November 1, 2022

The Secret Sauce of SANS Instructors with John Hubbard

by Hacker Valley Studio

Show Notes

John Hubbard, SOC consultant, SANS Sr. Instructor and host of the Blueprint Podcast, joins the Hacker Valley team this week to discuss SANS, SOCs, and seeking new hobbies. As the curriculum lead for cyber defense, John breaks down what makes a good SANS instructor and how to inspire passion in students when teaching for long hours. Additionally, John gives away his life hacks for pursuing passions outside of the cybersecurity industry, including podcasting, video editing, music creation, and nutrition. 

 

Time Coded Guide:

[00:00] Instructing for SANS & what it takes to be a good instructor

[07:33] Exploring the potential of a SOC-less cyber industry

[13:38] Teaching complicated topics with clear visuals & simple comparisons 

[19:37] Podcasting his way to better SOC consulting skills 

[26:12] Finding a balance between jack of all trades & single skill master

 

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

 

What do you think are the makings of a good instructor, especially for SANS? 

Transitioning from the world of electrical and computer engineering, John’s journey to becoming a SANS instructor took over 3 years of study. Although he jokes that training to be a SANS instructor was the longest job interview ever, John is thankful for the mentorship and inspiration his training gave him. SANS courses require long hours and hard work, but John believes the best instructors bring a real love for what they do to each class. 

“The technical aspect has to be there in a very strong way. Beyond that, you have to deliver this message not only with razor sharp clarity, but also with passion and energy. People are sitting there watching you talk for hours. If you aren't excited, they're not going to be excited.”

 

Cyber defense is a pretty broad topic. What makes you feel comfortable teaching a course on cyber defense?

Cyber defense can be a topic that’s both broad and confusing for students, but John has been dedicated to building a curriculum that cuts through the confusion and inspires innovation. Teaching his students to focus on priorities, John wants to bring clarity to complex topics like SOCs, Kerberos, and related security issues. While the topics can be broad and debatable, John wants to equip his students with real world examples and simple comparable concepts.

“If there was one word I was going to summarize both of the classes I teach with, it’s ‘priorities.’ It's getting the right stuff there first, and not getting distracted by all the other details that are potentially trying to pull you in the wrong direction.”

 

Have there been unintended benefits to being a podcast host, that either helps you as an instructor, or even someone that does consulting in the SOC space?

Taking the chance to start the Blueprint podcast was inspired partly by John’s previous interest in podcasts like Security Now, but also by his pursuit of learning content creation. Starting a podcast, for John, was an exercise in testing his comfort zone. Learning the technical aspects as well as the creative aspects of content creation and podcast hosting continues to build John’s confidence in his storytelling and teaching skills. 

“For me, a lot of things have come out of podcasting. Probably one of the biggest things is just flexing that muscle of doing things that are slightly uncomfortable and scary. Any time you think, ‘I don't know if I can pull this off. Should I do it?’ The answer should always be yes.”

 

What is one piece of advice or philosophy that enables you to do more and squeeze as much as you can out of life? 

In the same way that he teaches his SANS students about priorities, John focuses on his personal priorities often in order to accomplish his well-rounded, jack of all trades lifestyle. Building new skills and cataloging new experiences feels vital for John. Taking full advantage of the time he’s been given and getting curious about expanding his comfort zone is an essential philosophy that has taught John not only about cyber defense, but about every hobby he enjoys as well.

“I try to get up as early as I can manage to get up every day, well before I start getting emails and meeting requests and all sorts of stuff like that, and try to plan out my day and ask myself, ‘How am I going to actually approach doing the things that matter the most to me?’”

