your reason why is and what's really going to drive you to make sure that you can wake up every single day and look forward to another day. And I can hear the passion in your voice Duane and you're like saying, hey, I've just seen 20 pins about all of these things and I know you can't wait to get up to investigate.

Duane:

I know, right?

Jamal:

And this is exactly the same. It's very similar in privacy. We have new laws coming in. We have new enforcement action. We have things are changing. The way technology is being used is changing. Chat GPT has shown just how disruptive emerging technology is, as well as generative AI can be. And there's so many interesting and fascinating things happening all the time. And if we just sit saying, hey, you know what? I passed this certification which was standardized 15 years ago, and that's enough to help me have a world class thriving career, I'm sorry, guys, it's just not going to happen. So you need to make sure that you have that drive within you. And then once you've got that drive, the second thing you said is, you need to get a mentor. And that's exactly what the Privacy Pros Academy is all about. It's about finding a mentor, someone who's been where you want to get to that can show you the ropes, that can help explain the theory and put it in a way where you can actually pragmatically, go and solve challenges, where you can bring the value from yourself. And add that to the team, add that to an organization. Because just sitting there, reading a book and learning how to pass an exam, it's not really going to get you anywhere. Maybe ten years ago, maybe in this market, in this competitive market, in this global market, it's not even going to get you an interview. In most cases, yes, so making sure that we get a mentor. Find the best, right, find the best mentor you can. Find someone who resonates with you, find someone who style you like and just go and approach them. And don't be afraid of investing in your own future development because it's only yourself you're investing in. When you decide to develop, when you decide to grow. And remember, nothing good comes easy. So we have to sacrifice something, whether that's time, whether that's money, whether that's energy, if we want to get the rewards. 
And I'm someone who's a big fan of delayed gratification, and the time I spend with my mentors has been I've always got tenfold rewards. So I really love what you said there. And the third thing that I also love to share, in addition to what you've said, is finding a group of like minded individuals, finding a community of people who are also on the same path as you. You want some people ahead of you so you can learn from them. You want people that are going through the same stage of the journey you are. And also you want some people who are you're one step ahead of. Because it's once you start teaching other people, you start developing them, that they put you up and onto the next step as well. So I really resonate with everything you've shared there.

Duane:

It's fascinating that you say that about having people below you as well. So I'm actually just in martial arts, and I've noticed the same thing in martial arts, where you think you know something and you really enjoy doing a thing, and then when somebody's in trouble or struggling with it, and you go to help them with it, then you realize, I don't know it as well as I thought I knew it. Right? And you start to relearn small pieces or aspects that you didn't quite know before. So yeah, it's a great point, great point.

Jamal:

And the other thing is, sometimes you don't visit a particular topic or a challenge because you're busy doing other stuff. And since you last dealt with that or looked at that, you've gone and grown. You've seen new things, you've heard new things, you've tried new things, and then when you go back and visit that, you see it from a completely different lens. And I find that every time I'm revisiting things, I'm also learning because now I'm looking at it from a completely different lens or from a slightly different lens, and there's always more value to gain. I have a question for you. Without breaching any confidentiality agreements, you might have signed a nondisclosure agreement. What's a really memorable client story that you can share with us?

Duane:

It's interesting. There are so many interesting stories. There's a story I have about breaking into a network over a TV, which I can tell you about. We have a story of reverse engineering a vacuum, which we could definitely talk about. Some of the interesting stories we have are around really profiling the people that work at the organization, really kind of getting the human aspect into that. So, for example, with the TV example, at one point, we were pen testing a customer, and they knew we were going to break in over WiFi. That was what was on the scope for us to test. So they thought they were being cheeky, and they decided to change the WiFi password every 24 hours. If we were to break in, we wouldn't be able to stay on the network. But the moment we broke in, we were actually able to compromise one of their TVs that was in the lobby, put a piece of code on it that would then beacon the password out to us, so it would tell us what the password is. So every day when they re-added the TV, it would tell us, oh yeah, here's the password coming back in.

Jamal:

Right.

Duane:

…password was like, I love Sarah:

Jamal:

They're very interesting, because most people, when they're thinking about their threats, wouldn't think about the TVs. They have the vacuum coming and cleaning up at the end of the shift. So it's super fascinating. And I love what you were saying earlier about the attack surface. It's having that awareness of just how wide your attack surface is and just knowing all of the different surfaces that you have, because it's not two dimensional, it's multidimensional.

