Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
is from a cooperative project for acquiring skills essential to learning.
Welcome to the SecurityChipmunks podcast, where we keep chipping away at it.
I'm your host, Edna Johnson, and here we have our co-host, Neil Smalley, and today's guest is Flitas Poston III.
(00:21):
Flitas, please introduce yourself.
Speaker 2 (00:24):
Sure. First off, happy to be here. Love the tagline of chipping away at it, so I think that's important, as this field is always about taking the bite-sized chunks and then digesting them.
So with that, Flitas Poston, been in this field since 2007. Started as an IDS handler, then did a little bit of a stint in
(00:44):
the IT field doing IT service management, web application monitoring and then electronic document management. During the time as an electronic document management analyst, BA 80 groups, process accounts, service accounts for about 300-plus
(01:06):
servers at a regulated utility before putting cyber formally back in my title the year or two after that, when I became a cyber systems engineer helping build out the SOC for a large regulated utility here in North Carolina. During that time supported anything from the endpoint all the way to cloud and anything in between. So email gateways, network gateways, proxy server, SIEM.
(01:29):
We had SOAR when I left, and when I was leaving that organization, before I joined CrashPlan, where I currently serve as the senior manager for security operations. In that role I own pretty much anything but GRC. So identity, threat and vulnerability management, security operations as well as application security. So been around the block a little bit, been in different
(01:50):
industries, saw different things. Pretty much always been in the private and public sector. So currently in a PE-backed firm, so done small business as well as large enterprise security.
Speaker 1 (02:05):
That's a very impressive background, Flitas, so you have a diverse experience in the cybersecurity field. So when you see newcomers coming to this field, what are some things that you recommend that they do when they are thinking about getting into cybersecurity?
Speaker 2 (02:25):
So, first off, similar to some of your path, from what I've seen and listened to, your Simply Defensive today, it's being curious, asking questions and understanding what about cybersecurity interests you? Most individuals today think cybersecurity. They immediately go offensive, they think pen tester, they think ethical hacking, they think compromises.
(02:45):
And I always tell people security is like a city, so there's diverse roles that make up the entire thing. So you have anything from the janitorial staff, which is your entry-level role, all the way up to the mayor, which would be your CISO or CSO, and there's everything in between. You can also look at it like the military. You have cooks all the way to your captains, colonels, generals. So what is your discipline?
(03:06):
What is your lane you want to get into? And let's develop that. If it's a SOC analyst, let's go TryHackMe, Hack The Box. Let's learn about all the different tools out there with TCM and other vendors who are putting stuff out. If it's not SOC analyst, let's say you're more of a governance, risk and compliance. Let's go look at GRC. Maybe that's where your bread and butter is.
(03:27):
You like doing policy and procedures or security awareness, or you like to study the latest threats that are happening from a compliance point of view. And if neither one of those, then you get the offensive side, where a lot of people get back into. The original thing is let's break it, let's fix it. So that's where your purple team comes back. So I push a lot of people to look purple just because I'm a blue teamer.
(03:47):
I want them to see both. So I push a lot to the purple side because I don't want you just to break it and walk away. I want you to break it but help the blue team catch it and/or defend against it next time.
Speaker 1 (04:02):
Yeah, that's excellent advice. What about if somebody is wanting to be more competitive in the market? Do you have any recommendations for that?
Speaker 2 (04:15):
So this is the non-stereotypical answer. To be the most competitive, it's to go find someone. It's when you know them, not who you know, it's when you know them. So I push people to go to local meetups. If that's your BSides, if that's your DEF CON chapters, if
(04:35):
that's your ISSA, ISACA, get to know people as quick as possible, and it's get to know them with intention. So go in. Don't immediately ask them for something, but get to know them. Spend the first couple months building that relationship and figuring out who they are. It's a long game. Most of the people I talk to when I mentor, I tell them to go ahead and pick three or four companies that they want to work for at some point in their career. Follow them, connect with them, watch when people get a job with them, connect with them again.