---------------

Links:

Keep up with our guest John Hubbard on LinkedIn, Twitter, and YouTube

Listen to John’s podcast on the Blueprint Blog

Learn more about John’s work on the SANS Institute website

Connect with Ron Eddings on LinkedIn and Twitter

Connect with Chris Cochran on LinkedIn and Twitter

Purchase a HVS t-shirt at our shop

Continue the conversation by joining our Discord

Check out Hacker Valley Media and Hacker Valley Studio



Transcript

Hacker Valley Studio 00:00
Who says, tech can't be human?
John 00:10
Are you hitting a bar with your SOC that's good enough, right? Things are not completely falling apart.There’re no disasters. Maybe the most important thing for you to do right now is figure out how you canremove future work from the SOC. That's kind of the term I love. What can you do today that prevent you from having to do something tomorrow?
Hacker Valley Studio 00:28
Welcome to the Hacker Valley Studio podcast.
Axonius Ad 00:33
Too many cybersecurity assets and SaaS applications, not enough visibility. Enter Axonius. The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action, giving IT and security teams that confidence to control complexity. Visit Axonius.com/HackerValley to learn more and try it out for free.
Chris 01:04
What's going on, everybody? You are in the Hacker Valley Studio with your hosts, Ron and Chris.
Ron 01:16
Yes, sir.
Chris 01:19
Welcome back to the show.
Ron 01:22
Glad to be back again. In the studio today, we have with us, John Hubbard. John is the host of the Blueprint podcast. John is also a Senior Instructor for SANS and leads the curriculum for Cyber Defense. John, anyone who is changing the game and leveling the playing field in cybersecurity has a near and dear spot in our hearts. Thank you for all that you do, and welcome to the podcast.
John 01:48
Thanks guys so much for having me on the podcast. I'm a big fan, so I'm real excited to be here.
Chris 01:52
We are excited to have you. I gotta be real with you, I went through the initial stages of becoming a SANS instructor. I tell you what, the intention and the thoughtfulness that goes into creating a SANS instructor is really beyond any comprehension that I think most people can't even realize. The folks that have taken a SANS course, you know that they're going to be a great instructor, but really, just seeing everything that goes into creating instructors is really awe inspiring, and to be the curriculum lead, I'm sure, is even another level above and beyond that. What is the secret sauce of becoming a great instructor to that caliber, especially when it comes to being in complex topics like in cybersecurity?
John 02:38
So, we always joke that this is one of the longest job interviews ever, and I can tell you from the very first moment that I started getting involved with SANS, I was a nobody to SANS, right? I was a student like anybody else ever was. I took my certs kind of did my thing, got that intro email, it's like, "Hey, you're qualified to kind of start down this path." Basically, from that moment to the point that I hit certified instructor, which is like the first level of like, you're an official instructor was about three years. So, it's a whole lot of practice and preparation, just for teaching the class, getting up on stage, being comfortable in front of the classroom, answering questions and training and just really trying to learn your topic as deeply as you possibly can. So, it's kind of the mix of technical knowledge and being able to deliver and present and teach people effectively, which is why it's a three year process for many people.
Ron 03:26
And it almost seems like this would be a full-time job. Is this the main thing that you focus on these days?
John 03:31
So, for most of the people who are instructors, we're not full-time SANS, because SANS doesn't want us doing full-time teaching. We will teach somewhere between, I would say anywhere from like, six weeks a year up to like, a max of maybe 20, for some of the craziest people that really like travel. But they encourage people to stay kind of with one foot in the game, doing consulting or holding down a full-time job, if they have an employer that's nice enough to let them be gone that much and still teach. So, it's kind of a mix of stuff. Most of us have some kind of side work, and you know, I do side consulting and with me, it's a little bit different because of the curriculum, it kind of brings it more fulltime for me. But yeah, most people were like, one quarter SANS and then three quarters, something else.
Chris 04:10
That makes a lot of sense. When you look at a good instructor, I think the thing that sticks out, in my mind, is being magnetic. When you see a SANS instructor and they're talking about these really, really complex ideas and terminologies and concepts, you're glued to them, and not just because you know that tough test is going to come at the end of this journey, but they're just so inviting and they're so fastpaced, and a lot of them have styles that lean towards the more comedic side, they're humorous. Some folks are really awe inspiring from the position of being able to tell stories about when they were doing things, whether it's incident response or being a pen tester. When you look at some of the instructors that I'm sure you've helped cultivate over time, what do you think are the makings of a good instructor?
