#235 - Grey is the New Black (with Ryan Gooler) - CISO Tradecraft®

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey, i'm here in Chicago at THOTCON, andif you haven't been to a Hacker conference

(00:03):
in a while, stick around 'cause youmeet some of the most amazing people.
Hello and welcome to the podcast thatprovides you with the information,
knowledge, and wisdom to be a moreeffective cybersecurity leader.

(00:26):
My name is G Mark Hardy and today Ihave Ryan Gooler who am I have spent
some time here at THOTCON was on mypanel the other day and we talked about.
Being what gray is, the new black?
Why should listen to theold person in the room?
And so Ryan, welcome to
the show.
Thank you very much.
Pleasure to be here.
you don't have as much gray, butyou certainly have a much better

(00:46):
beard than I. So well done, sir.
But, us
a little bit about yourself and yourbackground, how you got involved
in, doing the cybersecurity things.
So I've been around for about 18 years.
Professionally at this point.
I got my starch fresh out of college.
Fresh out of dropping out ofcollege, doing network and system

(01:10):
administration as a goal, startingoff filtering spam for a living.
And then after a few years, I got todo system administration as a job.
And when talking to otherfolks around me found, oh,
I know more about securitythan my coworkers.
And so I had a very good guiding mentorof a manager at a time who said, okay, you

(01:35):
clearly know what you're talking about.
You are our security guy now,and that ended up pushing the
rest of my career forward.
So you really didn't startout cyber security, but you're
doing successfully here.
But then you didn't even start outwith a, four year sheepskin to get out
there, and yet you're doing quite well.
So there's a lot of what we'vebeen telling people had an
episode several weeks ago.

(01:56):
How we're doing a disservice to thepeople who wanna get into cybersecurity
saying, oh, you have to go aheadand you have to get this degree and
then you have to apply for this job.
And of course everybody wants to hirenew hires into cybersecurity and you get
all kinds of money just like a draft.
It doesn't really work that way.
And there was an article that wasjust sent to me by a friend last
night about how we've been tellingpeople learn how to code and you'll

(02:17):
have a lifetime job and course AIand everything not doing so well.
But yet you did pretty well, considering.
So what are your thoughts about.
The conventional wisdom of having to gothrough the narrow path because at the end
there's gonna be a pot of gold waiting.
I think you have to makeyour own path, right?
So I've been asked this questionmany times for many folks.

(02:41):
How did you get your little people?
I've had my path.
It worked for me at the timeof the situation I was in.
It may not work for you.
However, remember, a degreeis a path to success.
There are other options.
You can go, you can start your own thing.
You can, get in early onsomebody else's startup.

(03:02):
You can go for the degree, youcan make something interesting
and see what happens.
All of these are optionsthat are available to you.
Keep trying them until they succeedand you don't have to say, oh,
if I don't have the degree, I'mnot valuable enough for this.

(03:23):
Entirely incorrect.
That may help you, that may getyou other things that you want
for your career and your life.
And if it doesn't, don't chase it.
You're just going to be frustratedchasing something in order to continue
going down a direction you're not liking.
And in a way, that's theessence of hacking, isn't it?

(03:43):
Keep trying until you succeed.
So if you try one attack and it doesn'twork, you don't say, ah, it's too tough.
You try something different.
You try a different approach, andyou keep working at it because you
understand that not every singlechallenge has the same solution.
And so life is that way in away where we look at the problem
and we simply say, trying to gothrough that door doesn't work.

(04:04):
Don't give up.
Try a side door, try the go throughthe bedroom window, whatever it is.
You get there.
And so as you had made that transitioninto security and you, we talked
earlier about somebody kind ofpointing you in that direction.
What are your thoughts of the valueof mentor at working for somebody
who actually has your interest inmind and not necessarily just the
profitability of the organization?

(04:28):
great to mention this.
So the manager I had at thetime was a man named Nate and
the mentorship I got from him.
Cut 10 years off of my career path, bingo.
And this was to the pointwhere I found a good mentor.
He realized I had massive thirstto learn, massive drive, and

(04:51):
some talent to go along with it.
And he ended up hiring me three times.
As we went to differentcompanies, it was okay.
This job ended, he got to a new place.
Alright.
Hey, Ryan, are you looking for a new job?
I need you to come over here.
I was like, okay.
I know what I'm getting into.
I know who I'm reporting to.