(04:55):
Introduce yourself. Hey Sally, I saw you got this information security role, congratulations. I'd love to work for company A at some point. Is it okay if I stay in touch? Give Sally a couple of weeks. Reach back out to Sally. Hey Sally, how was your first month on the job? Is it what you expected? Is it not what you expected? What do you wish you knew a month in that you knew on day
(05:16):
one. By doing all this, you're getting yourself a competitive advantage, because at some point they're going to post a job again and you're going to be like, okay, Sally, I've applied, here's my resume, can you hand it to the hiring manager? Most companies, including myself as a hiring manager, if I get an internal reference, I'm at least going to do a phone screen or a video call with you. During that, this is where you get to speak to your recon, your OSINT that
(05:38):
you've been doing, of, hey, I saw you just got Series B funding last week, congratulations. Or Sally was telling me about a project you threw on day three. I'd love to be part of that and this is how I can add value. What you just did there is you now sound like an internal employee, because now you're referencing my core values. You're referencing what projects my team was working on.
(05:58):
You're referencing what my marketing team or PR have done, to position yourself to look more like a peer than a candidate. So play the long game by following what they're doing. Like their comments, repost their articles, comment on things and be selective with how you engage on LinkedIn. I recommend everyone to link, but don't just immediately ask
(06:19):
for a job. Like their comments, comment on them, engage with them and then just wait. And that's why I say three to four companies, because you may want company A in 2025, but company B might be hiring. Well, in 2029, A is now hiring. You've made that connection for the last three years.
(06:40):
You're going to have a lot of OSINT and recon to talk about in three years, because you've been following the company for three years and interacting with one to many employees at that point in time.
Speaker 1 (06:53):
That is such incredible advice, and I love how you're telling people, like, play the long game, because really that's what you want to do. You're building a career and that's going to be over many years. It's not just you getting your first job in the field, which a lot of people are focused on, they want to get that first job, but also thinking about the future and making a plan and following up on that.
(07:15):
That's such great advice. You mentioned mentoring, and that is something that I think is a wonderful step that people can do to help themselves, to see outside of themselves and think of other ways that they can approach problems.
(07:36):
So what are some of your thoughts on mentoring?
Speaker 2 (07:40):
So, alluding to what I just said there, you're going to get passive mentorship by following industry professionals. It doesn't have to be the Dave Kennedys, the Jake Williamses, but it could be the individuals on this call. What we post is valuable, what we do in our day-to-day jobs. As you alluded when you heard me say earlier, I have a diverse background. I've touched regulated utility, I've touched finance, I've
(08:00):
touched software development, so you can pick my brain passively to learn what these industries do and how the day in the life works. The other thing that you can get from a mentorship is just making sure that you either set up a formal or informal relationship. If it's formalized, tell me what your goals and objectives are. Let's do this for three months, six months, one year, and then
(08:21):
we're going to end it. If it's informal, it usually turns into a friendship. It starts as what I would call contractual, of what you're just pinging me and we're going back and forth in Discord, Slack, Signal, LinkedIn, whatever the platform in which we connect on, and we're just passively giving information. That informal can turn into a formal or just turns into a lifelong connection.
(08:41):
And when I say a lifelong connection, there will be times when I'm stuck. But I know that Neil has dealt with this, so I'm going to ping Neil, or I know that Edna's done this, I'm going to ping, and so you can quickly send a note. Keep working, knowing that you've got that connection where you've more or less scratched each other's back and you're going to get an answer, because we joke we don't disconnect.