John 05:00
Obviously, the technical aspect has to be there in a very, very strong way. But beyond that, we have specific instructor camps and instructor development classes that we do with everyone, where we make it a big, big point to say you have to deliver this message, not only with razor sharp clarity, but you also have to deliver it with passion and energy, because people are sitting there watching you talk for 36 hours. If you aren't excited about it, they're not going to be excited about it. We're trying to get people who like, live this stuff, and just love, love, love talking about it. We hope that people can pick up the skill of kind of letting that energy shine through, and it's a little bit weird, sometimes, like getting excited, at first about some of these topics, because you're like, "Well, I don't know, if people in the class might already know this." So, it feels a little weird to be excited about it, but you think back to your own experience as a student sitting in the classroom and I know, there was plenty of times I was like, "Whoa, this is amazing," right? Going to SANS class has changed my life in a number of ways. I think back to those moments, try to draw on that and say, "I gotta deliver the most entertaining 36 hours of
coursework that I can so people aren't just falling asleep and dying by the end of the week." I'm focused pretty hard on that. It's really the delivery, the stories, the realistic applications, all that stuff, we try to emphasize as much as possible.
Ron 06:12
The course that you teach is cyber defense, and I would imagine that cyber defense is a pretty broad topic. What makes you very comfortable teaching that course? Also, what are some of the elements of the course?
John 06:25
So, there's actually two courses that I teach quite a bit, both of them on the same topic, but from different aspects. I teach Sec 450, which is kind of the technical aspect of working in a SOC. What are the tools? What's the technology for? What kind of workflows and automation and data do you need to collect? All that stuff. And then, I also teach Management 551, which is the management side of getting a security operations center whipped into shape. What are the things that a manager has to consider, in terms of team building, retention, and burnout reduction? And all that kind of higher level stuff. In both of those classes, we approach: What does it take to succeed? In both of them, if there was one word I was going to summarize both of those classes with its: priorities. It's getting the right stuff there first, and not getting distracted by all the other details that are potentially there, trying to pull you in the wrong
direction. You've got to take that threat intelligence focused look at: What's going on here? What are the attacks that are most likely going to bring the business down, or take a million dollars out of the bank account? At least make sure you're doing some big action to stop those things first. So, both classes are really oriented around: What are those things at any given moment in time? How do we get in their way and stop that know of stuff from happening?
Chris 07:33
When I look at my career as a practitioner, I've been in quite a few SOCs in my day, and I love that environment. But maybe four, five years ago, there was a lot of folks speaking about SOC-less security programs, where it's more of a distributed model for security, and a lot of folks were like, "Oh, how do we do it? How do we make it happen?" Honestly, from my perspective, it's a really tough thing to do. It can be beautiful when someone is able to implement it. But what were you thinking? Because obviously, the two courses that you really teach are really focused on having a SOC and operating a SOC effectively. When you see folks talking about these SOC-less models, what comes to mind from your perspective?
John 08:15
Yeah, it's funny you ask that, I was actually having a conversation about that yesterday. One of the ideas that's been put out there, I think, largely by maybe the Google security team, is this thought of the autonomic SOC. I don't know if you've read any of those kind of white papers on that. Have you?
Chris 08:28
Yeah, I have.
John 08:29
