November 22, 2022

Sharing Cyber Outside of the Security Bubble with Lesley Carhart

by Hacker Valley Studio

Show Notes

Lesley Carhart, Director of Incident Response at Dragos, takes some time off mentoring cybersecurity practitioners, responding to OT incidents, and training in martial arts to hop on the mics this week. Named Hacker of the Year in 2020, Lesley’s impact on the industry stretches far and wide. As an incredible content creator for cybersecurity, Lesley advises listeners on how to find their niche and who to be willing to educate along the way.

 

Timecoded Guide:

[00:00] Giving back to the community through martial arts & cyber education

[06:13] Being excluded from the cyber industry & turning to content creation instead

[12:33] Comparing incident response in IT vs OT environments

[19:46] Dealing with post-COVID problems with the wrong OT systems online

[26:51] Finding your cyber niche & exploring education options within it

 

Sponsor Links:

Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!

Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone

For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.

 

What inspired you to start creating cybersecurity content?

Lesley’s cybersecurity content has vastly influenced and impacted many cyber practitioners in the industry, including Ron and Chris. Unfortunately, Lesley’s journey into content creation was inspired by the lack of mentorship they received from other professionals when they were starting out. Never wanting anyone to feel the way they did, Lesley created an online world of resources to warmly welcome and educate new practitioners.  

“It's not a really glamorous story. When I got into cybersecurity, I wanted to do digital forensics and nobody would help me, nobody would actually take me seriously and give me a shot. Everybody should have a chance to get into cybersecurity if it's something they want to do.”

 

How has teaching cyber to a general audience been appealing to you?

When not educating new cyber practitioners or tearing it up in the martial arts studio, Lesley likes to reach out to their community and give talks to audiences outside of typical tech and security groups. From churches to universities, Lesley loves meeting people outside of the cyber industry. These individuals always offer them a new perspective and a feeling of accomplishment for showing someone something new. 

“It's enjoyable to me to find other people out there who want to learn about an entirely new topic and expose themselves to its problems and how it impacts society and things like that. I appreciate that. Cybersecurity is important and it impacts everything around us all the time.”

 

In your world, where does incident response start, and where does it stop?

Like many of cyber’s most complicated concepts, the answer to where incident response starts and ends is subjective to certain resources and elements of an organization. Lesley explains that incident response has to be planned and that the planning process has to involve when to declare an incident and when to close the said incident. Without proper planning in advance, an organization is at risk for a crisis that could’ve been responded to quickly turning into an out-of-control attack. 

“There's no perfect defense against an incident, everybody's vulnerable. You do your best to mitigate and avoid having a cybersecurity incident, but there's only so much you can do. Eventually, you have to assume that you're gonna have an incident.”

 

What piece of advice do you have for anyone looking to share more knowledge and make the cyber industry better? 

Although everything in cybersecurity can seem daunting, expansive, and interesting to everyone, Lesley’s recommendation to new practitioners is to find a niche in cyber and stick to it for a while. Finding a niche doesn’t have to be permanent, but Lesley believes that niche will help you carve out extensive knowledge worth sharing and creating content around. When you discover that niche, don’t be afraid to reach out to other industry experts along the way.

“Pick an area and then find mentorship in that and try to focus for a couple of years on a particular area. You can always change your mind later on, just like degrees, just like training programs, but it's going to help you a lot to focus for a little while.”

---------------

Links:

