Today we're joined by Unixguy, one of the top Cybersecurity content creators online right now. He shared his incredible knowledge from his 20 years of experience in Cybersecurity. ✍️FREE Cloud Engineer Assessment quiz - https://caleb-hzavw51g.scoreapp.com
Follow us on YouTube:
www.youtube.com/@caleboni.certified
TIMESTAMPS: 00:00 Intro 02:38 Has the Tech Job Market really changed? 12:52 Is Cybersecurity entry-level? 24:37 Unixguy's Journey in Cybersecurity 31:24 Roadmap for Cybersecurity? 38:45 Unixguy's most interesting Career Story?
[00:00:00] And still to this day, from so many managers that I work with every day, they complain that they can't find enough good qualified people. So nothing has changed. The same challenges out there. In fact, there is more and more attacks. Like there is more and more requirement for individuals like this.
[00:00:15] This is UnixGuy, one of the biggest cybersecurity content creators on the internet right now, who also works as a cybersecurity consultant at PWC. I call him the Michael Jordan of cybersecurity content. He currently has just under 200,000 subscribers on YouTube and thousands more across other platforms. Today, UnixGuy joined me on the Tech Certified Podcast for our biggest episode yet.
[00:00:45] In this episode, you will learn about the current state of the cybersecurity job market and what you should be doing differently in your job search.
[00:00:54] But if I objectively look at the market today, I don't necessarily think it's significantly different than, let's say, 2017. In fact, I would argue in this year, for example, there are more jobs advertised than we had in 2017 and 2018.
[00:01:11] You will learn whether cybersecurity is an entry-level role or not.
[00:01:16] From my experience is anytime we make a blanket statement, chances are it's wrong.
[00:01:21] So when we say something full blank, cybersecurity is not an entry level, full stop.
[00:01:26] Like that tend to be wrong first.
[00:01:28] And you will also learn how UnixGuy broke into cybersecurity over 20 years ago.
[00:01:34] I don't want to end, like, please, if you're watching this video, do not follow my pathway.
[00:01:39] My pathway is completely irrelevant to anyone watching this video.
[00:01:43] Things were significantly different back then and...
[00:01:47] And how you can break in today in 2024.
[00:01:50] In my opinion, if you're brand new, you haven't done anything...
[00:01:54] This was truly one of the most interesting and controversial episodes I've had on the podcast so far.
[00:02:00] But before we begin, I must ask this one thing.
[00:02:03] If you watch the Tech Certified podcast or any videos on this channel, then please subscribe to the channel.
[00:02:10] Right now, of the people who watch the content on this channel, only 14.6% are actually subscribed to the channel.
[00:02:18] And the other 85.4% are not subscribed.
[00:02:22] Getting this subscribed percentage up will go a long way in the growth of this channel.
[00:02:27] Now let's get right into the video.
[00:02:34] Now, for this podcast, I wanted to start here.
[00:02:38] The job market has become increasingly difficult in the past, I don't know, months or years.
[00:02:47] And I wanted to just talk about what aspiring cybersecurity professionals should be doing differently to enter this field.
[00:02:59] What are your thoughts on that question?
[00:03:03] Starting with the tough questions right away.
[00:03:07] Oh, man.
[00:03:07] The problem is, and I guess I do disagree with a lot of people in the industry.
[00:03:14] I don't necessarily disagree with what you just said.
[00:03:17] But in general, I do find myself not agreeing to a lot of assessments.
[00:03:23] So let's, I guess, unpack that question.
[00:03:25] As you said, it's getting increasingly difficult.
[00:03:28] I would argue that difficult compared to what?
[00:03:32] So if we're comparing it, let's say, with 2021, which was a year that organizations went absolutely crazy.
[00:03:40] They had so much budgets and they were just competing for talent.
[00:03:44] Now, in my opinion, that was unprecedented.
[00:03:47] The amount of hiring that they did was absolutely crazy.
[00:03:51] And the salaries were absolutely high.
[00:03:53] Now, recently, we've seen a correction to that.
[00:03:57] But if I objectively look at the market today, I don't necessarily think it's significantly different than, let's say, 2017.
[00:04:05] In fact, I would argue in this year, for example, there are more jobs advertised than we had in 2017 and 2018.
[00:04:14] And that is simply because there are just more companies that are digitized.
[00:04:19] More and more organizations recognize and understand the importance of cybersecurity.
[00:04:27] So in my opinion, is it increasingly difficult?
[00:04:31] Is it hard?
[00:04:32] Are we in a recession?
[00:04:33] I personally don't agree.
[00:04:34] And I think I do have a little bit of a gripe with that assessment because I do hear that assessment mainly from IT professionals or even recruiters.
[00:04:44] Whilst like, I don't know if you remember, let's say, in 2008, right, we had or 2007, we had this global financial crisis.
[00:04:53] That global financial crisis was like the biggest one we've had in decades, even in the century.
[00:04:58] However, even economists and people who specialize in economy, they couldn't predict that.
[00:05:04] So I would say that, you know, as an IT professionals, the assessment that I hear about the market may not be, you know, necessarily true or accurate.
[00:05:14] Yes, things aren't straightforward.
[00:05:16] Yes, things aren't easy and aren't straightforward.
[00:05:18] But I would argue like 10 years ago, things weren't easy either.
[00:05:22] That's not to say they were difficult.
[00:05:23] I think the level of difficulty is appropriate.
[00:05:26] So I think that has been my consistent opinion around, you know, the ultimate crash of the market and, you know, people losing jobs, etc., etc.
[00:05:37] Now, when I say these things, unfortunately, sometimes they are taken out of context.
[00:05:41] So I'll give you an example.
[00:05:43] If I say that the economy is quote unquote good, which is a really broad statement, right?
[00:05:49] Someone out there who is having it tough or who, for whatever reason, is going through hardship, they might take offense to that.
[00:05:56] And I understand that.
[00:05:58] But when we say things like the economy is good, that doesn't mean that, you know, poverty has ended or no one's going to ever have any difficulty.
[00:06:06] It's just a broad term to say comparatively, let's say this year or this decade may probably is probably better than, let's say, the 1990s or the 1980s, etc., etc.
