
March 18, 2025 • 54 mins

Business owners and IT professionals: Learn how to kickstart a successful career in cybersecurity with expert insights from Cybersecurity Consultant and Content Creator, Sam Romanov.

Join co-hosts Joe Erle, a seasoned cyber insurance expert, and Mike Dowdy, AI and cloud security expert, as they explore the latest trends in cybersecurity.

Discover practical tips on becoming a cybersecurity consultant and how to train yourself to be competitive in this cybersecurity job market.

Key Takeaways:

  • Breaking into Cybersecurity: Tips for beginners looking to start their careers.
  • CISO Consulting: The role of a Chief Information Security Officer and how to become a successful consultant.
  • Cybersecurity Trends: Understanding the latest threats and technologies shaping the industry.
  • Career Advancement: Strategies for professionals looking to grow in their cybersecurity careers.

Explore the world of cybersecurity with Sam Romanov, a renowned expert in the field. Learn about the latest trends, challenges, and opportunities in cybersecurity consulting. From breaking into the industry to becoming a successful CISO consultant, this episode provides actionable advice for both beginners and seasoned professionals.

Chapters:

  1. Introduction and Guest Introductions (00:00 - 03:02)
  2. Getting Started in Cybersecurity (03:02 - 07:46)
  3. CISO Consulting: Challenges and Opportunities (07:46 - 14:44)
  4. Cybersecurity Trends and Threats (14:44 - 21:22)
  5. Practical Tips for Career Advancement (21:22 - 26:02)
  6. Navigating Cybersecurity Regulations (26:02 - 31:11)
  7. Closing Thoughts and Contact Information (31:11 - 40:45)


This episode of the podcast features Sam Romanov, a cybersecurity expert with extensive experience in the field. The discussion focuses on how to enter the cybersecurity industry, the role of a CISO consultant, and the latest cybersecurity trends. Sam shares insights on overcoming common challenges and provides practical advice for advancing your career in cybersecurity.

Recommended Certifications for Cybersecurity:

  • CompTIA Network+: Essential for understanding networking fundamentals.
  • CompTIA Security+: A foundational certification for security professionals.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
we're in the business of securing systems
we're not in the business of being a risk assessor
we're not in the business of auditing
we're not in the business of like analyzing logs
they're functions that exist within providing the benefit to um
customers so we need to stay up to date with what's relevant
what certifications
would you recommend for people getting into cyber security

(00:21):
I think it really does I think there's two categories of people
there's people that come from
IT background
and there's people that are not coming from any technical background
that wanna get in so with people that aren't
people that don't have a technical background I
I think you know
you need to start with some
you've gotta really understand like

(00:41):
the security at all the different layers
and how the technology is working first
before you can even get in and start
applying the security because you might be communicating to people
especially if you're doing like a risk assessment
that have no idea what you're talking about
and you've got to provide an education piece
honestly it was survival
it's either you learn cybersecurity die or customers die
I think figuring out where you wanna go

(01:02):
coming up with a roadmap and then aligning those skills
experience and knowledge
in terms of your own personal strategy
is like the way to go to get into cybersecurity
so Miami is
the city that was built on cocaine and sustained on cybercrime
like one of the questions I get asked all the time from people is like
should I even worry about getting into cyber security
because AI's gonna take all of our jobs

(01:24):
the answer is
welcome to the Ransomware Rewind podcast
hello and welcome to the Ransomware Rewind podcast
today I'm excited to introduce Sam Romanov
he's the owner and principal consultant
at Cornerstone Technology Solutions
he provides cyber security solutions and services to clients

(01:44):
he's an expert in information security
network management project delivery
regularly shares great cybersecurity tips and tricks
also how to get into the industry on his TikTok channel
@Cybersecurity.Sam
his videos have
hundreds of thousands of views
Sam's socials are very entertaining
he's constantly helping people find cybersecurity jobs

(02:06):
learn the industry
and helps businesses with tips and tricks
on how to protect their business
his humor paired with his expertise
make it both entertaining and also very informational
I gotta ask you what's
what's your Instagram handle all of yeah
right now @cybersecurity.Sam
so I guess the background to that I

(02:28):
I wanted to become a CISO uh
last year that was my objective
and I reached out to a guy called Doctor Eric Cole
like I don't know if you know him
I think he's a bit of a big deal in the US
he worked for the SANS Institute
and was an instructor and stuff there
and I did his course he's got a course on how to be a CISO

(02:49):
and it's either
you can either be a CISO working for a company or a virtual CISO
I like virtual CISO because I'm a bit of an entrepreneur
and he said in order to get clients
you need to go on LinkedIn do a video a day
and then while you're doing the video
you're doing outreach
so when you're messaging people and you're adding them on LinkedIn

(03:09):
they're seeing your content coming through
so it's kind of a bit of a bit of
a bit of a sales ecosystem that you're building just with your iPhone
so I started doing that and then good friend of mine reached out to me
he's runs the marketing company and he's like look
I haven't seen anyone talk about cyber security like you uh
I'm a little bit different goal
I might do kettlebell swings in my videos

(03:31):
I got the pen ready and uh and then he's like
let let let's just see what happens
and I ran with that and then some of my videos did really well
and now I'm doing cyber coaching and I'm building a course
cause that's what people want go on and do to do more B2B uh
type stuff
like sort of my objective was with doing the online marketing

(03:51):
but it turns out like this E is really where
where I was getting a lot of interest
so so yeah I mean
I ended up landing like a vCISO engagement
so I hit my objective uh on that
but then at the same time
found out I was like coaching people getting into cyber
which ends up paying a little bit more than
than the CISO work and looking at building like digital

(04:11):
sort of like courses and stuff to sell
which I didn't really have that objective when I started the marketing
but it's kind of like interesting
when you put the information out there
like who comes back and you
you have an idea of what you think people like
but then when you actually put the content out
like find out it might be something completely different
and I did like marketing at university for a couple of years

(04:33):
and I was like you know
there's all this theory on trying to figure out like
a test of marketing or what not
but when you're doing marketing and you're running polls
and you're doing all this engagement
it's like it's it's like all the pieces came together
this is how it works like this is how marketing works
you're directly engaging with the customer base
and they're telling you what the problem is
and then you come up with the product when they tell you what it is