(09:05):
Well, I have three different monitors around me right now. I have Discord open on one of them. I have Slack open on one. I've Signal on another. I'm going to see your message in almost real time. I may not be able to respond real time, but I tell my mentees, because Slack is on every device I have, Discord is on every device I have, I'm going to see it before I go to bed. I will acknowledge it and either answer it, because if not
(09:27):
I'm going to forget, or I'm going to tell you I'm not the right person. But Jack is, Susan is, Billy is, and let me make an intro to those. So that's where mentorship is not just trying to create a clone of me. I don't need clones of me. That's why I didn't name my son Flitas. I need to build practitioners, engineers, analysts, who can learn from my
(09:50):
mistakes, because with mentorship, you're teaching them how to get out of the ditch because you've already been in the ditch. You don't want to see them run off the road and not know how to get back in it, but at the same time, you want to teach them that when they get in the ditch, this is how you get out. Not keep them from the ditch per se, but teach them how to get back out of it. Same thing goes for every mentee. I ask, I turn and ask them to be a mentor as well, because if
(10:12):
you've been on the job one day or 30 years, your life experiences allow you to give back to the next person. Next, it's having three tiers. So you have someone in front of you. That could be a business leader outside of your organization, outside of cyber altogether. You have someone beside you. We build that healthy competition. So the three of us are competing to see who's going to
(10:32):
find the next CVE, who's going to find the next promotion, who's going to get the next kudos. So it's a healthy competition. But we know that when the rubber hits the road, we have each other's back, and then that's that buddy system or mentor system, where that next person who's behind you, it's that middle schooler, that high schooler, that associate-level person or bachelor's-level person who's like, I have
(10:55):
imposter syndrome because you guys know all this stuff and I know nothing. Well, it's that curse of knowledge issue. Remind them, at one point I was a novice. I can't think like a novice because of the curse of knowledge that I have. I've done it too long that I can't remember what it's like to be a novice. Like I say this phrase right now, you're going to know what I
(11:16):
mean, someone else: loop, swoop and pull. I'm talking about tying your shoe. But if I say loop, swoop and pull to a four-year-old, it's a context issue. So you got to learn how to use a lexicon or a vernacular that resonates with someone who's green, new, and not assume that
(11:37):
they have a baseline knowledge. And that's where we have a problem, not just in mentorships. In our field, we talk like everyone knows what we know. As your accounting team, as your finance team, your marketing team, your R&D team, we all have our own lexicon and we're all SMEs, which doesn't make us any less intelligent. It just means we have diverse knowledge.
Speaker 1 (12:04):
That's so true. I know that, like, as I've been learning, it's been, I've looked up to people and thought, wow, they're incredible. As time goes on, you start to become friends with some of these people and you learn more and more.
(12:25):
Those people that you looked up to start to become your peers.
Speaker 2 (12:32):
The other thing too, and you hit the nail on the head, is this is a small field. There's only a couple hundred thousand to a few million of us, depending on which statistic you look at. At some point in time, I'm either going to work for you, with you, or against you, so we need to have a healthy relationship because of that. You're either going to work for me, I'm going to work for you, or we're going to be competitors at some point, so we need to
(12:54):
have a cordial enough relationship that I can be your subordinate, you can be my subordinate, if we get into that position, or if we're competing because we both started our own cyber firms, we still need to be healthy companions. Because, at the end of the day, we're all here to protect the country in which we live, and then, ultimately, the organization in which we're hired onto, and then,
(13:15):
finally, ourselves and our family members, because security starts from the time you wake up to the time you go to bed. So we apply it to all aspects of our life. We protect us personally first. Then we go into the community we live in, and then we go into the nation we live in, and then we get to the country we live in. So security just moves from the time you wake up to the time you go to bed, and it's just where do you apply it, no matter
(13:35):
if you're in security or not. Security is something you do every single day, and you either do it through the school of hard knocks, you've been burned by the stove, you've had your identity stolen, you've been robbed, or someone taught you, formally or informally.
Speaker 3 (13:54):
You know, you meet people who are like, oh, help me with this, or what's it like doing this?
Speaker 2 (14:06):
And you know it really does come full circle. Yeah, yeah, and to pull on some more stuff and to go back to that, the human-centric approach to security is something that I think we've all forgotten. We're used to process and technology, but if you think about it, there's people, process and technology. I asked several CISO friends of mine, either or just I've met,
(14:26):
what is your line item for people? And a lot of them are like, well, I have a security awareness program, or this is how much I spend on their endpoints because I harden their endpoints. That gets back into technology. What are you actually spending per capita on each employee of your company? It's very tiny when you look at your total budget for your
(14:49):
security firm. We rely on technology a lot, but the most preventative way is teaching us to see something and say something, to be cautious. Ultimately, I want you to slow down. That's not something you hear in 2025. Faster, faster, faster. As a human, I want you to stop. I want you to assess. I want you to pause. Good friend of mine, sometimes,
(15:13):
I want you to put your hands behind your back for a moment, twiddle your thumbs for a second and then put your hands back on the keyboard. Do you still feel like clicking? Do you still feel like answering that question? Do you still feel like downloading that piece of software? Because sometimes just that three to five second pause, can't do that on every decision you make, but you can do that when you get the hair on the back of your neck up because
(15:33):
something just doesn't seem right, legitimate and not been cloned because it can be done within milliseconds or seconds,
(15:53):
where it used to take minutes for the adversary to spoof something.