[00:06:16] So that's the assessment that I currently have.
[00:06:21] And you, Caleb, you can stop me at any time or go on rants on tangents.
[00:06:25] Of course, of course.
[00:06:26] I want to try to just lay the foundation of what I think the current quote unquote economy or cybersecurity job environment is.
[00:06:33] So my advice to someone who is new to this field, who want to land a cybersecurity job is it has not changed.
[00:06:40] The same advice that I've been giving for a long time ago is you need to put in the work.
[00:06:44] There is no hack.
[00:06:45] There is no quick tip.
[00:06:47] There's no top five tips that will give you the job right away.
[00:06:50] You do need to put in the work, but the reward is there.
[00:06:54] It will lead to a good career, a lucrative career that pays so much better than so many other jobs here.
[00:07:00] So the way to do it is probably following one of the roadmaps or advice that I have laid out in my videos.
[00:07:06] Does that make sense?
[00:07:07] Yeah, that makes a lot of sense.
[00:07:09] Yeah.
[00:07:10] And it's really interesting you say that.
[00:07:13] And it's a really, really different take because on the internet right now, everyone who's trying to get into not just cyber, like any tech roles, a lot of what they're hearing is the job market is getting difficult.
[00:07:29] There's so much less cybersecurity jobs.
[00:07:32] It's so competitive, all this kind of stuff.
[00:07:35] And it's kind of refreshing to hear a completely different opinion on that.
[00:07:40] You know what's funny, Caleb?
[00:07:41] Like, I don't know if you've heard of him, Graham Hancock.
[00:07:44] He's a very controversial character.
[00:07:46] He talks about ancient civilization.
[00:07:48] Anyway, it's a different topic.
[00:07:49] But he has a line that I really like.
[00:07:51] He says that we are a species that suffers from amnesia.
[00:07:55] So we collectively forget what happened even two years ago.
[00:07:58] So, but, however, we do have the internet today.
[00:08:02] So if someone wants to go back and just, quote unquote, search what people were posting.
[00:08:08] And let's say 2015.
[00:08:10] Sorry, yeah, 2015 or 2017, which is almost 10 years ago.
[00:08:15] People are saying exactly the same thing.
[00:08:17] I was in cybersecurity.
[00:08:18] I was having conversations with decision makers and the things I remember, like CEOs and stuff.
[00:08:24] And the things they were telling me is give me, give me automation.
[00:08:27] How can I, what can I do to automate?
[00:08:29] Can I use machine learning?
[00:08:31] People think AI have just started two years ago.
[00:08:33] No, they were talking about the exact same things.
[00:08:36] And the same fear among fresh grads was, is like, you know, there's not enough jobs.
[00:08:40] It's competitive.
[00:08:41] It's hard.
[00:08:42] Quote unquote, cybersecurity is not entry level.
[00:08:44] All of the same crap that was spewed back then is spewed now.
[00:08:48] Not only that, I remember when I was entering this field really long time ago, people were, what was popular back then is offshoring.
[00:08:56] Everyone was talking about offshoring.
[00:08:58] There were even TV shows and movies about offshoring and how all the work is going to go to India or Philippines or whichever country.
[00:09:05] And therefore, none of us have jobs.
[00:09:07] Like I had my, I still remember it because I was really young and easily impressionable.
[00:09:13] I had my cousin making fun of me.
[00:09:14] He's like, what are you doing studying this stuff?
[00:09:16] It's all going to go offshore.
[00:09:17] It's pointless.
[00:09:18] You know, don't waste your time.
[00:09:20] Take another career.
[00:09:20] He was doing civil engineering.
[00:09:22] And yeah, it's the same stuff.
[00:09:24] Like it, nothing has changed.
[00:09:26] People will say exactly the same thing.
[00:09:28] And I challenge anyone who's watching this video.
[00:09:31] Find me any point in time where people were saying the economy is great.
[00:09:35] Jobs are great.
[00:09:36] Blah, blah, blah.
[00:09:37] Never happened.
[00:09:38] Always.
[00:09:38] Yeah.
[00:09:38] We always do that in hindsight.
[00:09:40] We're like, oh man, 10 years ago, things were great.
[00:09:43] Or it's the good old days.
[00:09:44] Like what to say?
[00:09:45] The good old days.
[00:09:46] We never say that the good old days are today.
[00:09:48] It's always some point in the past.
[00:09:50] So that is my opinion.
[00:09:52] I think it's not as bad as people on the internet make it out to be.
[00:09:56] But having said that, it's not easy.
[00:09:59] It was never easy.
[00:10:00] It was never meant to be easy.
[00:10:02] It's challenging enough.
[00:10:03] But once you get over that challenge, then there is a reward at the end.
[00:10:08] Incredible.
[00:10:09] And I think I can, to an extent, agree with a lot of what you said.
[00:10:15] Because at some point when I was, I mean, I've spoken about so many times on my channel
[00:10:21] when I was first trying to get into the industry as like a two-year, second-year student studying
[00:10:28] at university, I had the same complaints as a lot of people would have right now.
[00:10:35] It's so hard.
[00:10:37] It's so competitive.
[00:10:38] There's so many people trying to get in.
[00:10:41] I don't know how to get in and all this kind of stuff.
[00:10:44] And it's kind of the same things I hear.
[00:10:47] I think right now, I definitely hear it a lot more.
[00:10:50] Maybe it's the age we're in of social media.
[00:10:53] But also, just, yeah, there's so much going on.
[00:11:00] I definitely agree with you, Caleb.
[00:11:02] The problem also with being a student.
[00:11:04] Like when I was a student, all my information came from other students.
[00:11:09] And frankly speaking, students have no idea.
[00:11:11] I had no idea.
[00:11:12] You're a student.
[00:11:12] You're just studying.
[00:11:13] And the person who's teaching you, which is a university or college professor,
[00:11:18] they usually haven't worked a day in their life in the field.
[00:11:20] So they themselves have no idea what's going on.
[00:11:23] So it's really easy to be confused.
[00:11:25] But I hear you, yes.
[00:11:28] On the internet, online and on Reddit,
[00:11:31] which is mainly people who've never worked a day in their life in this field,
[00:11:34] it seems to be popular.