(04:55):
or thereafter
that's when you come up with the product and and even with the course
I've had people reach out
where's your course uh I can't see your course
I'm like I haven't even promoted that I have a course
like then I asked him
what kind of course would you like
oh we want this like cool
that's what I'm building well
maybe this podcast could be an addendum to your course
there you go who knows
yep but I like to demand because you think about products first

(05:19):
you have a tribe of people that have a problem
you have a solution for them
and now you vetted them because they're willing to pay for it
and all is doing just the opposite
yeah it's like
I think
have you read the book uh
I think it's called The E-Myth uh
why most yeah
small businesses fail and it's just gotta flip it on its head
like we like typically most workers will be like
or we do the work and then we get paid with

(05:41):
with business is it's kinda like the other way
it's like finding out what they need first
almost like the marketing first
and then when they come to you with like these my problems
that's when you go back with like solution
so that whole mind shift after reading the book
then doing this it was like a penny dropper okay
I get it now you know
yeah I read The E-Myth years ago
and it's something I live by because it's still true

(06:02):
like your average and the great name for the book
The E-Myth because your average company especially small companies
it's I'm an accountant I'm gonna get all these customers no
you're not yeah
you're busy marketing and sales
exactly if you're not doing marketing and sales
it ain't growing and you don't have a business
no one's gonna knock on your door because they hear you're an accountant
Mike I don't think we've formally sort of virtually met

(06:25):
pleasure to meet you interested to know a little bit more about you
sure um my history is right now I'm at Rapid Scale um
Cloud Consultants rapid scale project that I was with the Light Edge
another company that is in the cloud space
and prior to that I ran local telco data centers
then they would turn into real data centers

(06:46):
he start getting into the megawatts
the company names with the complex drive and fiber alley
and what I saw
was workload start moving from the regional
telco data centers to the cloud
and also how I got into cyber security
is a lot of folks who spin up dedicated servers
and just outright fraud and um

(07:08):
law enforcement would come after them and
and I started realizing like so much traffic on the on the internet
it's just outright fraud
and it's a myth that it is coming from these countries like China
Russia what have you it's everywhere
so coming from Miami it's all coming from Miami
Miami is a city that was built on cocaine and sustained on cybercrime

(07:31):
but hey but yeah
that that's what your soul
but that that's what got me into this space and before that Mike
cause we're talking about like I get into cyber security
what what was like your first job in cyber security
boy that was when I was running the data centers
and it was kind of like offset of the job and just learning it
like learning like how to configure firewall
if you say like the back then they have the old Cisco ASA

(07:53):
5505s and how to set up port filtering
and it was just an iterative process where
cause back just to give more context back in the day
you would take a dedicated server
you can say like a slash 30 so you got your public IP
you hook it up to your server and hello
welcome to the internet
so obviously people were getting hit up left and right
so I had to figure out how to protect them and say hey

(08:15):
you got an at your IPS and it just gradually came
it advanced from there but now yeah
more on the psychological side
so is this this is like before cyber security was like trendy right
exactly it was just good like networking practices
exactly and it started right
that's how it started
and then it came into this compliance and all that fun stuff

(08:38):
and honestly it was survival it's either you learn cybersecurity
die your customers die
you got serious fast there Mike sorry
this became life and death but it is it is however
this we had one customer where
he must have been breaking every law in the book
and I realized how easy it is

(08:59):
if you don't have SOPs in place
if you don't have cybersecurity in place
the criminals are just gonna come straight to you
and you have to defend yourself
and I know people view cybersecurity as a
like guardrails and then going on Instagram or whatever
but we have to be there especially in a work environment but yeah

(09:19):
and I'm kind of giving you a data dump on like verbal t tots
but it was survival more than anything
I feel that I feel that and rapid scale is cloud security solutions um
what do you actually do for businesses at rapid scale
we have a deep bench of engineers for cloud security for AWS
Google and Azure so what we do is we meet with um

(09:41):
the companies with their IT team
and then
create systems to protect everything that's in the cloud environment
edge protection like remote employees
cause we found this like the IT teams are always overwhelmed
what they can do is delegate these things to us
and then we can help innovate as well because we have developers
the challenge with IT and most businesses is the CEO and CFO

(10:04):
you need to innovate you need to innovate I was like
really can't innovate if someone stealing my data
how about you
that's where we come in in
in which regard
how do you get into yeah
exactly which regard how do I get into cyber
okay I was in the military for about eight years doing it
so systems administration
network engineering so kind of in a similar sense
uh with Mike Dowdy luckily

(10:25):
I sat the um
the CISSP exam not too long after I finished my tenure in uh
the military
and I guess I didn't realise I was doing some of the tenets of cyber
like asset security so like having data classification
especially being in the military
got to classify your data
I have good data governance
um identity and access management
so uh

(10:45):
you know assigning role groups and um
performing audits against accounts
um didn't realise that
that was a cyber security function as well at the time
and then even like uh
creating like VLANs and having good uh
I guess at layer 3 security
didn't realise that was security at the time yeah
just thought these are the things that you need to do so uh
while I was in the military

(11:07):
I ended up joining a startup
like a cyber security startup
I then left the military join the startup
it was a really bad deal I was 27
I didn't really know what I was getting myself into
it was an equity earning type model
but effectively I was being scammed um by the business owner
long story short um
ended up winning a contract for that company

(11:29):
uh the owner of the company had some health issues
uh just started deteriorating pretty quickly
I then uh left and I landed a another contract
um the contracts that I landed were cyber security engagements
the first one being like an incident lead
the second one working as an IRAP assessor
so during that time that I was working for the startup

(11:49):
I was hitting my certification goals
so CISSP
CRISC and then in Australia we have a certification called IRAP
so it's Infosec Registered Assessors Program
so that enables you to perform like complex
like security audits that are
it's kinda like vetted by the Australian government
that you can do these specialized sort of audits