Speaker 3 (15:59):
It also kind of goes back to the aspect of developing those connections at the different companies. You can actually figure out who actually works at these companies if you're spending years following these companies. If you're spending, like, years with the different, following the different companies, and you're like, oh, this person isn't actually a recruiter for them, maybe I shouldn't talk to them.
Speaker 2 (16:19):
And the other thing is fake jobs. To go back, earlier we were talking about people who just apply for everything. Ghosting was real during COVID, fake jobs were real during the pandemic. There are fake jobs now just to collect personally identifiable information. They just want you to interview, apply, give away your
(16:39):
information, because that's the application process, and then we've all seen it, the scam. Hey, go ahead and buy your laptop from this website and you can expense it. Most people don't think about that because they're hurried to get a job. If someone's never been in the field, they think that's normal practice. It's not normal practice to front your own hardware expenses, or to send in an ACH payment to something else so that you can
(17:04):
set up your direct deposit, or give gift cards. I mean, we all know this. Now back to that common knowledge. Your C-level never needs an Apple gift card ever, and if they do, they're not coming to you, they're going to their executive assistant. Yeah, sorry, go ahead, Neil.
Speaker 3 (17:24):
Oh, it's just always an important reminder. I know somebody who, like, has done all the trainings and stuff, and then they still, like, it wasn't work related, but they got the scam thing for something else, and then they're like going, they are like partway through it, like you've gone to the store, and it's like, yeah, I think I heard, and it might not
(17:47):
be the right store, but Target or some of the other big box stores have started training their employees that if they see people walk up with large amounts of gift cards, to call a supervisor over, not to make the sale.
Speaker 2 (17:59):
Just like Western Union implemented something, I believe, in the early 2000s for the same wire scam issues that were happening, just to keep the old ladies and your grandparents or your neighbors from giving their retirement away because their grandson's stuck in a Mexican jail and they need the money wired right now. So that's where the training comes back in. And I alluded earlier,
(18:19):
security is everyone's job. We just happen to put security in our titles or have security in our titles. So, getting people to stop and assess at the bank, at the checkout system, yes, we've moved to self checkout, which makes it a little harder, but it's still putting more, what I would call, safeguards and gates. So anyone who's been in cybersecurity, you know you could put gates in for a reason, for collusion, for insider trading,
(18:42):
insider risk. There's gates intentionally put for your depth and defense or your defense in layers, depending on how you want to word it, to do the same thing, and we have to do that with us as humans. I tie my shoes so I don't trip and fall. I lock my door so I keep the honest person honest. At the end of the day, me tying my shoes is not going to keep me from falling. Locking my door is not going to keep the adversary out, but it
(19:04):
does slow me down from falling. It does slow the adversary down from coming through my front door.
Speaker 3 (19:13):
Yeah, it definitely makes me wonder how long before my parents will be getting calls from my cloned voice.
Speaker 2 (19:21):
I've had that happen once already, because I do similar stuff to this. I've given my voice out a lot from trainings, my own YouTube channel. I've had someone call with my voice. It was a friend of mine. They wanted to test and see, and literally, other than the pauses, because they weren't using a paid subscription, you would have thought it was me. The software they used had enough delay that the human
(19:44):
mind's like, that's not a real person. I can get rid of those pauses now with paid subscriptions. I can put my face on it now. I can put the voice behind it. I can do a lot of things to make it real. I could schedule the Zoom call and people may believe it's me.
Speaker 3 (20:01):
It's definitely made me more cautious, having to rethink how I do things and not take the easy option, and just go through some extra hoops sometimes.
Speaker 1 (20:17):
Yeah, at this point people need to be sure to set up a code word with their families and close relatives, so that they know that if somebody calls, like, I've already told my parents, like, we have this code word, if somebody calls with my voice, because, like you, Flitas, my voice is all over
(20:38):
the place. So I've let them know that if I call and say that I need money right now or I'm in jail or whatever the situation is, just hang up if I don't say the code word, and then call me directly on my number.