[00:11:36] However, when I go in the real world,
[00:11:38] in actual people working in cybersecurity, that's not the case.
[00:11:41] We usually see opportunities advertised,
[00:11:43] people getting job offers, people getting promoted.
[00:11:46] And still to this day, from so many managers that I work with every day,
[00:11:50] they complain that they can't find enough good qualified people.
[00:11:54] So nothing has changed.
[00:11:55] The same challenges are there.
[00:11:57] In fact, there is more and more attacks.
[00:11:59] Like there is more and more requirement for individuals.
[00:12:01] Like in Europe, they have the GDPR, which is the Privacy Compliance Act for Europe.
[00:12:08] That wasn't a thing a few years ago.
[00:12:10] Now, because of it, so many new jobs were created.
[00:12:13] Same thing in Australia.
[00:12:14] We have the Privacy Act.
[00:12:15] In the US, they've got the California Act.
[00:12:18] And even in China, there is China Privacy Act.
[00:12:20] So the market is growing.
[00:12:21] We still need people.
[00:12:23] But yeah, if you're just going to listen to people who are not in the field
[00:12:27] or they just like to complain on the internet,
[00:12:30] and I'm not going to lie.
[00:12:31] Actually, if I make a video now on my YouTube channel
[00:12:33] and says the market is crashing,
[00:12:34] that video will get so many views because fear mongering works.
[00:12:37] But I'm not going to do that.
[00:12:39] And, you know, people still do it.
[00:12:41] And I definitely don't agree with it.
[00:12:43] Wow. Incredible.
[00:12:44] Yeah, I'm so grateful for that take
[00:12:49] and the honesty that you've brought with that.
[00:12:52] I wanted to jump into another question.
[00:12:57] And this is kind of a question that is very universally asked
[00:13:03] in the cybersecurity space.
[00:13:05] You'll hear it a lot.
[00:13:06] Is cybersecurity entry level?
[00:13:10] I think a lot of people, they speak about cybersecurity.
[00:13:15] You cannot get into cybersecurity unless you have two, three years experience
[00:13:21] in wherever, whether it's IT, whether it's something else,
[00:13:27] before getting into this industry of cybersecurity.
[00:13:31] And I wanted to ask you, Unix guy,
[00:13:34] what your opinion is on that.
[00:13:37] And if not, if it is not entry level, what is the route?
[00:13:43] Yeah.
[00:13:44] Look, really good question.
[00:13:46] It comes up now.
[00:13:47] I promised you 20 years ago, people were saying similar things.
[00:13:51] Now, from my experience is anytime we make a blanket statement, chances are it's wrong.
[00:13:56] So when we say something full blank, cybersecurity is not an entry level.
[00:14:00] Full stop.
[00:14:01] That tends to be wrong first.
[00:14:03] So I'll give you an example.
[00:14:04] I work in PwC, which is one of the big four consulting firms.
[00:14:07] Okay?
[00:14:08] So we do cybersecurity consulting.
[00:14:10] Every year, PwC have something we call grad program where you hire fresh graduates.
[00:14:16] That's not just PwC, but all the other big four do it.
[00:14:19] The big banks have it.
[00:14:20] Government has it.
[00:14:21] So just by virtue of the fact that we do actively every single year,
[00:14:27] hire entry level individuals into cybersecurity jobs,
[00:14:32] that in and of itself should make, excuse me,
[00:14:36] this bloody coffee,
[00:14:37] that in and of itself should make this statement wrong.
[00:14:41] So just saying something, cybersecurity is not entry level.
[00:14:44] It's just wrong because there are simply so many people landing entry level cybersecurity jobs.
[00:14:49] Okay.
[00:14:49] Now let's unpack that statement.
[00:14:52] Cybersecurity is not just one thing.
[00:14:55] It's not just one job.
[00:14:56] You know, I don't know, driving a bus, you call this, say, a bus driver.
[00:15:00] But cybersecurity, we don't all go to a building and we do the exact same job.
[00:15:04] No, cybersecurity is a broad umbrella term where we do so many different jobs.
[00:15:09] I think the confusion happens.
[00:15:12] Well, first, I blame my generation, the boomers.
[00:15:14] We are the source of every problem because when we started, yes, first of all,
[00:15:19] there was no job title called cybersecurity.
[00:15:21] We were either support engineers, system engineer, network engineer.
[00:15:25] So my job was as a quote unquote Unix guy.
[00:15:28] I was working with an operating system called Sun Solaris, which is a Unix operating system.
[00:15:33] And part of that job, we installed the OS.
[00:15:35] And there was this quote unquote new and upcoming company called Checkpoint.
[00:15:40] They partnered with us and they had a firewall product, but that firewall wasn't the firewall that you see today.
[00:15:45] It was just a software.
[00:15:47] So we installed that software.
[00:15:48] We configured the ports for them.
[00:15:50] And then we will do what you call today identity and access management.
[00:15:54] Sometimes we configure something called, it used to be called OpenLDAP, Sun1 directory, which is your OpenLDAP.
[00:16:01] And sometimes we install patches and that's your vulnerability management.
[00:16:05] But we did these tasks as systems engineering.
[00:16:08] Likewise, the network engineers, they would configure their routing and switches.
[00:16:11] And then they had something called access lists or ACLs.
[00:16:15] And that was their security.
[00:16:17] Now, I can't tell a beginner today that you have to do that crappy job that we did.
[00:16:22] No, it wasn't crappy.
[00:16:23] It was the only job available.
[00:16:24] Spend 10 years of your life, do it.
[00:16:26] Then you'll be allowed to have the chance to even touch cybersecurity.
[00:16:30] That's just wrong, right?
[00:16:33] That's not necessary.
[00:16:34] Can you do it that way?
[00:16:35] Absolutely.
[00:16:37] Can you work as a network engineer for three years and then transfer to cybersecurity?
[00:16:41] More power to you if that's what you want.
[00:16:44] Is it necessary?
[00:16:45] Absolutely not.
[00:16:46] And I think it will go down the rabbit hole of you can't secure what you don't understand.
[00:16:53] I'm going to put my coffee back because this is one statement.
[00:16:56] Every time I hear it, I have a bit of a giggle, right?