(05:12):
I can just let have my stuff in.
Interesting.
So in a way, you were able to notnecessarily ride the coattails, but you
had somebody who realized that valuethat you provided at one organization
and then said, Hey, I'd love to haveyou on my team at the next place.
Now, from that perspective.
It used to be that when we joinedthe company, you worked there

(05:33):
and if you go back 50 years,you retire with a gold watch.
And there you go.
And you're 65, here's yoursocial security check.
And by the way, statistically you'llbe dead in 24 to 36 months anyway,
so you won't stress the system,have a nice retirement bondage
grandkids until you're in the ground.
Very different world today.
Absolutely.
and so part of our career managementis not necessarily waiting.

(05:55):
For our master, some known career pathto say, okay, fine, just stick here
another three years in two months, andthen you can get your next promotion.
We really need to be in charge of our owncareers, but in doing so, we can't blindly
just grab at the next bright, shiny objectthat comes along because there'll probably
always be a little bit more money.

(06:16):
There'll be a little bit more somethingor other, but it's not necessarily what's
gonna get you to where you want to go.
So did you ever stop and say, wheredo I want to be in five or 10 or 20
years and work your way backwards?
Or is it really like Zelda, whereyou uncover a new level, oh wow, I've
just opened this part of the jungle.
So I started off with the plan ofokay, by time I'm 30, I want to

(06:44):
have visited Japan for two weeks.
I want to establish myself as.
Have some sort of career doing like systemadministration or some other similar work.
And I want to, have developedsome sort of relationship with
a, partner of, mutual choosing.

(07:07):
By 26, I had hit all threeof those and thought I didn't
make any goals for after this.
At this point, my career and myopportunities were accelerating
so fast and I was so farahead of what my plans were.
I decided to, let my hands off the drainsfor a while and say, okay, I'm going

(07:30):
to chase what is most interesting andmost challenging and see where I end up.
And that was probably one of thebest decisions I have made because
it's landed me in amazing places.
I think a very zen sort of a thing.
Just the life will unfold for you.
But one of the things youmentioned I thought was really
important is what comes after?

(07:52):
What comes after next.
Because I've gone through in set goals.
When I started my first company, Ihad set written in writing a three
year gold set that I'll have myown business within three years.
And I made, it actually took twoyears and six months, from when
I started and probably two years,eight months when I wrote it down.
So check, but then the thing is, thatnow you're there and you go, okay.
I'm king of the hill.

(08:16):
There's other hills over there andother hills over here, and there's,
you can eventually, nothing left here.
So to get to the next level, often wehave to come down the hill, we're on Go
through the valley and come back up again.
And sometimes that's forced uponus, either through restructuring or.
Being laid off or being cut back,which is always a bit of a traumatic

(08:39):
thing the first time it happens to you.
Until you realize it kindahappens to all of us.
and then the second one is, that howdo you avoid staying, if you will,
in desperation mode where you needsomething and therefore the first minimum
qualifying job comes along, you take it.

(08:59):
Compare it to, this is what I want.
Because to go back with HermanHesse, Siddhartha, one of the
things he said is, I can fast.
And what he was saying withthat is, I don't have to grab
the next job that comes along.
I can wait.
I can not eat for a day or two and I won'tdie, but I find something I really want.
So were you able to find things youreally wanted, or if you found you were

(09:24):
things that they weren't what you wanted?
What would you have changed togive yourself a better positioning
to be able to, if you will, fast?
So I came from Boy Scouts, as a childs.
And so one of the things that was reallyingrained early on for me was preparation.

(09:45):
You prepared.
And in the modern career path, thevast majority of positions I have been
in about the two to three year range.
Then something happens intrinsicallyor extrinsically that says it
is time for you to move on.
And so I make sure that I takethe, a part of the salary that I'm

(10:10):
making and I make sure I have a,I have, three tiers of savings.
I have a oops fund.
Which is put about 50 or ahundred dollars a month in there.
That's four.
Oh, tire blew out of my car.
I need a couple hundred dollars for this.