(12:10):
so I started my company by winning uh
an engagement doing an IRAP assessment and then uh
from there just had my own company doing various different things
uh primarily in GRC so at the moment it's a lot of risk management
uh so moving from audit to risk
uh and then doing some virtual CISO stuff which is uh

(12:30):
more like strategy focused and and oversight
so very big hurdle very big journey to get in
uh it was very difficult in the short term like uh
leaving defense
working for the start up and then trying to win a contract
that was just plenty of no's
uh a lot of like trying to upskill as well
like just realising that there is a lot more in cyber security

(12:53):
beyond identity and access management
network security and uh asset security
so really during that time uh
that I was studying uh to get my certifications
a lot of home labs like I
I just went out started buying these big servers
I bought like some firewalls
just beefed up my like had like a very secure home

(13:14):
and I was just trying lots of different like scenarios
so uh within that
I was able to transfer like a lot of the skills and I made it
made myself more confident when I was on the phone with people
cause I would just list what I'm building in in my home and
and really that's how I landed that contract
they wanted to know what my experience is
I just listed like I had it like a next gen XDR application control

(13:34):
uh deployed had like a
a type 1 hypervisor running my own SIEM and I just listed it out
he goes okay okay okay
you're hot okay
it was like it it was like okay
this guy's got more than we running in his home and uh
I think that that's what makes it easy for me to go down
the coaching ground
is that I'm sort of just relaying what I've done to get into cyber and

(13:55):
you know just saying to people
you gotta have those hundred no's
like if you have 100 no's
uh in applications when you're applying for a role
there's gonna be like three yeses in that
so long story short I put another plug in there for coaching
but that that's been the journey and I'm
I'm learning like still everyday I'm trying to upskill
and you guys would know that like with the cyber security landscape

(14:16):
you have to really be on top of your game
like this just so much to learn
like with AI and there's all this quantum
I think a lot of people are saying this is buzzwords
but I'm really trying to figure out like okay
well yes
there there'd be problems
uh that are emerging
but so what like what do we do about it
like where are the opportunities
where the threats if we just look at it from like a
like a SWOT sort of analysis
so yeah even now

(14:37):
like I'm just I still got that like day one hunger where it's like
I need to stay on top
because otherwise I feel like you can just become irrelevant
like overnight um
very true and I say
so what advice Sam do you give to people that are like
just scratching the surface of cyber security
they they may see that cybersecurity is
could be a lucrative field and I like computers

(14:59):
yeah what would you tell someone like that
yeah like if they're just scratching the surface
I I always say that it's three things
it's like skills knowledge and experience
they're the three things that are gonna get you in to a job
now
like what really pisses me off is when I look online and people say
I do my 6 week course and you land a 100k job in cyber security
it doesn't work like that

(15:20):
it I sort of equated to risk is based on likelihood and success
so the likelihood of success is gonna be based on like
okay with knowledge
you can demonstrate knowledge
I can see you have some uh
university degrees or maybe some certifications in the background
on your screen Joe
I've got them as well like that's one the pillars
like the more certifications you have
the more the more qualified you are uh

(15:42):
the the higher the likelihood
and it's all about a competition because when you're going for a role
it's not just you that's getting interviewed
it might be 10 people so uh
you've gotta make sure that you're the one that stands out
so ensuring that you have your study game um
up to scratch and number two
it would be like okay with skills
start building a lab like like I discussed earlier

(16:02):
so get hands on get some hands on experience
these are all things that you can put on your CV like go out there
build a lab download VirtualBox
it's free download Kali it's free download Damn Vulnerable Web App
it's free download uh
Burp Suite Community Edition it's free cool
now you can start doing some web application penetration testing

(16:23):
these are things that you can put on your CV that uh
are gonna demonstrate you can do something and then experience
what I say is most businesses today are running Microsoft 365
or Google Suite so
why can't you start providing some advice
based on the skills that you've learnt
and the knowledge that you've gained uh

(16:44):
of how to secure some of these businesses' IT systems
they don't they don't know what you know
so don't be selfish with the information that you have
can provide cyber security awareness for free
advice for free or a free cyber security audit
grab a testimonial and a referral
these are things that you can put on your CV
you don't need to wait for that magic job that um you know

(17:05):
you're you're trying to aim for to start getting experience today
and then when you walk in
you actually have confidence that you're already doing it
you're already now a junior cyber security professional
you're not waiting for someone to give you that label
you're out there doing it and you've got some demonstrated experience
so that's is effectively the core pillars
like what I instruct people to do

(17:27):
and it's free advice that I give out
like the course and
and the coaching is really like a deep dive into that
it's like pushing people like okay
well now you're you paid me to just basically annoy you
are you doing these things
and then so that's like the core pillars
but even before you get started in that
figure out what kind of role you want in cyber
cyber is so broad like you can work in cyber insurance like yourself

(17:50):
you could be a cloud security
network security consultant
could do what I do which is GRC
could be a penetration tester
I think there's all different types of personalities that
that fit within that like the GRC
I like communicating with people
I like um
dealing with executives not a lot of people like that
that like sitting behind a computer
so I think figuring out where you wanna go

(18:12):
coming up with a roadmap and then aligning those skills
experience and knowledge um
in terms of your own personal strategy
is like the way to go to get in to cyber security
so that just saves like a lot of time
I believe and that's
that's my advice if you're listening to this
take it on board
awesome yeah
we'll list some of those free resources on the show notes for sure

(18:33):
you're talking about like having like your own lab
um what are like the
what's the hardware you would buy for um
your own lab like just start
yeah well
have like three
yeah like
I mean the
I don't know what it's what you have in the US
but in Australia we have a
there's like website called act networks
and it's all X government servers that you can buy uh

(18:54):
you don't really need anything that beefy
but like
you can have a lot more fun with a bigger server because you can just
there's more storage
you can set up more machines there's a lot more that you can do um
so for the course that I'm that I'm building I'm just running it
I'm just running my own lab on like my uh Mac Mini m two uh
like even with that I can do a lot like