[00:16:59] Because it's such a broad statement.
[00:17:01] People usually say this statement to want to come across as clever.
[00:17:06] And I think it has the opposite effect.
[00:17:08] Because, again, broad statement.
[00:17:10] Let's unpack it, right?
[00:17:12] And funny, by the way, people who say that, they usually have never worked a day in their life in cybersecurity.
[00:17:17] Some of them are network engineers.
[00:17:19] Some of them are CompTIA trainers.
[00:17:22] So they just do CompTIA training.
[00:17:23] And apparently, you can't secure what you don't understand.
[00:17:26] So, yes, theoretically, you need to secure something you don't understand.
[00:17:31] But the question is, how much do you need to understand, right?
[00:17:35] So you need to understand networking.
[00:17:37] Just how much networking do you need to understand?
[00:17:40] As far as I know, almost all cybersecurity training that's available in the market, it goes over networking.
[00:17:47] Now, do you need to be a network engineer?
[00:17:49] Absolutely not.
[00:17:50] That's not a requirement, right?
[00:17:52] But they seem to say this, you know, you can't secure what you don't understand.
[00:17:55] And they usually refer to networking or, again, something like a help desk as, like, this is the necessary background.
[00:18:03] Again, these statements come from individuals who haven't worked in this industry.
[00:18:08] Because thinking that this is the only foundation that's needed, again, they're wrong.
[00:18:12] Because there are so many other things that you actually need to know.
[00:18:15] So, for example, why stop at networking?
[00:18:18] Sometimes we need to deal with transistors.
[00:18:20] Sometimes we need to deal with physical security.
[00:18:23] In fact, I find myself having more and more conversations with lawyers and, you know, regulations.
[00:18:28] Like, I work with this organization that has factories in China.
[00:18:32] So I had to travel and I had to see certain things and certain regulations.
[00:18:36] That doesn't mean I need to be a lawyer.
[00:18:38] But again, this, quote, unquote, I need to know something before I secure it.
[00:18:42] You know, I had to pick it up as I go.
[00:18:45] Like, you don't need to do everything before you start.
[00:18:47] So, sorry, I think I went into a lot of things.
[00:18:51] But this, this, cybersecurity is not entryable.
[00:18:54] I think it's a myth that refuses to die.
[00:18:56] It usually comes from individuals who, again, have not worked a day in their life in cybersecurity.
[00:19:01] And they should never give advice to cybersecurity.
[00:19:04] It's very, very strange that they do that.
[00:19:07] Or B, again, it's usually coming from someone who's on a journey.
[00:19:11] They want to learn cybersecurity.
[00:19:13] But they think it's like, this is so hard.
[00:19:15] Therefore, instead of trying to learn it, they go and learn these other things that are not really relevant.
[00:19:20] So, yes, there are roles that exist as entry level within cybersecurity.
[00:19:26] In consulting, we need the junior consultant.
[00:19:28] For example, another example role, let's say vulnerability management.
[00:19:33] Every organization needs to have a tool we call vulnerability scanner, where they run that scanner and they generate reports.
[00:19:40] That is not a senior task.
[00:19:41] Like, we actually need junior people.
[00:19:43] I cannot get someone with five years of experience to do this job because A, they'll get bored and leave.
[00:19:48] And B, frankly speaking, I don't have enough money to pay someone senior.
[00:19:51] So, this is a junior task.
[00:19:52] There are so many, like even under the umbrella of identity and access management, there is an army of junior resources that we need that they absolutely need no skill to do that job.
[00:20:04] They just need to be willing to learn and willing to start their journey.
[00:20:07] Another umbrella of roles is GRC, which is, again, there's so much garbage online about what GRC is.
[00:20:14] But, again, within GRC, most roles aren't really senior.
[00:20:17] So, in my opinion, cybersecurity, just like any other field, like networking, you have junior network engineer, mid-level, and you have senior network engineer.
[00:20:28] Same thing with cybersecurity.
[00:20:29] You have a junior analyst, analyst, you know, director, et cetera, et cetera.
[00:20:33] So, that's my take on it.
[00:20:35] Yeah.
[00:20:36] It makes a lot of sense.
[00:20:37] And I think a lot of people kind of that are perhaps trying to get into the industry and, again, have difficulty in understanding how to can really push this agenda of cybersecurity being something that you need experience in this area or that area before you can actually get into.
[00:21:04] I think everyone's path is so different.
[00:21:08] And there are different paths to getting to the point you want to get to.
[00:21:14] Cyber, like you said, is very broad.
[00:21:17] And there's many domains that you could be getting into that require completely different skill sets from the other, which is interesting.
[00:21:27] And really what you said is so true.
[00:21:31] Like, when you think about it, literally, graduates get hired into.
[00:21:38] So, that alone kind of.
[00:21:41] It's crazy.
[00:21:42] And you know what, Caleb?
[00:21:43] Like, the problem is on the internet, blanket statements tend to, you know, get views.
[00:21:49] For example, if someone says, there is an idiot out there who says, like, cybersecurity training is scam.
[00:21:54] Full stop.
[00:21:55] Reason why?
[00:21:56] His literal reason is you can't secure what you don't understand.
[00:21:59] Therefore, you need to do CompTIA.
[00:22:01] Therefore, buy my course.
[00:22:03] That's CompTIA course.
[00:22:04] Like, this is.
[00:22:05] And you look at these people and they actually have never worked today in their life in cybersecurity.
[00:22:10] There is this strange idea that, you know, there has to be only one path.
[00:22:15] Like, I really liked what you just said.
[00:22:16] There is so many different paths and there is not just this one single path.
[00:22:22] Like, people, again, a popular thing that used to be, and I personally tried to fight it, is they said, CCNA from Cisco, that's a must.
[00:22:30] If you don't do CCNA, you don't understand networking.
[00:22:32] Which is, frankly speaking, really stupid.
[00:22:34] Like, saying something like this is just communicating to me that you are under the impression that networking knowledge only exists in CCNA.
[00:22:43] That's ignorance.
[00:22:44] There is, like, a countless number of training courses that go over networking.
[00:22:48] There is free videos.
[00:22:50] There is tutorials.