(10:31):
No problem.
I have that already saved up.
It'll refill naturally over time.
When the next oopshappens, I'm ready for it.
I have an emergency fund, which is,okay, I'm out of a job for a while.
Let's start tapping this anddecrease some of the luxuries in
life until I can afford them again.

(10:53):
And then I have, I. investments forlater In life that if I really need to,
if things are dire, they are available,
but you never want to get downto plan C if you can avoid it.
But I found when you get to thispoint, I always give myself, when

(11:15):
a job ends and I wasn't preparedfor it, I give myself a week to.
Grieve and be sad and think anddecide where do I want to start
aiming my career from here?
And at the seven day point I am done.
It's time to put that plan into action.

(11:37):
And realistically speaking, I'll tellfolks when you are going through and you
do all of your interviews and you geta job offer and you're really thinking.
I'm not really sold in this place.
Just because they said yesdoesn't mean you can't say no.
At that point, it's completely fineand it may be a very good decision

(12:02):
to do and I've read by some of themotivating officers who said, if
it's not a hell yes, should be no.
If it's something I don'tknow, do we really wanna do it?
It was like last night,we really want to go out.
Until two in the morning at the afterparty here at THOTCONn in Chicago.
It's not really.
We had a really good day.

(12:22):
We met some really amazing people andI don't really feel like dragging in.
I gotta get up in the morning,I gotta go catch a flight.
I do a podcast, of course.
And so we said last night,it's not a hell yes.
It's a note.
So we hung around and, enjoyedthe White Castle Gourmet meal,
which is my first one, by the way.
I have to admit there.

(12:42):
So if there's any White Castle fansout there, let us know in the comments.
But, so yeah, so three funds.
You've got the hoops fund,the short term, if you will.
Let's go ahead and cover some stuff.
And then the longer term, whichideally you never touch, because
eventually you're gonna get old andgray and maybe social security is,
was envisioned, is not gonna be there.

(13:03):
And even if it is there as envisioned,you're not gonna live well.
If that's the only thing you've got,what's different today I think, is
that you don't have situations likemy dad who had six children and never
made more than 30 grand a year in hiscareer, but he was always surrounded
by friends and family and fun.
But when he retired, that's it.

(13:24):
Social security.
And, fortunately he wasn't eating catfood out of a dumpster behind Walmart.
But some people end up therebecause of poor planning.
In his case, his time and energyand money went to his family,
and I deeply appreciate that.
But for a lot of us in thisgeneration, we don't have six kids
or five, or sometimes even one.
or if you have one,wow, that's pretty cool.

(13:46):
So the dynamics are different.
We can do a little bitbetter for our future.
But the same thing is you don'twanna necessarily take it all with
you over the horizon because as theysay, you don't see the Brinks truck.
Going behind a hearse.
And so at the same time as wethink about making sure we plan
for our future, let's not waittill the last minute to give back.

(14:08):
It's a little bit of life advice here.
be a little bit generous as you go along.
The fact that in somebody's will theyleft such and such would rather say
somebody has said, Hey, while you'restill alive, let me give you this.
Let me see you enjoy.
You have, whether you have kidsor potentially grandkids or even
some charity that you care about,or even a nonprofit or even the

(14:30):
hacker world, do some good now.
And the people that argue, if I keptit in the bank and I compounded it,
or I put all my VOO and it'll be worthso much more later, people, the time
value of money is important, but alsothe time value of life is even better.
And I'll especially say, since I grew up.

(14:51):
Not, super broke, but not a lot extra.
my grandmother did a bit of this for mebecause it turns out about a thousand
dollars when you are in college,scraping by being able to afford either
a bus pass or a haircut every month.

(15:14):
A thousand dollars then is a lotmore valuable to me than $50,000 now.
Good point.
And even if you think about it, if you'restarving, you get a ham sandwich now is
better than a gourmet meal two weeks fromnow, you might not be around in two weeks.
So yeah, I think one of thethings I remember years ago, I

(15:37):
was approached by somebody at asecurity event and said, Hey, G Mark.
I'm making more money than my parents evermade in their lives, and I'm 24 years old.
I don't know what to do with it.
Somebody said, go out and buy thebiggest house you can and then make
double payments on the mortgage.
Somebody else said, go ahead andput it all by treasury bonds, or
put it all in the stock market.