Speaker 2 (20:55):
So yeah, I've done two things. I mean, growing up, I always had a safe word, so my non-parent picked me up. But now, because of fakes, I've also got to the point where I ask someone to reach for something behind them, because I want to make sure that the generation can change their face quick enough. This is as a hiring manager, to protect against the North Korean
(21:15):
things we've had, is reach back and grab something and hand it to me, or take something and put it in front of your face, because I want to make sure that it stays the same. And it could just be, hey, can you show me that picture behind you? So it's casual enough that a normal person would think nothing about it, but the adversary who's trying to spoof this person is going to be like, and they're going to jerk. Or, to your point earlier, it's like, where's the car parked?
(21:38):
A normal answer would be in the garage or the driveway. Well, my safe word is, it's in the middle of the red unicorn. The answer to that is red unicorn. It's something that's off the wall. It's nothing related to where's the car parked, but it's a normal question that an AI bot will try to answer. It's going to say in your garage, in the parking garage, in your driveway, on the street, and it's going to try to answer
(21:59):
a real question. So giving an obscene or random word, similar to your passphrases if you're using a password vault, never answer those things correctly. Folks, social engineering is real. I know what street you grew up on, I know the mascot of your high school, I know your first car, I know who you dated, I know your spouse, I know your partner, I know your favorite ice cream,
(22:20):
because you put it somewhere on social media. And if you've fallen for most of them, you filled out one of those quizzes in the early 2000s where you answered all 20 questions and three of those were your security questions. First off, never give your parent's maiden name out to anyone other than a bank. No one else in the world needs to know your mother's maiden
(22:40):
name ever, and even your bank probably doesn't need to know it in 2025. Sorry, that's my little security awareness tip for today.
Speaker 1 (22:54):
No, that's a good tip. That is actually the first time I've heard somebody say that out loud.
Speaker 2 (22:57):
So yeah, if you've got a password vault, you can put anything and everything in that password vault, so you can answer every single question. I have a good friend of mine who uses Star Wars for all of his answers. He just picks a character for every single one of them and he
(23:20):
puts it in his password vault so he knows this is which Star Wars character I chose for this question. I have another one who uses song titles for all of his secret questions, and he knows again in his vault, this is the song title I chose for Netflix, or for Hulu, or for Bank of America, et cetera.
Speaker 1 (23:35):
That's brilliant. I really like that.
Speaker 2 (23:39):
Personal story. I called my bank up and they asked for one of my answers, and I gave them, like, Jabberwocky, and they literally said, no, I'm asking for your secret question. I'm like, that's the answer. They're like, sir, that's not what the question is. It's like, well, type in Jabberwocky. Oh, it worked. Like I told you, that's the answer. Answer the question legitimately, right? Excellent, it turned into a two-way communication.
(24:07):
You validated my identity and I taught you something that you may want to apply.
Speaker 1 (24:13):
Wonderful. Do you have any final things that you want to share with our listeners?
Speaker 2 (24:22):
So we talked about it a little bit. So I'll just reiterate again: no matter where you're at, no matter what you've done, you have knowledge, you have intellect, you have diversity, which means you have value. You add value to every room that you enter, every job that you take, every talk you give. So make sure that you remember, no matter if you're 18 or you're
(24:46):
65, you have life experiences that are going to be different than the person you're speaking to. Another thing to remember, from Covey, perspective is key. When I sit across the table, I'm going to see a six, you're going to see a nine. It's not until I sit beside you and look at it from your lens that I'm ever going to have your perspective, and I'm also going to see the six, or you're also going to see the nine.
(25:08):
So take time, especially as a security practitioner, security leader, someone who's mandating stuff, to look at it from their point of view. Get to know why they do the things that they do, why their process is the way their process is. And then, once you know that, you can come in and say, well, I love what you're doing, but can we change this?
(25:30):
Or it would be nice if you stopped doing this and did this instead, and you've built rapport at that point in time, because you've taken the time to understand why they do what they're doing. Additionally, don't be the machine of no. Good friend of mine again, Russell Eubanks: know your no, K-N-O-W. Know why you're saying no.
(25:53):
Yes and no are complete sentences, but not in cybersecurity. It's yes but and no but. Rarely ever use the yes and no as a complete sentence.
Speaker 1 (26:10):
That's great advice, thank you, and thank you so much, Flitas, for being on our episode today. This has been an episode of Security Chipmunks. Please make sure to like, comment and subscribe and tune in next time.