Keep up with our guest Lesley Carhart on LinkedIn, Twitter, and their blog

Learn more about Dragos, Inc on LinkedIn and the Dragos website

Connect with Ron Eddings on LinkedIn and Twitter

Connect with Chris Cochran on LinkedIn and Twitter

Purchase Hacker Valley swag at our shop

Continue the conversation by joining our Discord

Check out Hacker Valley Media and Hacker Valley Studio



Transcript

Hacker Valley Studio 00:07
Who says tech can't be human?
Lesley 00:10
Pick an area and then find mentorship in that and try to focus for a couple years on a particular area. You can always change your mind later on, just like degrees, just like training programs, but it's going to help you a lot to focus for a little while.
Hacker Valley Studio 00:30
Welcome to the Hacker Valley Studio podcast.
NetSPI Ad 00:38
If you or your team is considering a strong partner to help with pen testing check out NetSPI. For over 20 years, NetSPI has offered the most comprehensive suite of offensive security solutions, attack surface management, penetration testing as a service, breach, and attack simulation. Visit NetSPI.com/HVM to learn more. Thank you, NetSPI, for sponsoring this episode.
Chris 01:10
What's going on, everybody? You are in the Hacker Valley Studio with your hosts, Ron and Chris
Ron 01:15
Yes, sir.
Chris 01:18
Welcome back to the show.
Ron 01:21
Glad to be back again. In the studio today, we brought with us a big guest, a guest that was actually recognized and awarded Hacker of the Year at Def Con 2020. Our guest this episode is Lesley Carhart. Lesley is the Director of Incident Response at Dragos, and someone that we've been looking so forward to speaking to. Lesley, glad we could make it to happen. Welcome to the show.
Lesley 01:46
Thank you so much for having me, it's really exciting.
Chris 01:48
First, I have to commend you on everything you've done for the community. In fact, personal story of mine, I think it was around maybe 2014, 2015, somewhere in there, when I found some of the stuff that you were putting out into the world. In fact, your article on studying for SANS exams, I used that to prepare for my GCIH. So, first of all, thank you so much for everything that you've done, and you continue to do for our community.
Lesley 02:15
It's a huge privilege to be part of the community. I always like to try to give back. Thank you so much.
Chris 02:21
Absolutely. The thing that really just, completely outside of the cybersecurity arena, we have to bring Lesley on to talk about it, is this journey that you're going through with martial arts. It looks like you're going through some really rigorous evaluations and you're gonna have to stand in front of a board to talk about your life's work in martial arts. How did all of that come to be? Did you start martial arts when you were younger? Did you start later in life? And then, how did you get to the point where you're going through such a rigorous process today?
Lesley 02:51
I guess, there's two types of people in the world. There’re the overachievers and the people who do things in the normal, sane way. But I didn't start martial arts as a kid, I started in my 20s, and it was something that I had always wanted to do because I love the history of martial arts and martial arts movies and things like that. I found a good school with a friend and they offered a style that I really had wanted to learn for a long time. So, that was a form of our nice or a screamer. I started and then, I picked up one martial art after another one, it's like getting tattoos or piercings or something, you start one and then you're like, "Hey, I want to learn more about this and I want to learn how a different style does things and I want to be a white belt again," because it's fun, it's easy. I've been picking up martial arts since then, and I have this pipe dream where I'd love to start my own school someday. It's incredibly expensive and out of reach, but yeah, that's something I'd like to do someday, it'd be pretty cool. So, I've been studying and trying to get certifications with that goal in the back of my mind for
some time now.
Ron 03:45
I love that. And whenever I mentioned martial arts to Chris, he always lights up like a Christmas tree. He's been trying to get me to do jujitsu for quite some time, but I took the easy road and I did Tai Chai. I felt it was very good for my 30-year-old body compared to getting hit, but I gotta ask this has happened to me when I started my Tai Chi journey, which I'm sure is very different than the martial arts that you're doing, but I got control of my breathing, especially in extreme or what I feel like maybe are dangerous, compromising situations like, a breach or a tough conversation. But just through focusing on my breath, I see a lot of things change in my day-to-day life, especially my work. What has been the aspect of martial arts that you've brought in the most to your work?
Lesley 04:31