(15:58):
We don't do a very good job, inmy opinion, of giving out solid
investment advice either throughour academic life in high school.
There ought to be a, here'show to manage your money for
the rest of your life course.
Even in the real world, and so wefind out that you look at professional
sports players who make millions,sometimes tens of millions of dollars

(16:20):
a year, and they're broke at 35.
It's just all gone because it justcomes in and it goes right back out.
What have you found is either thediscipline or just the thought
that allows you to be able topay yourself, if you will, and
put money into these three funds?
So there's two key things I do for this.

(16:44):
One, automate the finances automaticallyhave things taken out and put away
because you will forget to do it.
If you don't, and computersare very good at automation.
Stop spending your human lifetimeon the things computers are good

(17:04):
at and let them do their job.
The second thing is the, as I goin the funds, the Oops fund is
immediately in my bank account.
The emergency fund is atanother bank, so I don't see it
immediately, and the long-termfunds are at a third institution.

(17:25):
That requires me to actually spend someadditional time where really I check
those about once a quarter to make sure
and then leave them alone.
One of the worst things I think a lot ofpeople do when, especially when getting
started on that part financially, ispaying too much attention to your money.

(17:49):
You are looking at the numbers,you're focusing on the numbers.
You're thinking, I have thisnumber in my account at all times.
Stop, move a lot of that money out.
Give yourself a allowance from it.
And when you open your account,you're like, okay, I have
two grand in my account.
That's how much I have to spend.
Sure I have 50 in the other accountover here that's feeding it.

(18:10):
But you don't think about the 50.
You only ever see the two, so youspend the two, and then when you
get a job change or a raise ora promotion, you don't put all
that into your spending money.
No.
You live a little bit below your meansand you let those two diverge slightly.
So you're doing okay even ifyour income's going up higher.

(18:31):
So over time, you'reaccelerating your ability.
To provide for your future.
Yeah.
one of the things I really recommendto folks is if you get a bonus or an
unexpected windfall, you went out withfriends at the casino and actually got
something this time, 10% of that, take it.

(18:51):
Enjoy, indulge, dowhatever you want with it.
The other 90% move awayas quickly as possible.
You'll still remember the greattime you had with the 10% of
your bonus or whatever, and okay.
Is it a difference for youof oh, I got a 10,000 bonus.

(19:13):
Are you going to be just as happywith a new laptop versus a used car?
Probably, but you have a new laptopand $9,000 collecting interests.
Make money with a laptop and unlessyou're gonna drive for Uber, you're
not gonna make money with that car.
No.
So it's one of those thingsof, don't put limits on what

(19:38):
you're indulging yourself in.
That lets you still enjoy it, but doesn't.
eat up the entirety of your winnings.
And about 20 years ago, I took acourse by, from a guy, the name of John
Childers, and he had a bit of advice.
He said, 'cause he was gettingpeople into speaking gigs.
I've been a professionalspeaker for years.
He said, when you make money, whenyou get a big chunk of change,

(20:00):
come in, take 10% and blow it.
Just go out and have fun andenjoy it with the other 90%.
I've never been very good at 10% blow.
Starting out, I remember when Igraduated from college, I probably
had a net worth of about $1,400 andthat's 'cause my grandmother gave me
a thousand dollars for graduation.

(20:22):
And then even after five years in theNavy active duty, I. It didn't have a
whole lot because my starting salarywas 11,000 a year as a commissioned
officer with three undergraduate degreesin a leadership management position.
things have come a little bitbetter since then, but if inflation
adjusted, not a whole lot better.