(19:16):
like I've got 30 gig disk space on my Kali
I've got and then with that I can do a Damn Vulnerable Web App
I can launch attacks against that with my Burp Suite tool
so you don't you don't need a lot to get started
but it really comes down to processor memory and disk
the more you have the more you can do
so really like if you wanted to get started
if your computer supports virtualization uh

(19:39):
you can check your laptop or computer
don't know exactly like where to look
but if you Google it
like how do I check if my computer supports virtualization
you can do that really simply and you can get started today
but like I said the more resources you have
the more you can do one thing that I always see on
you know cybersecurity TikTok
is the guys are always talking about certifications in different ways

(20:00):
different education rule uh
ways to get into cyber security
I mean you your background was military
which is a great way to get into cyber security
because you get paid while you do it
even though you're kind of like a slave in a good sense of the word
good for young men yeah
forget the way like you can't leave as long as you when I joined
I really needed it discipline yeah

(20:22):
I know there's a
there's a certifications like I'm gonna ask you about those in a
in a second yeah
um there's two year programs there's four year degrees um
and the self taught right
what certifications
would you recommend for people getting into cyber security
I think it really does I think there's two categories of people
there's people that come from uh

(20:43):
IT background
and there's people that are not coming from any technical background
that wanna get in so with people that aren't
people that don't have a technical background I I think
you know you need to start with some sort of IT fundamentals first
so this could be like a CompTIA certification like Network+ um
or Security+ like I think you really need to understand networking

(21:05):
data in transit and how networks work
that's like when you have a system that's isolated
it's not connected to anything
it's not really like a lot of threats
it's like it's me that's a threat to my own computer which
which isn't really like a
a reasonable sort of situation
the the threat really
the threat landscape really comes into play
when you start connecting multiple different systems together
either locally or or um

(21:26):
you know across the internet when we have like cloud system
so I think really understanding how a network works
and the OSI model in particular
because this is like
the different layers of where vulnerabilities exist
like there's TCP based um
attacks there's DNS based attacks
there's HTTPS based attacks
there's a lot of attacks that exist within that stack

(21:47):
and I feel like you really need to know how it works
and I equate cybersecurity to like the medical field right
so you wouldn't go to see a doctor if they didn't know how the body works
they might know how to treat things but uh
it's no different to cyber security
so like with cyber security
a network has symptoms of an attack
it's it's not healthy
there's something wrong you might come in for preventative medicine

(22:10):
there might be you know
an issue with with the
with your body like there might be like cancer in this case ransomware
so you have someone come in to treat it
so I I think you really need to understand it first
before you get into cyber security um
some people get in uh
without that but I feel like they struggle a lot
and this is where like the imposter syndrome sort of comes in with it

(22:30):
like I feel like an imposter
yeah well
you should feel like an imposter cause you don't know how it works and
and and security um
you're kinda like the masters of that domain
so first of all understanding how networks work
then applying a security layer of the top you're coming from uh
an IT background like I did uh
and like now Mike did I feel like um

(22:51):
you just need to figure out like
where do you wanna specialise and then go down that route
like if you wanna specialise in being like a SOC analyst
or maybe don't look at doing GRC based certifications because you
it's all about time and effort
like how quickly do you wanna get to your goal
so I think that's essentially the critical part
there are a lot of certifications that exist
within each of those streams
uh I mean

(23:11):
I could give it like a list
um that if you wanna give in like the show notes or whatnot after this
but you know I
I won't labor the point too much
non-IT first apply a security layer IT background
figure out what the hell you wanna do
and then have the applicable certifications
uh for that road map
I'm gonna jump in
I think you made a really good point about knowing the OSI layer

(23:33):
the different layers and OSI model
cause people are talking to you
they're gonna say hey
this is at layer 3 hey
this is layer 1 like oh okay
so that's it's on the physical layer right yeah okay
but if you don't know that
if you don't know that you're screwed
and I've done both the sales side and the tech side
and when you talk to the engineers
they're not gonna be nice
they're gonna say okay

(23:55):
on layer 1
we have this old hardware layer 3 that networks blah blah blah blah oh
by the way we got packet loss
you're like oh shit
what's he talking about
packet loss on the physical layer you idiot and they're not nice
so you got just like learning a tree
like the I hear the technology of like a tree
you got to learn the trunk before you learn to leaves

(24:15):
what I've seen in the space
a lot of people learn to leaves because it's fancy yeah
yeah the engineers will eat you up if you don't set you up for fair
yeah gonna start at the roots
even the roots exactly yeah
I think like don't don't like rush it
like don't like just you know
I wanna get into cyber security
I gotta get in the next three months
just like no
just just take your time
you like you gonna get this set a five year plan

(24:35):
like I've got a five year plan
like I don't know if you guys have one
but I even have like a 25 year plan
like it's it's
it's just like you get there just
and you what
like if you're getting into cyber security
I feel like you really
should have a passion for knowing what's going on
because you're getting paid
to verify and validate if something's wrong
so I I get like

(24:56):
you know the way that I
when I when I do like my GRC assessments I
I really like don't leave any sign
I don't like I'm
I'm really paranoid like I don't wanna make
I wanna make sure that I'm
I'm crossing everything off
so the only way that you can do that is
really understanding the technology right
so like um
and like you said like it
it assumes knowledge when you're getting into conversation
like I'll be in a room and if I'm doing like a presentation on um

(25:20):
my findings and typically the way that some organisations will run it
they'll do like a big peer review session
and I'll have the SOC team in there
I'll have um
the data scientists in there because we're talking about data uh
we'll have the penetration testers in
we'll have architects in the room and there'll be like
there might be like 20 to 30 experts in this room
especially like a large enterprise

(25:41):
and I'm giving a presentation on my findings
and we're talking about protocols
we're talking about um
reliability of data
we're talking about like some of the tech that I've
that I've gone into has been extremely complicated like
um you know
like Cisco ACI technology and like I'm sort of using terms here
but like data center networking and like
you've gotta really understand
like the security at all the different layers

(26:03):
and how the technology is working first
before you can even get in and start um
applying the security because you might be communicating to people
especially if you're doing like a risk assessment
to have no idea what you're talking about
and you've got to provide an education piece to them first
something like a like
a half an hour education piece on the technology
before I even jumped into like
like what the security concerns are