First of all, Tai Chi is really hard, so good on you. Tai Chi is a very difficult martial art to master because you're slowing down a style, which is incredibly complicated. You've got to get every motion right and stuff. So, huge kudos to you about studying Tai Chi. That's awesome. That's something a lot of people don't take on until they're older. Things that I learned from martial arts, perseverance is one of them. Just those moments of things that you think that are absolutely impossible, that you just have to fight your way through and that's how you really reach the next level in martial arts is just doing things that you thought weren't possible. I've always been that kind of person, but it's really struck home in martial arts, you see it all the time, you just have to manage to find a way to stick with it and get through the challenge that's presented to you. If you have a good instructor, they're never gonna give you something that is impossible to do. There's always a way to do it. You just have to find it in mental ability and your mental perseverance to get through these intense physical challenges. So, that's part of it. And then, the other thing is how to teach. I don't have kids, I've never had kids, never wanted them, but I found that I love to teach kids. I love working with them. I teach middle schoolers right now in martial arts, and I mentor them. I really enjoy that. Teaching during the pandemic, over Zoom, martial arts especially was incredibly challenging and it taught me a lot about how to teach topics and instruct people in complex tasks in different ways. And then, deal with the mental stresses that people, especially young kids, were going through during the height of the pandemic in lockdown and things like that. So, I've taken a lot of lessons about dealing with people and teaching people, instructing them from martial arts, and I use them all the time in my daily life now.
Chris 06:13
You are a triple OG when it comes to creating content for cybersecurity practitioners. How did that really start for you? Because it seemed like you were documenting your journey, and you're like, "Hey,if this helped me, it seems like it might help other folks," and it just seemed like it snowballed from there. What was that journey like for you?
Lesley 06:30
I couldn't find a mentor when I wanted to get in. It's not a really glamorous story. I couldn't find a mentor. When I got into cybersecurity, I wanted to do digital forensics in the 90s and nobody would help me, nobody would actually take me seriously and give me a shot. So, of course, I don't want that to happen to anybody else. That's crazy. Everybody should have a chance to get into cybersecurity if it's something they want to do. We need people, and we need people who want to do the job. What are we doing? That's why I create content and I run clinics and I mentor people and things like that, because I don't want anybody else to have to face the same challenges that I did. That didn't necessarily make me a better person or anything, it just made my journey longer and it made me miserable.
Ron 07:11
Yes, we've been there. It's almost like that for our podcasting journey. It's been like that for our
cybersecurity careers. I remember when Chris and I first met, we didn't know anyone at the company for the most part. It was one of those organizations that a lot of people didn't want to help, whether they were on the security team or another team. I think we still face those big walls today of just accessibility, feeling included, feeling like you belong there. What has been the thing that's been most exciting for you today, when you're looking at all of the work that you're putting out? Whether it be content conferences, speaking. What excites you the most today?
Lesley 07:46
I wish I had time to put out more content. I've been really bad about that lately. So, definitely not that because I'm just tearing my hair out, trying to find time to write blogs and put videos out and things. I can't seem to find enough hours in the day to do it. I do love speaking and I especially love speaking to audiences that aren't cybersecurity audiences. I recently got to speak at a church, I got flown out to a Unitarian Church in New Hampshire and I got to speak to their congregation because they had a lecture on just educating their congregation in the community members on the world and important topics. Cybersecurity was one of those. It was so fun. Those people, they had great questions about like, how to keep their data safe and what threats critical infrastructure really faces from a cybersecurity perspective. It was wonderful talking to that audience because it was totally novel to them and they wanted to learn. In cybersecurity, we can be in our little bubble and just talking to each other in that
sphere over and over and over again about the same stuff and it's fun, I like doing those talks too, but the talks where I get to go out to universities or to business audiences that aren't in IT, things like that, or even just my local community, that's what I love doing. I really enjoy that.
Chris 08:59
And what about it really stands out to you? Because Ron and I have been doing that a lot lately. We've been on other folks' shows, maybe they're focused on business or finance, and they bring us in to speak about security, and we get a chance to boil it down to the most basic units and tell fun stories along the way. But what about being able to communicate that to a general audience has been appealing for you?
Lesley 09:21