Duane:

Yeah, absolutely. And there are certain things that even organizations don't think about. Let's say we wanted to attack, say, a Starbucks, right? We want to attack Starbucks. You and I probably don't know what the infrastructure is at Starbucks. Is it Linux? Is it Windows? Where are they? Are they in Azure? Are they in Amazon? We're not sure. What we could do is go to LinkedIn and start looking at engineers who work at Starbucks and see what things they are certified in, what job titles they have. So that's one thing, from the outside. That's a surface of attack where I can now understand what the infrastructure is: they're using these firewalls, they're using Amazon, they're not using AWS. They have a lot of NetApp filers, because we see a lot of NetApp storage arrays. So that's part of it. The other part is you and I could apply for a job. Why not, right? So we'll put together a really nice tech resume. We'll apply for a job, and during that interview we'll go, so what do you guys use internally? Do you guys have a password policy? And we've used these tactics on engagements in the past, where we've just applied for a job and talked to the customer and literally just asked them all the questions, and they'll even tell you, I can't wait till you start here, Duane, because we have these really big issues with cybersecurity and nobody's changing passwords over in the food processing plant. Like, oh, okay, that's good to know, right? So, yeah, the surface of attack is definitely bigger than most people think.

Jamal:

And Duane, as you were giving me some of those examples of what you might do, I found the penny dropped as to why Patrick described you as the nicest, most evil hacker.

Duane:

Thank you. I'm paid to think the evil things. Like, how could we, in a very nice way, break into this place?

Jamal:

I would definitely rather have you on my team than against it.

Duane:

Well, thanks. I'm glad I'm on the good side. Don't you worry.

Jamal:

Any last final thoughts that you'd like to share?

Duane:

Yeah, so one big thought. I mentor a lot of junior engineers, interns from high school all the way through college, you name it. I've even had people just reach out on LinkedIn and be like, what should I do? What do you think? And I try and mentor as many people as I possibly can. One of the biggest things I would say is cybersecurity is a daunting topic. It's big, it's sometimes scary, it's sometimes complicated, and there's a lot of people in that industry sometimes who are gatekeeping. You're not going to be smart enough. You need to have 15 years of programming experience under your belt before you can actually start doing these things. And I'd say, don't listen to those people. Honestly, I love the mentor aspect. Find somebody who is going to support you, who is going to knock down a lot of those barriers. Because honestly, I see people go up against the cybersecurity wall where it's so complicated and everybody's telling them they can't do it, and they turn around and they go do something else, when in reality, there may be a passion there. So I'd say don't listen to the naysayers. Find a mentor or a mentorship program or a group of people, and it's totally accessible. There are people out there who will help you get into the field.

Jamal:

Yeah, it sounds like we speak a very similar language and we share lots of values. And one of the big things that we speak about here also is mindset. And that's exactly what you're describing there. Don't let those doubters, don't let those naysayers get involved. You decide what you want to do. Have that growth mindset. Know that with effort, anything is possible. All you need is a mentor, someone who's done it, someone who's helped other people, and they can help you too. And all you have to do is take action, right? Nothing's going to happen if you sit there waiting for things to happen, or complaining about the environment, complaining about the family, complaining about the layoffs. Even with those layoffs, there are hundreds of companies hiring. And with data being so precious, with data being such an important part, with people's reputation at stake, guess what? They're going to need great cybersecurity professionals. They're going to need great privacy professionals, because they need people to help them to protect their businesses, protect their assets. And if you can demonstrate you bring enough value to the table, there are going to be world class roles there for you too.

Duane:

Yes, absolutely. I can't agree more, honestly. And it's a field that's not going away. Cybersecurity, data protection. Those fields are only going to grow over the next ten to 20 years. So it's a great place to invest in yourself, but also a really great market to be in.

Jamal:

There you go, guys. From Duane himself, this is a growing market. There are going to be lots of opportunities. It's only getting started. Ten years ago was the best time to get in, but until we build that time machine, right now is the second best time to get in.

Duane:

It is.

Jamal:

All you need to do is find yourself a great mentor. So take action and find a way of future proofing your career. And if you want to reach out and you want to become an awesome data privacy professional on the privacy side, you can reach out to us at the Privacy Pros Academy. And you've heard that Duane is very open to talking about mentorship, so we're going to put up his LinkedIn profile. So just reach out to Duane, have a chat, and he can either mentor you or send you in the right direction. Because we need great people in data protection, whether it's cybersecurity, whether it's privacy, whether it's something else. We're looking for great people, and we have our communities, and we want to really build them up, because that's what makes it all so fulfilling and so worth it. So don't be afraid to reach out to people and say, hey, can you help me? Because nine times out of ten, people love the opportunity to help. And when you see people at the top of their field, there is nothing more fulfilling than helping other people, because you see the need for great talent to come through.

Duane:

Absolutely, I agree. Honestly, as a mentor, one of the things I love seeing is when the spark goes off and the light in their eyes when they're like, oh, my God, we just broke into this thing. Like, what do we do next? Right? And they're super excited, and it's like, yeah, that's the feeling right there. You'll be a lifelong learner in cybersecurity. Yeah, great.