(26:24):
at least from my perspective of how this is configured
so definitely it's you know it
it's it's prudent to like not know the 10 before you even get in
if that's like the the right term of how you use prudent
but like that that's how I feel it needs to be just as like an adult
you the friend to talk
depending on like who you're talking to is like another board

(26:45):
it's gonna be a
completely different conversation than when you're talking to like
the it team cause the board is gonna wanna know
you know what's our ROI
how much does it cost what's
oh yeah having
you know something go wrong if we don't do this
cause they're looking at it at a certain expense right
yeah or two
two completely different talks
so like with the technical team

(27:05):
you'll be doing a technical deep dive into like
like one of them was like how they're
like a trust anchor module
and a trusted platform module
how they're performing signing of
software that's coming into the system
so how you can verify whether or not the update is
accurate or it's authentic

(27:26):
and then they wanna know the entire trust chain
like from the vendor all the way to here so
who's really controlling the certificates
how all that works and then if there is a risk
you've gotta then translate all of that into like a business risk
and then communicate that to the risk owner
so it's kinda like
you're wearing two hats and you gotta communicate differently
so for risk owners it's really about like a traffic light system

(27:47):
you know
red, amber, green, what's it gonna cost
how long
you know
what's my risk and how long
until this is going to be remediated
so what's our strategy moving forward
the technical team it's really about deep diving into those problems
so knowing how to communicate in
you know
both streams is like another core skill of being in cyber security that
at least from my experience

(28:09):
that's like a little anecdote of
of the difficulty in it and I still struggle
sometimes it takes a lot of work
yeah I think it's even more difficult to have
like a 5 minute conversation with an executive
to distill like a 2 hour meeting down to like okay
here's what we need to do and you need to believe me
cause I need buy-in right
I don't wanna go back to the team and say
we didn't get buy-in so yeah

(28:30):
yeah that
that is a lot of brain power right
I have kind of a funny question for you
like
you know those memes where it's like what I do
what my friends think I do
what my mom thinks I do and what I actually do, for people in cyber security
can you paint that picture
like what they think cyber security is versus what it actually is

(28:51):
yeah Excel
Microsoft Excel, a lot of data analysis like
yeah yeah
yeah tables
and like I find that there's a lot of data analysis
a lot of report writing at least from my
my experience like a lot of report writing
a lot of data analysis and then a lot of meetings

(29:13):
like just trying to get people on board with
what you're doing
and also trying to find out what the hell is going on
like sometimes you go in and you'll be looking at a diagram
oh that diagram's like 5 years old
don't worry about that one
okay well thanks
you could have told me that like a week ago
different teams have different views
especially in like large enterprise organisations
where you have multiple different teams
like one team looking after automation

(29:35):
one team looking after networking
teams on top of teams on top of teams
with like project managers that are rotating
so no one has a view of what's going on
and that can just take like a month to try and figure out okay
we all agree this is what we're doing
so a lot of stakeholder engagement
I think is
is one of the things that is left out
like at least from my perspective

(29:55):
like it might be different with like penetration testing and the like
but that's the stereotypical perspective
with all the screens in the dark room
yeah exactly
typing away every time, that's good, a TikTok on that
yeah and it's
they always have these silly pictures and they're like
when you get a script, I'm sorry
like a leet script and they like have batch files and IPs
I've got a few of those videos on my TikTok

(30:17):
what I think we do versus what we actually do yeah
it's funny, what does your mom think you do Sam
look I
I try to explain to her in like a
like I don't explain who my clients are and who I work for
I just try to tell her what I'm doing and she just
you can see that look in her eyes like she's nodding
but she's like what the f are you even doing

(30:38):
and she's like yeah
she's like
I can't even update my phone
like how do I understand what you're doing
but they just
they say yep
you're doing a good job you know
it comes up a lot in our podcast
older people are prime targets for
oh yeah getting hacked
what would you tell people to tell their parents
multi factor authentication
just put that on your emails

(31:00):
put that on all of your critical assets that you have
you know I've
I've seen different instances where I'm not gonna say who
but some family members have been targeted
successfully targeted
and the crux of it is like
if they have multi factor authentication
then it really like either stops or slows down

(31:20):
the impact to like at least a degree where
you know you're
at least gonna be notified that something suspicious is going on
so just having good identity based security controls
like you hear it a lot like
and it's almost like a buzzword
it's like there's gotta be more to security than
than MFA but it's really like a really powerful control
if you can't get that right

(31:40):
then don't even worry about anything else
because what I say is if you have poor identity security
they're gonna log in, not break in yeah
100% so don't let them log in first
at least try to make it hard for them to get in
so you know you're not that low hanging fruit
and if anyone can take away anything and like
you know if you have some family members Joe

(32:00):
I think that you know you wanna relay
what I'm talking about
just make sure, even if you need to do it for them
just all those critical ones like Facebook
their social media
especially the email that might be linked to like everything
make sure that is MFA locked in in the first instance
then you can move on to like patching and the like
but that's the

(32:22):
the crux of a lot of problems
going back to cybersecurity and people getting into it
do you
do you feel like people get into cybersecurity for the wrong reasons
yes
yeah I think it's
people see like how lucrative it can be like the
you know
a high-paid consultant can make hundreds of thousands of dollars

(32:43):
and if you run your own firm
you can make, you know, you can make millions really
so I think some people get into it for the wrong reasons
but I think those people have a hard time when they
when they eventually get in
because you need to have a passion for cyber to do well
in cyber security like
like and if you get in for the wrong reasons
I think you're gonna be found out pretty quickly

(33:05):
like Mike was saying like these engineers
they don't muck around and it's
it is a small community, in
Australia it's a small community and the
the people that are doing well in cyber have a good
have a good reputation and the people that aren't doing so well
have a bad reputation so
you know they either shoot themselves in the foot or you know
eventually they get a passion for it cause they're in

(33:27):
you know they're in and they're doing it every day
and they get a good reputation
so that's I think that
that's the two different streams that sort of come
from the people that are getting into cyber yeah Mike
what would you say on that
you had a quick answer, well
the
challenge that I have is a lot of people are coming in for the money
which, you're gonna get called out on your BS really quick
you have to be passionate about it