It's the fact that you're teaching them something entirely novel. I'm a person who, I like to call myself a lifelong learner. I love to learn how things work. I love to learn how things are made and how different cultures function, different languages, things like that. It's enjoyable to me to find other people out there who want to learn about an entirely new topic and expose themselves to its problems and how it impacts society and things like that. So, I appreciate that and I definitely want to share that knowledge to people who want to learn because cybersecurity is important and it impacts everything around us all the time.
Ron 09:55
I've almost feel like sometimes, when you do cybersecurity at an organization, it's a lot different than an individual practicing cybersecurity. What have you noticed, or what have you explained to be some of those things that an individual can do? I'm interested, for myself. I focus mainly for the enterprise and big organizations, I do some stuff for myself, but what have you recommended to your community?
Lesley 10:22
So, a lot of it is, here's some things you can do, pick the one that will work for you that is the most possible for your life that you will actually do. So, one of those things is threat modeling, and actually thinking about the threats that you face. I talk through that with audiences a lot. I got to go to Los Alamos and that was really exciting, too. I get to speak at some really cool places, but I spoke there about threat modeling and determining your own threat model and how important that is because threat model is different. The risks that you deal with on a daily basis change based on your relationships and where you live and where you're traveling and what you're doing that day and who you work for and what you just bought and things like that. That all changes the threats that you face and how you have to respond to them. So, your threat model could be totally different from your neighbors and that might mean that you should use different smart devices, or think about installing an alarm system differently. Something might make you more secure and them less secure. So, really having those personal, introspective self-discussions about, "Hey, what threats do I really face and what does that mean to me and my cybersecurity?" It is really important. So, that's one thing. And then, in terms of technical controls, trying to get everybody to use a reputable standalone password manager application. It would be fantastic if everybody did that, because we're trying to get over the problem of password reuse. Password reuse is just such a self-destructive thing. Everybody's doing credential stuffing. Once your password gets stolen from one site, it gets tried on every other site very, very rapidly. So, if you're reusing credentials, you're going to be up the creek. And so, password managers are a great solution for that. They're not necessarily fully intuitive to everybody, but they can be a bigtime saver once you do learn how to use them. But if you can't do that, I always tell the audience, "Hey, if this is too much. If you're like, 'I don't understand this password manager thing,' for a lot of people's
threat model, just writing passwords down in a notebook and using a strong different one for every site makes a huge difference." Even just have a paper or notebook, and then, multi-factor authentication, too. We're trying to get everybody to turn that on. SMS isn't great, but it's better than nothing.
Chris 12:33
Yeah, we got a chance to chat with Director Jen Easterly about the work she has been doing and she's been really focused on this "more than a password" movement, getting folks involved, and hey, as long as it's more than a password, you're going to be all right, which I think is absolutely beautiful. We got to go deep into your experience with incident response, I did incident response for several different companies, but I really bit into incident response, I think, around the Netflix time. I have to say, like, leading incidents and being an incident commander is such an important role, especially for a company, but being able to do it for industrial controls, being able to do it for critical infrastructure, I'm sure, is a beast unto itself. What are some of the marked differences between running incidents for your traditional IT environments versus OT?
Lesley 13:24
Yeah, so, a lot of it has to do with the consequences involved. Sure, there's lots of legacy stuff and you're going to be doing forensics from 20 years ago, which is a big difference when everybody's used to EDR today, but the big functional philosophical difference is that everything comes down to real life consequences when you're talking about those systems. So, they're doing something physical and kinetic in the real world, so that means that you could cause danger to life or limb by doing your security response that's worse than whatever the piece of malware or the adversary is doing. So, you always have to be thinking about that. What are you trying to avoid happening to this industrial process? Can I cause it potentially during my incident response efforts or my cybersecurity efforts? What could the adversary potentially do? What are their mitigations to prevent that will be effective? So, I really need to
understand how the real world is going to be impacted at all times by what's going on in the computer space, in the digital space, and that's a huge shift in thinking. That means I need to have really good conversations with the engineers and operators, and I need to be humble and listen to them. It's a different way of thinking, definitely.
Axonius Ad 14:32