[00:22:51] There's so many things you can do to learn networking.
[00:22:53] And networking exists outside of Cisco.
[00:22:55] And not only that, there are so many roles in cybersecurity that requires zero, zero networking knowledge.
[00:23:02] And that just seems to pisses people off because they think, you know, this is the path.
[00:23:07] Like, I had a video once, you know, scrapping on CCNA and saying, basically, if you want to work in cybersecurity, you don't need to do it.
[00:23:15] And then I had this YouTube channel make a video and say, no, no, no, no, do CCNA.
[00:23:19] And just out of curiosity, I clicked on that person's name.
[00:23:22] And I looked at the YouTuber who had, like, a massive follow-up.
[00:23:25] Looked on his LinkedIn profile and his experience.
[00:23:28] He worked as an IT support for, like, eight months.
[00:23:32] And then all he did was work in these, like, content creation cybersecurity companies where he actually hasn't performed a single cybersecurity task.
[00:23:41] So, which is really weird.
[00:23:42] Like, to be outspoken on a topic that you know nothing about is really weird.
[00:23:47] Like, I don't know anything about climbing mountains.
[00:23:50] If I go on talking about climbing mountains, there's something significantly wrong with me.
[00:23:55] It's my opinion.
[00:23:58] Wow.
[00:23:59] Oh, incredible.
[00:24:00] We just launched a free cloud engineer assessment to evaluate and assess your current skills on your path to becoming a cloud professional.
[00:24:09] Now, when you take this assessment, it provides some incredible recommendations for your path.
[00:24:14] And remember, this is completely free.
[00:24:16] It costs you nothing.
[00:24:17] It only helps you on your journey.
[00:24:19] So, if this interests you and you are an aspiring cloud professional, definitely take this assessment.
[00:24:25] I'm going to leave a link to it.
[00:24:26] Here's an example of me taking it myself and getting some pretty good recommendations.
[00:24:30] From my own assessment.
[00:24:31] So, guys, check this out.
[00:24:32] And I hope this is really helpful.
[00:24:34] Thank you guys for watching.
[00:24:35] I'll see you guys later.
[00:24:36] So, through this conversation, we've touched here and there on your experiences through over 20 years in this field of cybersecurity.
[00:24:52] And I want to kind of dive into that.
[00:24:55] I know it's such a long journey.
[00:24:57] And that started over 20 years ago, of course.
[00:25:01] And so, I wanted to ask you what your path was.
[00:25:04] How you entered the field at the time when you started over 20 years ago.
[00:25:11] Absolutely.
[00:25:12] It's an old man's story.
[00:25:14] But look, to be fair, I will tell you exactly the story.
[00:25:18] I'm just...
[00:25:19] I don't want to end...
[00:25:20] Like, please, if you're watching this video, do not follow my pathway.
[00:25:23] My pathway is completely irrelevant to anyone watching this video.
[00:25:27] Things were significantly different back then.
[00:25:31] And what I did, you don't necessarily need to do, right?
[00:25:35] At the moment, there are so much better options.
[00:25:37] Just a disclaimer before I started.
[00:25:39] So, look, I watched...
[00:25:40] I was like when the first...
[00:25:42] When internet first came, you know, I got into MIRC and IRC chatting rooms.
[00:25:46] I don't know if you're familiar with them.
[00:25:48] It was a text-based chatting stuff.
[00:25:50] And like, I remember my passwords were stolen and stuff.
[00:25:54] And I was like a really young teenager back then.
[00:25:56] And I got really curious.
[00:25:58] Like, I didn't know that you can steal someone's password.
[00:26:00] You can...
[00:26:01] The whole concept of hacking was really, really new.
[00:26:04] And I somehow found...
[00:26:06] There was a website called frack.org.
[00:26:08] It's still there.
[00:26:09] It's like a hacking magazine where hacking groups were publishing their stories
[00:26:13] and their how-tos, et cetera, et cetera.
[00:26:16] And it coincided with, you know, me watching some movies.
[00:26:18] It was a hacker's movie.
[00:26:20] And then I learned about Kevin Metnick.
[00:26:22] Kevin Metnick was like the most popular hacker of all time,
[00:26:25] especially at that time.
[00:26:26] Like, he hacked into the government.
[00:26:28] And it was all over the news.
[00:26:29] So as soon as I discovered that, I'm like, fantastic.
[00:26:32] This is exactly what I want to do.
[00:26:34] I want to be a hacker.
[00:26:35] I want to, you know, hack the government, hack the world.
[00:26:37] You know, I was pissed off.
[00:26:39] And that's the part that I wanted to do.
[00:26:40] But like, I remember going through these chat rooms.
[00:26:43] And then I found internet forums.
[00:26:45] And as soon as I ask a question on like...
[00:26:48] And mind you, I was an idiot.
[00:26:50] Like, I didn't know anything.
[00:26:51] Didn't even know how to talk to people.
[00:26:53] So I would go and like, teach me, teach me hacking.
[00:26:55] Teach me.
[00:26:56] So like, I'll ask a stupid broad question.
[00:26:57] And they would get so angry.
[00:26:59] Like, I remember even the swear words they used at me in these chat rooms.
[00:27:04] I didn't even know.
[00:27:05] Like, I didn't even understand half of them.
[00:27:07] But somehow, I don't know where one of them said you need to learn Unix or you need to learn Linux.
[00:27:13] I'm like, all right.
[00:27:13] I latched into that.
[00:27:17] Signed up to university to study anything related to computing.
[00:27:20] The only thing that was available to me was computer engineering at the time.
[00:27:26] Horrible degree.
[00:27:27] Don't recommend anyone to do it.
[00:27:29] Really difficult.
[00:27:30] Not really relevant to what we do.
[00:27:32] But this was what's available to me.
[00:27:35] So I signed up to do that.
[00:27:36] And I started working at the time as a receptionist in a gym.
[00:27:39] And, you know, that money that I used to get.
[00:27:41] I remember like there was a shop renting DVDs.
[00:27:44] And I asked him, like, can I buy them?
[00:27:46] Because we used to buy software.
[00:27:48] So you buy Windows or you buy something on DVDs and stuff.