(20:43):
And yet somehow I had heardalong the lines, I think it was
as a lieutenant's junior grade.
So I've been in the Navy a littleover two years, and we're getting
ready to deploy over to the.
West Pacific for seven month cruiseand they had a stop and they had to, a
couple guys from called USPA and IRA.
It was a mutual fund company and theygave a little lecture about pay yourself

(21:05):
first and you should set money aside andput money in now into your future and da.
And it's okay, that makes sense.
Pay myself first.
I remember we had a port visit inHawaii and I went down to Charles
Schwab branch so I could say,here, let me open an account.
And I started puttingmoney away and every.
Payday.
There was an allotment automaticdeduction that went to that,

(21:28):
and it just accumulated.
Now, after a couple years, I gained alittle bit more financial sophistication.
Had none.
At that point, I realized that theseguys are getting a 7.5% sales commission.
It's okay, I get it now.
I don't need to pay a seven anda half sales commission forever,
much as they'd like me to do.
I can go ahead and getno cost mutual funds.

(21:48):
I can diversify.
But they earned every penny ofthat seven and a half percent for
those first couple years to causeme to get that behavior locked in.
Good habit.
Pay yourself first.
Pay yourself regularly, andas you said, automate it.
What about other things in life?

(22:09):
Are there things that wecan automate in life that.
Take away from the, as you had said,lets computers do the stuff they
do best and then go live your life.
And some of us, we get, anybody who's,OCD or a DH, ADHD or whatever, you
willing to get all the details right.
And all of a sudden, you don'tneed to do all those details,
let the computer do them.
How do we let go?

(22:30):
If you figure, I don't know ifthat's something you've ever
struggled with, absolutely.
I've struggled with that.
Yeah.
I.
Much more prolific when I was youngerthat went by the name Zif Frank and his
videos are still available and stillfantastic, and one of the concepts

(22:53):
he has is of a finishing stand, whichis a logo or something small that
you make that you say, I have put thefinishing stamp on my product project.
It is now finished.
I am not allowed tocontinue to work on it.

(23:13):
I have made mine, if you run ontome on online, if I give you one of
my stickers, my finishing stamp ison every sticker I give people, and
it's my icon on every platform I use.
To say, okay, I had this idea fora sticker to give to people, due

(23:33):
to no contact with anti-matter.
This idea is done.
I have completed it successfully.
I can print out as many as Ilike, but I've done with that.
And the other thing to rememberis just the standard rule of

(23:53):
20% of your time is spent on 80%of your project and 80% of your
time is spent on the last 20%.
If you stop.
When you're 80% done and it's notquite perfect, you have enough
time to do four more projects.
And ideally, if you have other people whocan pick up and run with it, it works.

(24:17):
So I had, created a command in theNavy, the Center for Naval Leadership.
I had been the National director forthe Reserve Officer Leadership course.
We got together with some other captains.
We said, Hey, we're gonna build this thingout in the Navy Reserve for Leadership
Training because there's an act.
Counterpart and we put this wholething together, we built it all out.
And when I went from, and I tellpeople, never join a crew with

(24:40):
a pre-commissioning size of one.
'cause that was it in August of 15.
And then by September of 2016 had170 instructors, 72 classrooms, or
teaching 10,000 students a year.
that seems bigger than SANS.
but of course you get a medal for it.
You don't get stockoptions or cash for it.
But I remember talking toa friend of mine who is.

(25:00):
Quite successful.
He was a two star admiral at the time.
It was a little bit senior tome and I said, I've got this
thing up at about the 90% level.
I can take it to about 99 or more.
What do you think?
He said, move on.
So let somebody else finish it.
You go ahead and takeon the next challenge.
I, sir. Good idea.
I went ahead and I threw myhat in the ring and I ended up

(25:22):
getting command of the US Pacific.
Operations where I was the jointoperations center director for two years.
I made 24 trips across the Pacific.
And again, there the general's so I'mhere for my two executive duties, says,
Hardy, you're gonna be here a lot.
I said, what do you mean?
all our colonels and captainsare in Iraq and Afghanistan.

(25:43):
You reserves all I got left.
I serve.
So not only did get a chance to do somereally interesting work there, I gotta
see the world from the four sta level.
But I was able to hand off to mychief of staff, who was my number
two guy, make him the number one guyand let him go ahead and paint into
the corners and, move things later.
And it's fun because you comeback years later and then you

(26:03):
look at what you had created.
When it's a business, small businessor a military command or something like
that, you get to put your stamp on itas a CEO or the founder, or in that
case, the CEO and the pre-commissioningCEO, and you create the culture.
And in creating that culture,you tell people what's
important, what's not important.