(33:49):
and you're not gonna make a lot of money for a long time
what I like the idea of is like the apprenticeship world like hey
get a tech support job, do like Sam was talking about
like build a network at your house
and just get to learn it and have more of a passion form
if you go get a tech support job
you will get educated really quick
cause there's gonna be the firefight

(34:10):
you're gonna have someone screaming at you saying hey
I got compromised and you're gonna start taking a step back saying hey
how did you authenticate, you're gonna start learning Active Directory
you're gonna start learning MFA
and it's just way better than these random goobers
so like all these goobers, and right now it's AI
I'm gonna go on a little tangent
like I went and took the AWS certification for AI

(34:31):
cause I didn't know anything about it
I gotta learn this, I don't have a choice
but a lot of the goobers
are selling this myth that you can get in cyber security
and make all this money in a short period of time
it doesn't work that way yeah
and it's just very disingenuous
yeah I think they get found out right
like for the people that are like

(34:51):
like know their shit
like you get found out pretty quickly
like they start throwing around zero trust and all of this
like I've seen it before
where you've got these people coming in talking about zero trust
and that and
and I just start questioning it
like it's like
what do you mean by that
like you're saying what in zero trust actually like
like which pillar of zero trust are you talking about

(35:12):
uh
it's like well
you don't need to say it now
everyone knows you don't know what you're talking about
because zero trust is really just based on other security principles
and really combining them together like
and same thing with AI it's like AI
AI AI
we gotta watch out about AI but
but like okay
well what are you like

(35:33):
which situation are you concerned about in like a business context
like is
is this like
like where like
give us an example because it's all based on risk
so I think yeah
I think you can get found out pretty quickly
and they shoot themselves in the foot yeah
gotta do your homework
yeah well
I mean speaking about money though

(35:53):
what is like
the field in cybersecurity that's paying the most right now
like if somebody was like
you know I
I love cybersecurity yeah
I wanna like work in the part of cybersecurity that makes the most
is it just like all of them
you're doing really well yeah
at the top of it yeah
yeah cause like
you know some people say that CISO is the top

(36:15):
but you can make just as much as like a specialist
that's really good
especially if you're a contractor and you have your own field
so it all comes into your strategy
like if you're looking at being like a full time employee
you could be like a chief engineer or the chief
like technical specialist in an organisation
as well as like a CISO
so I don't think it really, even in like cyber sales
even like it really
like being like a really good cyber insurance person like yourself

(36:38):
like I don't think it really matters what field you get in
if you have the passion and you don't
you don't look at the money
like the money will come
if you're just passionate about your work and you wanna be like
in your stride to be the best
the money will come as just like a by-product of your success
but you know
if the full time work isn't giving it to you, you can do what I do

(36:59):
which is set up a company and do
contracting and make your money that way
that would be yeah, that's my 2 cents yeah
so focus on your passion, work really hard at it and you know
you'll move up in the ranks and
and you'll end up making money as long as you're doing yeah
gotta do better work for people and constantly
you know people pay for value right

(37:19):
so like yeah
if you've got a passion and you're constantly trying to improve
and you get more certifications if
if that's one of your strategies or you're
you're trying different things
trying to get more experience in another area, trying to upskill
like people will pay good money for that
and so that to me becomes the focus is like you are the asset
so what do you need to do to make yourself more valuable

(37:41):
don't focus on the money, focus on yourself
how much does leadership go into that
I think it adds a lot of weight
like if you look at your prime promotional
like if you're trying to win a contract
what is your prime promotional
well it's your CV so on your CV I have my LinkedIn that's like
like integrated into my CV

(38:01):
I've got a hyperlink going to
I just had an article published in ISACA's journal
so that now goes on to my CV
so it becomes like you know if someone looks at it they go well
I can check Sam out now and have a look and oh
Sam's written this so he talks about this
oh wow like he's got, well he
he's not just valuable from the cyber security standpoint

(38:24):
we can use him to help grow our business
because he's got like a good presence online
so your value is now going up exponentially
and I think in the digital age you gotta have an online presence
I really believe that you need to have like a personal brand
and one of the things that when I'm discussing with my clients
the one
the hurdles I need to get them over is that everyone has a brand

(38:46):
because what do people think about you when you're not around
that's your brand
so like you know yeah
yeah yeah
so like that's why I say have a good work ethic
you know even if you're like
you're not confident and you're starting your cyber security journey
be the first person that turns up and the last person to leave
why? that's a brand, that's a brand point
you have good work ethic

(39:06):
like if you have better work ethic than everyone else
like at least if you
you might not have like as much cyber security knowledge or skills
but people are gonna go well
you don't wanna get rid of Sam
he's working an extra 10 hours a week, like that's hard to find
so over time, oh sorry I was just gonna say
another thing with that is
your brand
could be that you get the things done that were asked of you

(39:28):
yeah
oh yeah that you'll deliver on time or ahead of schedule
that's like, even that is like an awesome selling point
like that's something that I put on my CV
I deliver on time or ahead of schedule
like ask any of my references
that's what I do so yeah
like these are all touch points
that I think that people can start incorporating
into their online presence
so and I think as well like you can get recommendations

(39:50):
on like LinkedIn and that's like a really powerful way to like
you can say that you're good
but if you have 10 people
from all different organisations that are saying
you're good well
that's like instant verification that like okay
now I have trust with what Sam's saying
because 10 other people trust him
he's published, all of these sort of things
so that's gonna put you higher in terms of value
just from having that simple sort of digital touchpoint

(40:14):
yeah yeah
I had a lot of fun doing this
this is my first podcast
really yeah
I haven't done a podcast before maybe no
no I definitely haven't
no no
I've had other activities to jump on
but they just sort of fell through
so we popped that cherry today, International Cherry Pop
wow wow
thank you man
that's cool that I was your first podcast