[00:27:51] And he said he did have, it was Red Hat 4.
[00:27:56] I can't remember.
[00:27:57] One of those really old Red Hats.
[00:27:59] I think Red Hat 3 even.
[00:28:00] And he sold me like five floppy disks.
[00:28:04] I don't know if you know them.
[00:28:06] And, you know, that's an operating system you install Linux.
[00:28:08] And that was like the beginning of my learning journey.
[00:28:11] So I installed that, you know, crashed my computer so many times.
[00:28:14] I was at desktop.
[00:28:16] As soon as you installed it, I'm not sure if you're familiar with this,
[00:28:18] like bootloader can't be found.
[00:28:20] And it was a whole nightmare.
[00:28:21] Like I spent the whole night just trying to install it.
[00:28:24] Not learn anything, just trying to install it.
[00:28:26] It didn't work.
[00:28:27] And anyway, I figured out a way to do double dual boot.
[00:28:30] And somehow the guy that worked on the shop, he knew.
[00:28:32] So he taught me a few things.
[00:28:34] And, you know, later on I got a chance to work at that shop.
[00:28:36] They rent DVDs.
[00:28:38] They sell so many things.
[00:28:39] And they even fix laptops and laptops, sorry, desktops and other stuff.
[00:28:43] So that was really the beginning of my journey.
[00:28:45] But that little bit of introduction to Linux, introduction to Linux,
[00:28:49] and me being in university, it got me a chance to work for a company.
[00:28:53] I don't know if you heard it called Sun Microsystems.
[00:28:55] It's not a company anymore.
[00:28:57] It got acquired by Oracle.
[00:28:59] It got completely destroyed.
[00:29:01] But yeah, started my first job was as a Unix support engineer.
[00:29:04] And within that job, like I said, security was fundamental to everything that we do.
[00:29:09] I still wanted to learn, still wanted to learn hacking.
[00:29:12] I learned a few tricks at the time, like, you know, hacking passwords.
[00:29:16] And there was like stupid softwares that I downloaded, like a key logger
[00:29:20] and other tools that should not be mentioned here.
[00:29:23] But just reading FRAC and just doing that and just trying to follow the news of hacking groups.
[00:29:30] I even went to a, I don't know if they exist anymore, hacking fest.
[00:29:33] It was a Germany sort of festival with lots of hackers.
[00:29:37] Mind you, I didn't know anything, but just being in that environment and watching it,
[00:29:41] that was the beginning of my true passion and my true journey.
[00:29:44] From there, like on the job, I was learning more and more.
[00:29:47] Unfortunately, we didn't really have like good training courses that I could take and learn penetration testing.
[00:29:53] Like I remember when offensive security introduced Kali Lina.
[00:29:57] It wasn't even, it was called BTS when I was first introduced.
[00:30:00] And that was like a revolution that we never saw anything like it.
[00:30:04] Like it was this huge new thing.
[00:30:06] So that was my journey.
[00:30:08] You know, long story short, fast forward to today.
[00:30:10] I mean, cyber security consulting.
[00:30:12] But really, that's the beginning was just a desire and a passion.
[00:30:15] I really wanted to learn that.
[00:30:17] And I just didn't take no for an answer.
[00:30:20] Get the operating system.
[00:30:21] I was and still am very stubborn.
[00:30:23] Get it done.
[00:30:24] Get it done.
[00:30:24] Study, learn what I can.
[00:30:26] And like in my professional job as a, you know, Unix engineer, I got to really, really get good at Unix.
[00:30:32] Like I got to learn everything there is to know.
[00:30:34] And that includes, you know, we worked on cool things called Solaris Trusted Extension.
[00:30:38] And there are some stuff that only the army uses.
[00:30:41] And I've got to see really cool places.
[00:30:43] And I think that's really set me up for life.
[00:30:46] But yeah, that's the story.
[00:30:47] That's the short version of a very, very long story.
[00:30:50] And I look at those days with like fond memories because yes, we didn't have access to courses.
[00:30:56] But I think there was a lot to be said about just trying really hard to find where the information is and just not giving up.
[00:31:03] Yep.
[00:31:04] Yep.
[00:31:05] Great story.
[00:31:05] And it's funny how you use that disclaimer at the start that you don't need to follow this path.
[00:31:15] Please don't get a job as a Unix admin or something in the hopes of working in security.
[00:31:20] You don't need to do that.
[00:31:22] Right, right.
[00:31:23] So let's talk about the path.
[00:31:28] I mean, like we've already said, there are so many domains and areas of cybersecurity.
[00:31:35] So this would kind of be more of a general or yeah, with all the specific different roles.
[00:31:46] What would be the best path of achieving that first role?
[00:31:51] I mean, I know you have loads of like really, really good roadmaps on your channel that have shared how to get in, how to get your first jobs in various roles.
[00:32:05] So what are those key steps to the path that you'd recommend today?
[00:32:11] Yeah, look, I think that sort of the best or like the best way, in my opinion, doesn't exist.
[00:32:19] Like you said earlier, Kelly, there's so many ways to achieving that goal.
[00:32:22] But in my opinion, if you're someone who's like, you've never worked in this field a day in your life.
[00:32:27] So you probably have an idea of that, what of that, of what that field might look like.
[00:32:33] Or maybe you have, you know, you prefer one of the, like you want to be an ethical hacker or you want to do digital forensics or maybe GRC.
[00:32:42] In my opinion, if you're brand new, you haven't done anything.
[00:32:45] The first step is to just keep an open mind and just try to get your foot in the door.
[00:32:50] So step number one, just accept that it doesn't really matter what the first job might be.
[00:32:56] Your goal or the most important thing is to try and get experience.
[00:33:00] So get your foot in the door.
[00:33:02] So in my view, if you know nothing, I think like something like, I don't know, the Google cybersecurity cert or even like a security plus, which I'm not a fan of,
[00:33:10] but something broad and general that just explains to you what cybersecurity is.
[00:33:15] So that should be like your first call of action.
[00:33:17] Now, if someone has done an entire degree in cybersecurity and again, criteria, that degree is good because, you know, degrees are different.
[00:33:26] It's not just one thing.
[00:33:27] Let's say, let's assume that someone has done a really good bachelor degree in cybersecurity.