(26:23):
Culture is the expectation that a grouphas on each other, and therefore, if one
person leaves and a new person comes in.
Everybody else expectsthem to do such and such.
I wanna fit in.
Most people do.
And so serve the culture.
And as a result, it seems, andalmost like the cells in our body,

(26:47):
you wait enough years, every singleone of them has cycled through and
replaced, but they're still you.
So how do you know we stay ourselves.
And when we go through thesetransformations, but we also build
our personal culture, it becomesyour reputation, if you will.
Hey, let's get this Ryan Guy.
He's really good at thisor he is good at that.
Sometimes we go places where theculture is toxic or it's not what we

(27:13):
think aligns with our core values.
Have you ever run into that, and ifso, what's your survival technique?
I'll, definitely say my survivaltechnique, straight off leave.
If you are not fitting inthat well, your choices.
Very much are going tobe, do I try to fake it?

(27:36):
Do I try to change myself or doI find a place where I do fit in?
And you will notice none of those optionsare change the environment to fit mine.
Because that's not going to work becauseMaya Angel who said, go where you
are celebrated, not merely tolerated.

(27:59):
And I think that was very goodadvice and I think a lot of
us have found ourself in that.
And it all ties into if I've gotthose reserve, that fallback fund.
And I thought Seth might begood, but it wasn't a hell yes.
And anyway, because Ididn't have the money.
And then you find out it's not whereyou want be, it's stripping your gears.

(28:19):
You can spend a lifetime being miserable.
And what you end up doing is as I printon the back of my business card, I've
got a number of things, little philosophyfrom G Mark and one of them is if you
don't have a plan for your life, youwill be part of somebody else's and
you'll trade the most valuable thing.
You have your time forsome fixed amount of money.

(28:42):
Which you then redistribute it andyou pay your taxes and you pay your
rent, and you pay your car paymentand you pay for your food, and you pay
for your computing time and you payfor, and whatever's left is maybe the
stuff we can put ahead of these funds.
And then even what'slittle left beyond that?
We live our life, but then we gotta carvethat out around the time we're working.
It doesn't seem like a very gooddeal, and yet this is what society

(29:02):
has sold us for generations.
Go ahead, work, go to school, get adegree, get a good job, work for 40
years, go ahead and retire in socialsecurity or to get cancer and die.
And there's more to it than that.
And so for advice you've given, actuallyget out and other things you might

(29:24):
offer, insights that you've gained.
That if you could roll the clock backto, or even 20 years and tell a younger
self, Hey, you gotta be doing this.
Can't do it for our own lives, but we cando it for people who are our listeners
and our followers, what advice have youfigured out that you'd want to share?
So probably the two biggest things I'verealized have been very valuable that I

(29:51):
wish I had learned even sooner than I had.
One is the risk is not asbad as you think it is.
Take it, see what happened.
See where you end up,
especially when you areyoung and your net worth.

(30:11):
It's
when I left community college atmy net worth was negative $350.
There's not a lot of down from there.
You can take that risk land where youare and be like, okay, just get up.
And I've gone from 1% to 0%.
Okay.

(30:32):
I can get back up to 1%, no problem.
The other one is.
Look for the joy and wisdomin the things around you.
I mentioned taking a, I wanted tospend two weeks in Japan and did so

(30:52):
I booked a tour and I did not realizeI had booked a seniors tour to Japan.
Until I got there and everyoneelse was white hair gray beards.
hey, it's not so bad.
But what I discovered with that wasI wanted to go visit all of these

(31:14):
places and by getting this tour,everything was slowed down so you
didn't have half an hour here torush to the next place, to rush to
the next place we go to the temple.
You have an hour and a half.
To enjoy, to sit to Rome,to talk to people with you.
You have time on the bus tosit and exchange stories and

(31:37):
know, Hey, how did you get here?
Where did your life get here?
And one thing I time again was I'm happyto see somebody traveling and doing this.
And it was one.
You can go in and you can landand be like, okay, it's great.