Hey, everyone, it's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast, like me, or an IT, or a security pro, complexity is inevitable. And I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone.
Ron 15:00
I would imagine, for an organization, maybe there's a new leader on deck that wants to hire some incident responders, they might not know what type of incident responder to hire, because I feel like sometimes we speak to incident response managers, directors, like yourself, even practitioners, and sometimes it's almost like they're describing threat hunting or they're describing forensics or other areas that just involve a cybersecurity event or attack. In your world, where does incident response start and where does it stop?
Lesley 15:39
It really depends on the size of your organization and what resources you have available to you for incident response. You have to define that though, it should be defined in your incident response plan. When do you declare an incident? And then, when you close it out? When is it now a restoration effort that's managed by IT or something? And personnel and staffing and organizational structure is going to vary by company, and you're gonna have different answers to those things in every organization you're in. Who does the monitoring and detection? Is that different from the people who do the incident response? Do you have a third-party retainer involved? Do you have a parent company or regulatory organizations involved? But the bottom line is you need to plan for this stuff in advance because there's no perfect defense against an incident, everybody's vulnerable. You do your best to mitigate and avoid having a cybersecurity incident, but there's only so much you can do. Eventually, you have to assume
that you're gonna have a cybersecurity incident and you need to answer those questions in advance because it's going to be a crisis and you're going to need to know: Is it an incident yet? Who do we contact? Who's responsible for each phase of the incident? Who's responsible for keeping control of the incident? Things like that.
Chris 16:45
When you look at your particular role now, would you say that you're more in the people management side? Are you ensuring folks get to the right jobs at the right time? Are you more on site? Are you filling the role of incident commander? What is the makeup of your job these days?
Lesley 17:00
I'm in the luxurious situation where I'm in between the two. I manage a team currently. I have no ambitions to get promoted anytime soon. I have enjoyed a spot where I'm in where I'm still highly technical, but I'm a people manager. Of course, my first priority is my people doing well and being successful and being safe in their jobs. That's first and foremost, my job, and when you become a manager, you do have to— Not to disappoint anybody, but you do have to be a good people manager and you have to be cognizant of your people's passions and interests and problems and successes and their goals in the future. That's part of your job, as well as where they fit into a team and their personalities. That's tough, it's definitely not for everybody, but yeah, I do a little bit of both right now.
Chris 17:44
Love it. And obviously, without giving away any confidential information or anything, what has been one of those situations where you felt like everything was clicking together for you? Because I'm sure, just from your background and all your experiences, maybe even some things from martial arts, sometimes things have to just align for us to be in the right place at the right time and take the right action. Is there an incident that you felt where everything just came together and you were really proud of?
Lesley 18:11
I've had some cases where I had to really, really, really think outside the box. I've had cases, certainly in industrial situations, where the root cause was not cyber, but I was called in because they didn't know. Having enough of a background, I have fixed airplanes, I worked in manufacturing, I have a degree in electronics, I was in the Air Force. So, I've got a wide background in a lot of things. Oh, my degree is in network engineering, too. So, a wide variety of things and there's been a few cases where the cause of something everybody thought was an adversary and a major cybersecurity incident was something off the wall, maintenance related or human related, and I was able to identify that problem just because I had a lot of experience with weird things breaking and weird things happening in all these different technologies. So, yeah, there's been a few cases that I can't really go into details of, but
where I've walked into a situation and I've gone within the first 15 minutes and just stared at what's happening and said, "This isn't a hacker. Let me tell you what's actually happening here to the system, because I've seen it before, or I know enough about these oddball things that I can put together that this is not a cybersecurity incident. It's this bizarre configuration of the system that happened when you lost power, yada, yada, yada, because a mouse ran across the keyboard," that type of stuff. I have cases like that all the time because industrial systems are legacy and they're weird and they're in dirty environments and in high and low temperature environments, things like that. So, they face a lot of problems that aren't necessarily normal IT problems.