[00:33:31] They can possibly skip that first step.
[00:33:33] So they don't need to do a broad training in cybersecurity.
[00:33:36] But if someone hasn't done that, then yeah, something like the Google cybersecurity cert, security plus or both would be a good start in my opinion.
[00:33:44] And then the way I would approach it is take a generalist approach.
[00:33:49] So try to learn one thing from each area.
[00:33:52] However, don't fall into the trap of staying in that entry level land.
[00:33:57] For example, like the Google cybersecurity cert and security plus, those are entry level.
[00:34:02] Let's say I've got a course called GRC mastery.
[00:34:04] Again, it will introduce you to the world of GRC.
[00:34:07] It will give you the skills that we need for GRC jobs.
[00:34:10] So now you've got like more of a broad range of skills.
[00:34:13] I think the next step should be to pick something that's intermediate level, that's hands on, but also a little bit challenging.
[00:34:21] So pick a platform.
[00:34:22] It doesn't matter which one.
[00:34:23] Let's say you pick TryHackMe or HackTheBox or whichever.
[00:34:26] Pick something and, in my view, focus on the blue team side of things.
[00:34:31] Defensive skills, skills that will get you in a security operation center, like even something like Let's Defend is fantastic or Cyber Defenders.
[00:34:38] All of these platforms are great because they give you hands on practical skills.
[00:34:43] Having these skills, let's say you have a stock analyst skills, you have GRC skills and you have broad knowledge.
[00:34:48] In my opinion, this will give you an excellent leg up into landing your first cybersecurity job.
[00:34:55] I think the common mistakes that happen is people and I see CVs and emails and comments almost every day.
[00:35:02] They'll be like, it's really hard to land a cybersecurity job.
[00:35:05] I'm like, what have you done?
[00:35:06] It's like, I've done come to your A-plus, network-plus, security-plus.
[00:35:08] I'm like, well, fantastic.
[00:35:09] So you haven't done anything.
[00:35:10] You're just really just stopping.
[00:35:12] Or they'll be like, I've done Google Cyber Analyst and Microsoft Analyst and then Security Plus.
[00:35:16] I'm like, okay, so you've done step number one.
[00:35:18] What's stopping you?
[00:35:19] He's like, it's hard.
[00:35:21] I'm like, so what is hard?
[00:35:22] Like, what have you done?
[00:35:22] You've just studied something and you haven't even applied to a single job.
[00:35:26] So in my opinion, just don't stay too long in that beginner land.
[00:35:31] Like, do something challenging.
[00:35:32] Do more than one challenging course.
[00:35:34] And I think the second thing and the second sinister thing is sometimes people are so afraid of rejection.
[00:35:39] They apply to one or two jobs.
[00:35:42] They get rejected or something.
[00:35:44] Maybe the company didn't reply to them.
[00:35:47] But unfortunately, they start to make conclusions from that rejection.
[00:35:52] They start to conclude, okay, I got rejected.
[00:35:55] Therefore, the market is really bad.
[00:35:57] Or, oh my God, one company rejected me.
[00:35:59] Then cybersecurity is not entry level.
[00:36:01] Then they go to Reddit and they read garbage posts about how, you know, the field is doomed and gloomed.
[00:36:07] And, you know, there is no hope.
[00:36:08] So I think no one likes to get rejected.
[00:36:12] I hate being rejected.
[00:36:13] But it's just, you know, you got to play the numbers game.
[00:36:15] We all get rejected.
[00:36:17] So again, the second mistake I see is they only apply to one or two jobs and then they give up.
[00:36:22] In fact, if it was me, I would apply to jobs every single day and just get used to being rejected.
[00:36:27] And I'd like to give this example.
[00:36:30] Compared to candidates, one has applied to three jobs whilst the other person have applied to 300 jobs.
[00:36:37] Which one has a higher likelihood of landing an interview and landing a job?
[00:36:41] I think like the answer is really obvious in that one.
[00:36:44] So I think this is a rough plan.
[00:36:45] And like you said, I've got it to some, like I've got this same plan in so much detail in my videos.
[00:36:51] So I think that that's what I would personally do.
[00:36:55] And this has been proven time and time again.
[00:36:57] I do get, you know, comments on my YouTube videos.
[00:37:01] I get messages on Discord of individuals from all over the world who have followed these plans and has successfully landed their first cybersecurity jobs.
[00:37:10] Which is an ultimate proof to anyone who says, you know, it's impossible to land the job.
[00:37:16] Absolutely wrong.
[00:37:16] It's definitely possible.
[00:37:18] It happens every single day.
[00:37:20] Amazing.
[00:37:21] And that's an incredible path that you've laid out for anyone trying to get their first role.
[00:37:28] One of the things I really like that you said is comparing the difference between the two people.
[00:37:34] One of them with three jobs.
[00:37:35] One of them who has applied to over 300.
[00:37:39] I think a lot of the times people searching for roles are not searching with the same hunger as some people do.
[00:37:49] People talk about, there's one thing that I can't remember who told me this, but someone said that if you're looking for a nine to five and you don't have a nine to five, your nine to five should be looking for a nine to five.
[00:38:03] And so the time you're not working and looking for that role, your job, your one job should be applying to roles every day, tailoring your CV to numerous roles and really just grinding and going for that.
[00:38:19] And of course, this is when you're at the point where, you know, you've got the skills ready for the roles that you're applying for.
[00:38:25] And if you aren't applying with that same hunger as others are, your chances are so much lower than they should be.
[00:38:37] So that's a great analogy.
[00:38:41] Yeah, 100%.
[00:38:43] Amazing.
[00:38:44] So I want to get into my favorite part of the podcast.
[00:38:49] And I asked this question to every person who has joined me on this podcast so far.
[00:38:58] I think we're at episode 18 now.
[00:39:01] So everyone has given somewhat of an answer.
[00:39:05] And the question is, Unix guy, what is one of your most interesting career stories?
[00:39:12] And it could be interesting in a good way.
[00:39:16] Something amazing happened.
[00:39:17] You saved the day.
[00:39:19] Or it could be interesting in a bad way.
[00:39:23] Like a lot of people have told stories of how they crashed something or how they deleted something important.