(31:59):
I'm gonna go on this trip, and oh man,I'm surrounded by all the old people.
Or you can be like,alright, I'm on the bus.
There's a bunch people around.
How can I make this as interestingand valuable as possible?
And when you approach with thatattitude, whichever path you choose,

(32:21):
you are correct and you'll find that.
So start with the positiveattitude of, I'm going to get
everything I can out of this.
If I have this, bad job that I don'tlike, okay, I'm looking for another
one until then, I'm going to getevery good outta this that I can

(32:41):
before I move to the next place.
Because there's something good inany bad job that everyone's ever
had, and you can ask them aboutit and you will find it's yeah.
That this was terrible.
Was awful.
Okay.
What was a good story?
there was that one, one time.
And, we lived for that stuff.

(33:01):
I remember Thoreau had written, wehave nothing to learn from old people.
He was very much, discard them.
But our talk that we gave here atTHOTCON and Gray is the new black.
Why you should listen to the oldguy in the room, was very well
attended and nobody walked out,which is always a good sign.
And I didn't see anybody withtheir head down or falling asleep.
but also the keynote was CliffordStahl, who's even older than I am

(33:22):
by a number of years, and that wascaptivating, because of that experience.
So it's not always that you getto go and spend the time with
people who have gone ahead of you.
For people my age, there was almostnobody to follow In cybersecurity,
you're Lewis and Clark, you're out thereexploring new things and you're figuring

(33:43):
stuff out, and you're doing thingsand you're writing it down hopefully.
And then you look back and youfind out that, wow, the stuff
that you thought of and did.
Then moved on has be bloomedinto an entire industry.
Like we stopped here for water at thatriver, and now it's called St. Louis.
There's an entire citythere 200 years later.
But at the time, we justneeded to get some water, it
seemed Yeah, it's a good place.

(34:04):
I luck it around.
Here
we are now at the point where instead ofgoing through the forest and colonizing
cybersecurity and figuring thingsout, we have well-developed careers.
You're not someone who does it all.
It's not like Sir Isaac Newton youwould go to in 1684 and say, Hey,

(34:27):
I need to know everything thereis to know about mathematics.
Come to the right place.
There's nobody can go to the state.
I dunno, everything.
Cyber security.
If somebody's starting out in a careeror if we as CISOs or security leaders are
trying to advise people getting into theircareer, how do we help them tune their.
Approach so that they end up onideally the longest possible path

(34:48):
that will be fulfilled instead of thestart, stop, start, stop, start, stop.
Eventually like brownie inmotion, bouncing to the right job.
So
this is one of the things that I'vegiven this advice to many folks.
Hey, I want to get into cybersecurity.

(35:09):
Oh, what do you wanna do?
Oh, I wanna be a pen.
Is that because that's the only jobyou know about in this industry.
Let me tell you about a lotother interesting things.
And when you're first getting startedand you're first learning and you're
just being absolutely terrible atthe thing because you're learning
and that's the most joyful part ofthe process, try as much as you can

(35:35):
and chase whatever captures you.
Because everything else you learnedgoing broad, early will show up and be
synergistic to what you're doing later.
But don't spend your time saying,okay, I thought I wanted to be a pen
tester, so I'm gonna keep chasingthat no matter how many signs.

(35:56):
I'm saying that actually forensicsseems way more interesting, but
I wanted to be a pen tester.
Stop change forensics is more interesting.
Chase it.
Go do that.
Your might be way more interestingand fascinating to you.
Do it.
don't follow your original plan ifyou find a better one along the way.

(36:20):
Yeah.
And remember for everybody's heard my,number of times G Mark's law that I wrote.
Over 20 years ago, it wasa corollary to Moore's Law.
Half what you know about securitywill be obsolete in 18 months.
Which means if you don't love learning, ifyou don't want to go ahead and add to your
body of knowledge, if you wanna go out andparty all the time and spend Friday night
there trying to figure out a new system,or you got your flipper zero and trying

(36:40):
to get something else or whatever, if youdon't passionate about it, don't do it.
I, and I've shared this before onthe show, I had an Uber driver in the
Bay Area when I told him what I did.
I wanna, goodness, cybersecurityhere pays a lot of money.
How do I do that?
That motivation.
I said, it's like national football,that you have a lot of talent and
then you work hard every week at it.