Ron 19:46
A lot of factors that go into it. One of my earliest memories and this is a crazy memory to to bring up, but I was going on a walk with my sisters and we were walking down the street and there was someone that was taking their groceries from outside of their house to the inside, and they got all the way done, but they left their keys in the trunk and me, being probably around six or seven at the time, I thought there was a lot of keys on that keychain. So, I went up and I grabbed the keys. I ultimately gave the keys back because I couldn't drive, I had no use for them, but I would imagine that's what we face as security practitioners a lot. We go through a lot of work of transporting data, securing that data within a vehicle, whether it be our security program or something else, but if you forget to take the keys out, it's all for naught. What have you found to be the example or analogy where people leave the keys in far
too often, and that creates an incident?
Lesley 20:43
In industrial, it's going to be unique, too. During COVID, a lot of things were connected to the internet because people desperately needed to access things remotely right then. And repeatedly, we've seen cases of things popping up and getting attacked, exploited, etc, that were never supposed to be connected directly to the internet, but somebody just needed TeamViewer, or they needed RDP right then and it got hooked up. So, there's a lot of that, but unfortunately, we go into an environment there like, "It's air gap. It's air gapped," but I've seen maybe one truly air gapped industrial network a year, things are very rarely air gapped. Usually, there ends up being some critical connection between the internet and the industrial environment, or the enterprise network and the industrial environment that's the point of intrusion or infection. A lot of that, that's segmentation, and then, it's hard to choose. You
really can't fault people for not patching in industrial environments, because it's a vendor controlled thing and it can impact the operation of the system and the warranty and things like that. But bad architecture, bad segmentation causes a lot of problems. You've got to mitigate. You can't just ignore these environments because their legacy, you have to think about how to mitigate potential intrusions through other means. Good passive detection and good access control and good architecture in terms of segmenting the network from the enterprise and from the internet and different parts of it from one another. So, those are things you can potentially actually do. You just have to really think outside the box, but yeah, I see a lot of problems with that all the time.
Chris 22:14
When we do incident response, a lot of the times as the incident commander, we're thinking: What is the worst-case scenario? What is the most likely scenario? So, we hedge our bets for both. I love movies and, when you watch a movie, and I'm sure you watch a cheesy hacker movie, you got some hacking group that can shut down everything across the world and all that stuff. That's not super realistic, but there are definitely things that we've seen in the recent past that had serious damages, or may cause serious issues for a lot of people with the things that you've seen out in the wild. Do you see a potentiality for there to be this almost like, Armageddon-level type of attack against OT that is maybe in the realm of possibility?
Lesley 23:02
Yeah, so, a couple of comments on that. First of all, we hear a lot about people talking about like, the grid being taken down in the United States. As more people are becoming aware, there is not "the grid" in the United States, we have three grids. Texas, East, and West, they are incredibly complex, they're built up of many, many operators for generation and transmission and distribution. They're all running different technologies and they all have different operator teams. So, like, actually doing something like that requires a lot of coordination and a lot of knowledge of all these different operators, it's an incredibly heavy lift, that takes a lot of resources to even think about taking down a portion of it. So, that's really pretty implausible. The other problem is that we always think about power because in the United States, the vast majority of us, that's the only life-critical utility that we are used to seeing go down. We're very fortunate, unlike some places, there are places in the United States and a lot of places around the world where people lose other utilities. They lose sewage or they lose clean drinking water, or they never have it. They lose transportation, things like that are totally different and we don't think about those things in the United States. What it would be like to suddenly not have clean drinking water for an extended period of time, or not know about it and slowly being contaminated by it. There are certainly places in the United States that have had that happen, unfortunately, like Flint, but a lot of people don't think about that because it hasn't happened to them. They don't have personal experience