(40:35):
yeah yeah cool
yeah send it through
I'll put it on my, I've got a Skool community as well
like you should check that out
it's the Cyber Security Growth community
let me, the link I'll put in the show notes
yeah yeah yeah
so
definitely recommend you jumping in
so we do like daily cyber tips
we have cyber quizzes and we have
guests that come on as well

(40:57):
and we have like
it's just like community based sort of projects like
one of the guys I mean
the community created
like an exclusive operating system that comes with like
capture the flag and hacking tools
like built into it
so you can like download it and run that as your own
your own OS which is pretty cool
so we should do a part 2
cause there's a lot of stuff we didn't talk about

(41:19):
we didn't talk about networking
we didn't talk about like contests like
like DEF CON and yeah like that you can like start creating
you know street cred for yourself
yeah 100% even AI
I wanna talk like more about AI and quantum
like but not just from like a standpoint of buzzwords
like there are some opportunities right now in cyber security

(41:40):
if you wanna start a business or you wanna help like organizations
like the threats, the vulnerabilities that exist
with like Copilot and stuff, like there's
some really interesting
takeaways that I've gained
from going to conferences like where the opportunities are now
so like I think this is one of the big
sort of one of the big problems that like
one of the questions I get asked all the time from people is like

(42:02):
should I even worry about getting into cyber security
because AI's gonna take all of our jobs
the answer is
no
don't worry because there's new opportunities that are coming out with
with Copilot, there's new opportunities coming out with
with post quantum, there's new threats that exist that need
guidance and they need
you know security tools
they need

(42:23):
recommendations to secure their organisations
there's opportunities within the threats
I guess like if you look at it from a SWOT analysis sort of standpoint
so yeah I really wanna jump into that in
in our next one about
you know what are some practical sort of takeaways that we can
we can look at for businesses and maybe even for you
some of your clients as well
knowing that
yeah everybody's worried about AI taking all their jobs

(42:44):
but it's like yes
in the short term there will be some jobs taken
but yeah we'll have
jobs in five years that we never even thought about
yeah well
look at the smartphone right
like the smartphone came out
like how many jobs have been created from that
that piece of tech
yeah like
like the applications that are able to be deployed on that
even manufacturing it so

(43:05):
it's kinda like cab drivers
right with Uber
like what business are you in
you're in the business of taxis
you're in the business of transport
it's the same thing with AI
it's like well
we're in the business of securing systems
we're not in the business of being a risk assessor
we're not in the business of auditing
we're not in the business of like analysing logs
those are functions that exist within providing the benefit to

(43:27):
customers so we need to stay up to date with what's relevant
so that's why, whenever, if I've got it here
I get, so I'm an ISACA member
so I get like a journal every quarter
I think there's five volumes
so maybe less than a quarter, more than a quarter
I should say
but I try to stay up to date as much as possible with

(43:50):
is that the one you're in
yes I've got the online exclusive, shameless plug
and I can share that as well
they gave me a PDF version so it's open to non members as well
but I bet you know
even within this it's talking about one of the areas
a neuroscience perspective on AI and cybersecurity
so you know as men we like to read when we're
using the dunny, or the restroom as you call it in the US

(44:12):
so I just keep that there and you know
why not have a bit of a read instead of a scroll
and you know automated phishing attacks
AI powered, and how that connects to neuroscience, defending
so here, defending against the threats, cool
these are all things I need to know as a cyber security professional
because these are the relevant
up to date threats that are impacting businesses

(44:32):
so you need to stay up to date otherwise you get left behind
how can people find you Sam? Cyber Security Sam on TikTok and Instagram
so thank you Trump for lifting the ban in the US
you can still find me on there, that
that was interesting because like
a lot of people started going to like the RedNote app right
did you hear about that

(44:53):
so I had to go to TikTok
I wasn't gonna start RedNote without like yeah
so look, for like any people who'd probably say to me like
oh you're in cyber security on TikTok whatever, look
I have like one phone and that phone only has TikTok on it
so I have two, sorry
I have two phones, one of them has
TikTok on it, the other one I use for everything else
just cause I'm a little bit paranoid about it

(45:13):
but I have a lot of fans on there
so cyber security dot Sam on TikTok and Instagram
Sammy Romanov on LinkedIn
you can find me on
those platforms but that
that RedNote thing was really interesting
so a lot of people like when the ban like happened for like
I think it was like a day
like half a day yeah

(45:35):
yeah so people flocked to this other app called RedNote
which is another Chinese owned app
so it's kinda like I don't know
people are just going to it, not for it
like obviously for a security purpose
cause that's how we're looking at it
but for more of like I want something similar to TikTok
but the people on the app are very
very different so like
obviously it's Chinese, a lot of Chinese on there
from mainland China

(45:55):
they think very differently to the US
they don't really tolerate like a lot of the woke ideology
so a lot of people were flocking to RedNote
and then like the Chinese were just like
don't bring any, there are only two genders
don't bring any of that woke crap on to RedNote
and it was just like, it was kinda like
I guess like a light bulb moment
I guess for like a lot of the people that were going on there like

(46:17):
oh hang on
actually we have like a lot of free speech in the US
like maybe just do Instagram
you know there's yeah
yeah Instagram's like more our type of social media
I think, I know Instagram is
they've done pretty good with like the reels and stuff
but yeah
it took me a while to get on TikTok

(46:38):
but now I tell everyone to do it
it's kind of fun
yeah I like
I don't use it
I only use it for posting my stuff and like engaging with people
but I don't know too much about it from
from a consumer perspective
let me ask you one more thing before you go
cause you're saying that you're doing lives on TikTok yeah
what do you do
live and how, and what have you like found is the most successful

(47:01):
I do like a live Q&A
so it's either me sitting in front of the camera doing this or
I'll be working out so I've got
I don't know if I can flip my
can you see my home gym oh
nice kettlebells
I've just got like a series of kettlebells
like from eight kilos up to 40 kilos
so like I advocate for trying to be healthy while you're at like home

(47:26):
because like it's easy to fall into a slump
so what I do, so I just do like a live
hang on what
so what I do is I try to advocate for being healthy at home
but I do like a live and I'll just be working out
so like at the moment it's like a promotion where I'll
I'll do a TikTok live and every time someone joins my community
I might do like a kettlebell workout