(37:01):
I like what,
say this?
It's dude, that's why you driving Uber.
You have to really wanna investin yourself and continually
replenish that knowledge.
What we have through a series ofevents, either things like THOTCON
here in Chicago 3 1 2, by the way,for the name for THOTCON, or a lot
of the B sides that have emerged.
When that came out from DEFCON 12,and that was the year they said, all

(37:23):
you experienced speakers can't speak.
We want all new speakers.
A couple guys said, that's ridiculous.
We'll take the old 45 record modelthe A side and the B side and we'll
just do a parallel conference for allthe old guys to speak at and women.
And then it caught on.
We had over a thousand B sides worldwide'cause they made it into a Wiki.
But those resources are out there andnot just the knowledge, but the chance to

(37:44):
explore and poke around and learn thingsand then get in with a group of people.
And just hang out.
Almost everybody I know is morethan willing to welcome somebody
and show them the rope, so to speak.
Let them figure out what they want.
Observation is spot on that somebodymight say, oh, I wanna be a pen
tester because it sounds cool.

(38:05):
But once you figure out where they'reat, wait a minute, they're very
constructive in their thinking.
They like to have every I dotted andevery T cross, and they wanna make
sure that this thing all fits together.
He said, GRC actually might be whereyou wanna be because compliance.
Could really rock your boatif this is who you are.
And as we bend ourselves andtry to fit sideways into some

(38:26):
position, we're not gonna be happyand we're gonna be unproductive.
We're gonna be looking out the window.
And even though if we're not in the officenine to five, 40 hours a week, like the
old days, we're gonna get distracted.
We're gonna play with a dog,
perform well, and get somethingthat you're gonna overclock.

(38:49):
I
wanna keep going.
So in the interest of going, becauseyou gotta catch pretty soon, how
about some concluding thoughts?
Anything that we didn't talk about Youa?
the one thing I will sayfor, folks getting in, folks
who've been in for a while

(39:09):
always be teaching what you know.
Because it doesn't matter how much youthink, oh, I'm the new person in the room.
I, don't know all these stuff, allthese other folks know all these stuff.
You
are incorrect.
You have interesting stories.
You have good ideas.
You have things other people don't know.

(39:31):
And I personally had an amazing experiencewith this once where I went to a.
A bunch of amazing, brilliant people andsat down and taught a nuclear engineer
how to pick lock because she did not knowhow, and that was just okay in everything.

(39:52):
In that dimension.
This person will run circles aroundme educationally, but I know more
than her than this thing, and I canteach and I can learn in return.
And when you teach is one of the best waysto go ahead and be able to reinforce your
learning because you want to know morethan you're gonna teach so that you've got

(40:14):
the depth if somebody asks you a question.
And therefore, what I've found isone of the best ways to explore
something is to study it and teach it.
Or what I've been doing the lastfour and a half, almost five years
now is find something interestingand then go write a podcast.
Okay, we're out time here.
So Ryan, thank you so very much for your.
Having you on the show here atCISO Tradecraft for our watchers

(40:36):
and your listeners, thank youfor being part of our audience.
If you like CISO Tradecraft, and forsome reason you're not yet subscribed,
please do so follow us on LinkedIn.
We have a whole lot more than podcasts.
We have a Substack newsletter.
We have information thatcomes out on a regular basis.
You can catch us on about 12 or 13different channels and let other people
know where it is that you're gettingyour knowledge and your insights that

(40:58):
are helping you with your career.
'cause we'd like to reach out to others.
So pass it along, let 'em know.
And as always, we'd loveto hear back from you.
If you've got any ideas or anythingyou'd like to talk about, drop us a note.
Best way to reach us is on LinkedIn.
Until next time, this isyour host, G Mark Hardy.
Thank you and stay safe out there.

All Episodes

#235 - Grey is the New Black (with Ryan Gooler)

Episode Transcript

Popular Podcasts

Stuff You Should Know

Dateline NBC

On Purpose with Jay Shetty

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}#235 - Grey is the New Black (with Ryan Gooler)