with it. Same with like, sewage coming up your drains or not functioning. Those are scarier situations to me because those are much less resourced utilities, in a lot of cases. They're municipal and people don't think about it so they don't dedicate a lot of time and effort and concern to those things going wrong. There’re much more insidious ways to impact society, even in small geographic area, that would be very impactful and concern me a lot. So, the big booms are less than the slow, insidious things that could be done to region or a metropolitan area.
Ron 25:12
Yeah, I could see that, even with gas and oil. I would imagine that there's big opportunities or big consequences when we're not looking at security the right way.
Lesley 25:20
Yeah, it's troubling. It's definitely troubling.
Ron 25:22
So, I gotta ask, what are you looking at into the future? I've been asked quite a bit like, "Hey, Ron, what kind of tech are you focused on?" What kind of things are you hoping to create? I have my own bag of tricks, but what about you when you're looking at the next generation of security?
Lesley 25:38
The realm of industrial forensics, digital forensics is very much unexplored still. There's such a huge landscape of devices and verticals there, how to do forensics on all the varieties of VOCs and engineering workstation software and even low-level devices. That's daunting and it's a huge task. The interesting challenge that I'm seeing right now, though, is that some of our traditional forensic skills that we use in industrial are dying out. A lot of people who go through degree programs and get entry level cybersecurity positions now only learn how to use EDR, so it's very point and click, and they're no longer learning how to do traditional disk forensics, traditional memory forensics. So, it's not even a matter of teaching people the tools, they're not learning the fundamental thought processes. So, that's a challenge that we're going to face in the future, but it's also exciting on the other hand, because that means on the enterprise side of things, which I don't have the luxury of working in, things really are getting better, technologies really are improving, EDR and XDR and things like that are doing amazing
things for cybersecurity. New versions of Windows are building an amazing new level of cybersecurity.So, things are changing quickly and I think, in a lot of ways, for the better,
Chris 26:51
Things are changing quickly and it does seem like things are getting better, despite all the things that you see in the media, despite all the attacks that you see that are really, really public. When you look at all the things that you've done in your life, whether you're talking about martial arts and teaching other people about martial arts, or looking at cybersecurity and teaching in a church, or even the work thatyou're doing today in incident response, it all seems to center on this concept of knowledge; the cultivation of knowledge, and then, the dissemination of knowledge. I feel like more people are starting to step into that space, that space that you occupied almost 10 years ago and continue to do so. Do you have a piece of advice for everyone out there in cybersecurity? Because one of the things I think is super important is that, even if you're relatively new in cyber, you are still able to teach others, whether it's teaching people in your house, teaching folks that are right behind you in that phase. What is that piece of advice that you'd have for everyone out there to share more knowledge and make this entire industry a bit better?
Lesley 27:53
Find your niche. You can be a generalist for a while and change that niche and learn about something else, but it can get daunting right now because there's so much to learn and there's so many different areas of cybersecurity, which are super interesting. Unfortunately, when we do talks and interviews and things, we only talk about the coolest parts of our job. So, everything looks neat and everything looks cool, and you want to learn about all of it. You want to do all the jobs. To learn and not get overwhelmed and not burn out and feel like you're contributing, when you're trying to decide what to give talks on or write blogs on, it really helps to find an area to focus on and that could be like, vertical or it could be an area of cybersecurity research or practice. Just find something for a while that is something you want to focus on. You can choose that by reading or by watching talks, listening to podcasts, listening to us inanely Tweet, whatever works for you. But pick an area and then, find mentorship in that and try to focus for a couple years on a particular area. You can always change your mind later on, just like degrees, just like training programs, but it's going to help you a lot to focus for a little while.
Ron 29:02
Excellent. Lesley, thank you so much for jumping on the mics with us. We really appreciate the
conversation. I gotta say, for anyone that's listening that doesn't follow Lesley yet, I would highly recommend it. You've probably already learned from them, just like we have. So, we've dropped Lesley's information into the show notes for everyone to stay up to date with you and all the great things that you've got going on. Thank you again, and we'll see everyone next time.
Hacker Valley Studio 29:31
If you found value in this content, it would mean the world to us if you shared it on social media, sent it to a friend, or talked about it over coffee.

Keeping Cyber Course Prices Equitable with Kenneth Ellington

November 29, 2022 Hacker Valley Studio

00:00:00