(47:47):
or I'll be providing advice while I'm like exercising
so I mean I find that people get motivated as well
like through that I think like
just movement on the camera is like attractive to people too
I think like movement is like
that's why people love video right
yeah yeah
yeah movement right

(48:08):
so you like doing workout stuff
it's like, it's easy, lives are engaging man
I might get like 700 people that have like joined like
at least one of my calls and I get a bunch of sign ups
I get a bunch of people asking for cyber advice and like
I'm gonna be honest like
I don't know the answer to all the questions that come up on the live
but it's a great opportunity for like creating new content

(48:29):
so like I go well
if I don't know something
what I'll do is I'll perform my own research
and then I'll do a video on that
so now like it's kind of like I've answered the question
but then I've created the content
yeah I feel like if you really wanna like grow your brand
you have to do the lives, like you have to, and like the first couple
you might feel like super nervous because like

(48:50):
oh shit you know
people turning up, I don't know any of them, blah blah blah
then they could ask me anything
but then you do a couple of them
and you find that the questions that you get asked are gonna be like
really similar
and then you get comfortable with like
just knowing that you don't know everything
and if you're honest, and I'll admit straight up
like if I don't know something
I go look man
you either have to explain that better to me or like

(49:11):
I need to, I might do like a
like a live Google and I provide my advice
and sometimes like I've even got the advice wrong
but then I've gone back and gone okay
well actually like there was a part of it that was accurate
but based on my understanding
this is what I believe is the truth
and then everyone on the call
you can qualify my statement if it's wrong
I wanna know why, so then it sort of engages them a bit and it

(49:35):
you come off as more authentic
so like yeah
I feel like with anything if you're gonna grow your online brand
you have to do lives, like you have to
and then you can even save the lives and use that for like
future content so like
you're getting asked questions that
other people that aren't on the live
might actually have that same question
which will then drive engagement higher, so Joe when are you doing a live
let's do it tomorrow man, tomorrow, tomorrow yeah

(49:58):
Monday Monday Monday
I don't know, specifically Monday is a live day
I don't know Monday
tomorrow I gotta, you can do it, you can do it today
like just like you hit that live button and you do one and oh
that was a relief you know
like and then you get to my point where you just do it like
how do you like them
how do you set yourself up to like, use your headphones or

(50:18):
I just have, what I do is I have like
yes you can do like, if you have Windows
I recommend getting the TikTok Studio because you can add like
you can add like additional sort of icons and stuff that makes it like
a little bit more engaging
like I'll include like a link
it'll be like a URL to my Skool community

(50:40):
and then
there's like other things
well there's like a tracker
like help me reach my goal
so you can now customise it like in a
in a pretty cool way
and then I have another screen that has the questions coming through
so like I'll have like my phone on and then that'll just
I'll connect to the live stream like through my phone
and then it'll just have the questions coming up
so I'm just looking at the questions coming through

(51:00):
and then I'm talking to the camera
that's like typically that's my setup
and then yeah you can just make it like engaging like
like you do quite a few of these lives
and you get sort of just comfortable with the way that you like
run it, like the way that you run it might be different
the way that I run it, like sometimes I might just
I might just start playing music
like house music while I'm working on something

(51:21):
and then people will be asking me questions and
they sort of like vibe out
and we have like a bit of an almost like a virtual party almost
like they just wanna vibe out with me virtually
and I don't know I guess some women that are joining
maybe they wanna watch me work out
I don't know
they give me a follow on bad things
so do my dudes
yeah yeah
like one guy's like you know

(51:41):
take it easy mate like my
my wife's on here, so I was like pumping
pumping the workout but
like I feel like everyone has their own unique selling proposition
so when you look at business
like a lot of people spend a lot of time figuring out
what's my USP, what's my
what's my USP
but I feel like if you get out there and you start doing the lives

(52:02):
you figure out pretty quickly
like what makes you unique versus like what makes me unique
just in like
in terms of your personality and your expertise and like your journey
so that's sort of when you're doing these lives
and that's what you're kind of promoting
and it feels like natural in that sense
so for me like I love working out
I'm doing a Spartan Race in May
so like a 50 kilometre obstacle race

(52:23):
I'm really all about fitness
getting shit done, here's the advice
let's go, and that's just my personality
but your personality might be different
and then people will be like
the right audience will be attracted to that
and then that's how it'll sort of build
and then as you're getting more people that are joining, at the start
if you're like more comfortable in your own skin just being like yourself
you know like that's my social media guru spiel

(52:47):
what about LinkedIn Live, you ever done one of those ah
I haven't done the LinkedIn Live
I probably could
I feel like LinkedIn like well
my take is LinkedIn is like
like a way more sort of professional, sort of doing like a webinar
something right, sort of vibe
it needs to be on like you know
I'm delivering like a webinar on how to do effective risk management

(53:08):
and communication, with the TikTok
stuff, does it work on LinkedIn? it's like yeah
it almost feels like the stuff from TikTok is like
what's gonna be on LinkedIn in like 3 months yeah
well I
I like my videos that I put on TikTok
I don't sort of filter them
so like on LinkedIn I'm putting the content on there
I'm getting some engagement like
you know people find the videos funny

(53:29):
like I guess, but I think that's what's helping me stand out as well
like a lot of people probably don't do the funny
like you do like the engaging content
I do the engaging content
not a lot of people like do that on TikTok
even that in its own right
I guess is helping you
and I stand out because people are getting to know us right
people are getting to know us yeah
yeah yeah yeah

(53:49):
yeah well
that's right, they say every time I turn on my phone
they see me, my haters are good
pay for my services, you're my people
that's right you can't get rid of me exactly
exactly, it's good to know that
you're looking at me when you're sitting down on the toilet
you know
or you call it the dunny, the dunny
the dunny, the dunny
and ask me like what's that, the john sometimes yeah

(54:10):
gone, probably done it
yeah I had my cup of Joe this morning
nice, what's that say on it
Canberra thinks you're boring too
so I'm from Canberra, that's the nation's capital
and people that don't live here think it's boring