Jamal:

You'll get the adrenaline rush there as.

Duane:

Well, every time you yeah, awesome.

Jamal:

So, Duane, before we wrap up, I always give the guests an opportunity to ask me a question. So I'd like to extend that courtesy to you. Is there anything that you'd like to ask me? You can ask me anything at all.

Duane:

Oh, any question. Okay. So what data privacy laws are you the most excited for? And I'm actually super interested in this, because from my standpoint, the laws in cybersecurity and privacy are so complex and there's so much out there with GDPR and all sorts of other things that I have a hard time following it, and I don't know what to be excited for. Like, what's a really good one that's coming out that's going to help, and which one's just going to cause more red tape. So I'd love to hear your thoughts on this.

Jamal:

What I would really love to see is a federal act in the United States. I'd like to see a little bit of consistency, because right now, the states are taking action themselves. They're bringing in a little bit here, a little bit there. Yeah, it's a little bit piecemeal. And when you have companies who are operating across multiple states, when you have multinational corporations, it's such a headache to understand the different terminology, the different caps, the different nuances. And as privacy pros, we get paid to understand those nuances and do that. That's another challenge. The challenge is we want to help businesses to do what they want to do in a respectful way, in an ethical way, so that the objectives are met whilst respectfully treating people's data. And by bringing in all these different state laws, it's kind of a little bit higgledy-piggledy, and it's getting in the way. And what we don't want businesses to do is to say, you know what, we just can't be bothered. Let's just do whatever we want to do, and we have our risk appetite, and we'll just put some money in the slush fund. What I'd love to see, and what I'm most excited to see, is a federal act in the US coming out, giving a bit of consistency and kind of acting as a layout, so we get a bit more consistency globally as well. So from the UK, from Europe, from other parts of the world, we want to understand what that landscape looks like rather than trying to learn 50 plus individual laws. So I'm looking forward to that. Whether we're going to see one or not, I don't know. I know Biden has been discussing it, but I also know how difficult it is to pass a federal law in the United States.

Duane:

Yeah, it is.

Jamal:

The other thing that I'm really looking forward to is the implementation of the EU artificial intelligence regulations that we have coming in, because that's going to be super fascinating. It's a little bit prescriptive for my liking. I prefer the more principled approaches, a little bit like we have with the GDPR, because there is no way we can think of everything right now that's going to happen over the next 5 to 10 years in every industry, in every single size of business. If we start making laws that are very prescriptive, we block and stifle innovation. And so I'm a big fan of innovation, I'm a big fan of growth, I'm a big fan of being curious, which is, I think, what helps us to do what we do really well. And I hate any laws that kind of bring in that prescriptive element, because it means it's going to become outdated very soon. It's going to become irrelevant and obsolete and it will lose that respect. And we can't have laws that lose respect. We need to have laws that are there to give us that safety net.

Duane:

Right.

Jamal:

That's how I see the role of laws and regulations. It's let businesses do what they want to do, but here's the safety net. So we know that if they fall off that tightrope of balancing the business objectives as well as the privacy and security concerns, the law is there to act as a safety net to make sure no serious harm is done. Everyone can survive a fall, but if the safety net is there to catch you, no harm done, then you just get back up and you learn from that and you go a little bit further next time, isn't it?

Duane:

Yeah, absolutely. And I wonder if the legal system is ready to move fast enough, because take a look at AI. AI today is going to look entirely different in five years. Not even ten years. In five years. So can laws move that fast? I mean, heck, in six months, AI may look entirely different than it looks today, where I don't think we'd ever get a federal law implemented in six months. So it'll be fascinating to see how laws keep up with technology. To have that balance, I agree, where they don't stifle creativity, but they do protect people and organizations and data.

Jamal:

100%. Amen to that. Duane, thank you so much for giving up your time to come and speak to us at the Privacy Pros podcast. We covered so much, and there's so much value from this, that if you're listening right now, you're probably going to have to go back to the start and start again. We covered all of the things from attack surfaces to what's happening between the pandemic. We covered the basics: basic password management, multifactor authentication, using Windows Defender. It's for free and you already have it, so there's really no excuse for using those things. And then Duane gave us some really great tips about how you can really carve out that world class career in cybersecurity, so make sure you get yourself a great mentor. And then we spoke about our vision of what we want to see coming up with laws as well. So it's been an absolute jam-packed episode. I'm looking forward to catching up with you again soon. Until next time. Peace be with you.

Duane:

Awesome.

Outro:

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.

Outro:

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro:

Thank you so much for listening. I hope you're leaving with some great things that add value on your journey as a world class privacy pro.

Outro:

Please leave us a four or five star review.

Outro:

And if you'd like to appear on a future episode of our podcast, or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk

Outro:

Until next time, peace be with you.