[00:39:33] And so it's up to you which way you want to go with it.
[00:39:37] But what is one of your interesting career stories, good or bad?
[00:39:43] Yeah, look, depending on what's interesting.
[00:39:47] But to be fair, honestly, a lot of the things that are the most interesting things and the most fun things that I've worked with was like in like some classified environments and stuff.
[00:39:58] That's a long time ago.
[00:39:59] Unfortunately, not allowed to talk about.
[00:40:01] But I do have a story where I messed up big time.
[00:40:04] This was in my time as a Unix full-time Unix professional is, I don't know if people are familiar with this, but like big back-end servers, they have so many hard drives.
[00:40:22] And we have something called RAID.
[00:40:25] So RAID is when you have one hard drive, but we have another copy of the same hard drive.
[00:40:29] And it's like sync.
[00:40:30] We sync them together.
[00:40:31] So if one of them fail, the other one will take over.
[00:40:34] And, you know, there is RAID 10, RAID 0, RAID 1.
[00:40:37] And I remember I was going to this client.
[00:40:40] It was an airline company, airline booking company.
[00:40:43] So you book your tickets on that company for the airline.
[00:40:47] So it's not airplanes, but it's a booking system for an airline.
[00:40:50] And I took a junior engineer with me.
[00:40:52] And I remember it was like 1 p.m., 2 p.m., something.
[00:40:55] I haven't eaten all day.
[00:40:56] And this junior engineer was asking me questions nonstop.
[00:41:00] So as I logged into the server, I realized they had one of the hard drives has failed.
[00:41:06] And the primary hard drive failed, but the secondary has taken over.
[00:41:10] You know, not to go through too many details, but the operating system was Sun Solaris.
[00:41:15] And the mechanism or the software we used used to be called Veritas Volume Manager.
[00:41:21] I still remember that.
[00:41:23] So Veritas Volume Manager is another layer of software where this copy is happening.
[00:41:27] The copy could happen on the hardware level, but it could also happen on the software level.
[00:41:31] So it was done by Veritas.
[00:41:34] And I was like, I knew these softwares in and out.
[00:41:36] So I could do it with my eyes closed.
[00:41:40] Now, some of those old Sun servers, the naming of the hard drive is really dodgy.
[00:41:45] Like I remember the name is this long.
[00:41:47] So many characters.
[00:41:49] As he was asking me questions, and I'm just running the commands really quick,
[00:41:52] so much that I wasn't even looking at the screen at some point.
[00:41:56] What I did is before I, like I needed to detach.
[00:42:00] So it's called RAID.
[00:42:01] We need to break it first, remove the old one, put a new disk, and then sync them.
[00:42:07] So what I did, I broke the RAID, took the old disk, put the new one.
[00:42:11] And when I ran, there was a set of commands to sync the two disks.
[00:42:15] And instead of syncing that one with the data to the new one,
[00:42:19] I sync the new one to the active disk.
[00:42:22] And as soon as I ran this command, I saw the server.
[00:42:25] I knew exactly what happened.
[00:42:27] Like I saw the OS.
[00:42:28] It used to be, we used to go from the OS to something called the OK boot.
[00:42:32] Anyway, you just go on the hardware level when you guys crashed.
[00:42:35] And standing next to me was actually the database administrator who was working for that company.
[00:42:41] And his face went yellow.
[00:42:43] Like I cannot describe.
[00:42:44] Like he had a stand like me and his face went yellow because he knew exactly what happened.
[00:42:51] I remember I looked at the engine.
[00:42:52] I'm like, can you please stop talking for five minutes?
[00:42:56] Give me a second to just...
[00:42:58] And, you know, being experienced, I just took a step back.
[00:43:02] I messed up.
[00:43:04] The DBA guy, he started getting calls from his company.
[00:43:07] Like his phone started ringing.
[00:43:09] They start like the application is down because all the branches, they couldn't see the booking system.
[00:43:13] Like it was during working hours.
[00:43:16] And again, we used to do these things during working hours because these companies were 24 by 7 live.
[00:43:21] But also like the reason why we have this redundancy is because we didn't need to take the system offline.
[00:43:26] So yeah, immediately I asked him, so where's your backup?
[00:43:29] So he still did backups.
[00:43:31] And I started restoring backup, hoping it was recent.
[00:43:34] And yeah, it took what should have been like half an hour job.
[00:43:38] It took, I think, three hours.
[00:43:40] And yeah, I remember by the time I finished and I walked out, I was like, I didn't realize I was sweating so much.
[00:43:47] Like I wasn't physically nervous, but I think psychologically I was just so upset for causing an outage that was unnecessary.
[00:43:54] But that's one story I'll never forget.
[00:43:57] Thank you so much for sharing that story.
[00:44:01] I hope it doesn't bring back any trauma.
[00:44:03] No, I only look at these times with a really fun, like it was such a good, like we had so much fun.
[00:44:13] Exactly.
[00:44:13] And I think that's the case for most people who told like a crash story.
[00:44:18] It's like, it was such a great learning experience and I wouldn't change it.
[00:44:23] Yeah.
[00:44:25] Which is amazing.
[00:44:26] I wouldn't change it.
[00:44:27] I didn't learn anything.
[00:44:30] I think I should be more careful.
[00:44:33] Amazing.
[00:44:34] Unix guy, thanks so much for joining me on this podcast episode.
[00:44:39] Before we end it off, I just wanted to ask you if there's anything you wanted to plug or shout out to the audience.
[00:44:45] No, I just want to thank you, Caleb, so much for having me.
[00:44:48] This has been absolutely fun.
[00:44:50] And, you know, if anyone is watching this, please subscribe to Caleb's channel.
[00:44:53] It's an absolutely fun channel to watch and I've enjoyed some of those podcasts.
[00:44:58] So thank you so much for your time and thanks for having me.
[00:45:01] Amazing.
[00:45:01] Thanks so much, Unix guy.
[00:45:03] And to the audience watching.
[00:45:05] Thank you so much for watching.
[00:45:06] We will be back every week with this podcast.
[00:45:09] So stay tuned.
[00:45:10] Bye.
[00:45:11] Bye.