Yeah. So, that kind of thing of like, let's embed security with each mini group that's churning out different aspects of what this organization does, right? It's a really compelling idea, and I love some of the stuff that they're talking about and I go into some of that in the classes as well, but it's an interesting move. The conversation I was having yesterday was: Will it work for every organization out there? The ones that have been built in the more traditional, like, we have a security team and they help everyone, I think it's going to be a lot harder for them to transition into that. But if you have a brand new organization, building from the ground up with that as the way, that's probably going to be a lot easier thing to do. As with any question in security, as you both know, the answer is often, "It depends," right? What are you trying to pull off? What are you optimizing for in this particular decision? Is it a money play? Is it absolute security at any cost? There's a lot of valid solutions, and it all comes down a lot of the time to: What's the end that you're trying to reach? I think certainly it will work for some organizations. I'm not sure if it will work for all, or if we're all gonna get there someday, but it'll be interesting to see where it goes.
Ron 09:28
I am of the camp that we can absolutely get there. Me and Chris, argue about this all the time. How much can you truly automate? I feel like with the SOC-less model, you really have to have a lot of automation to bring the information to the right team members and the right organizations with right functions within your team. What do you think we could do today to start to realize some of that idea of a SOC-less model?
John 09:52
Automation, as you said, is a big, big player in what's going on in any kind of security, or really any organization right now, in IT and as a whole, right? Robotic process automation is the term we hear a lot, where sore is the more security specific version a lot of people use in the SOC. But either way, that's going to play a huge role. The question really becomes, and maybe this is the debate you're referring to is: Can we automate away security practitioners to the point where the system is kind of taking care of itself? And we can approach that, again, back to Google's literature, if you read the SRE books and stuff like that, they have a big mindset around, "You're here to make the system run itself." I would love to see a world where security practitioners do a very different thing, because the systems are so secure and we're just designing how they take care of themselves. We may get there someday, I think that's the road that we have to chase, and that's ultimately the answer to the question, is to keep kind of following what some of these leading companies are doing. I don't know how close we are to
that, though, because as you know, when you get into a complex incident, there's a lot of human brain required. And so, while we can get automation to do a lot of the maybe controls and a lot of the pre-incident, maybe data gathering and context gathering, I'm not sure how close we're gonna get to full automation, "we don't need a security team anymore," at least in my career span, but we'll see.
Chris 11:09
Ron and I, we talk about this all the time, we literally had an entire Technically Divided episode
dedicated to that, definitely check it out if you haven't seen it. I think we can get 90% of the way there when it comes to automation, I still think in perpetuity, even beyond, from my opinion, and our lifetime, I think we'll never completely go away from having humans to be a pivotal cog in that process. But I do think we can get pretty far along with automation. When you think about the human endeavor, you think about the human side of cybersecurity, I think that we have some of the most brilliant people in different ways in our industry. When you look at yourself, when you look at your career, and even going as far back as your childhood, what about your life? What about your way of thinking really made it easy for you to first become a cybersecurity practitioner, but to ultimately become a great communicator of these ideals?
John 12:06
There were signs that I would go in this direction probably early on, if I knew what I was looking for. I was one of those kids that was overclocking my computer, penciling in traces on the top of my Athlon CPU to overclock it, do all that kind of stuff. I was always into electronics, I actually went to school for electrical engineering and did a computer engineering Master's eventually, and it was during that, I was listening to a podcast way back in the day, and started listening to the InfoSec podcast and that got me two specific things. One, it gave me the interest in InfoSec and told me, "Hey, this is a thing that you can actually do as a full-time career," which I'm not sure I was fully aware of back then, that was probably I would say, 2005 when I first got interested in InfoSec, and started self learning it.
John 12:43
And then, from there, just kind of hearing how people could describe these things so well, in just a basic audio format. Security Now is the podcast I listened to way back then, and Steve Gibson is so great at describing very, very complex things in audio format, that it was actually the podcast I would give like, sole credit to from even being able to get into InfoSec in the first place, from doing an engineer job at the time. So, I picked up a little bit of the communication aspect of that, and he was able to explain things and the applicability and why it matters in a way that was really exciting to me. Hopefully, that's something that I picked up and kind of carried into the classroom, and wanted to further perfect and kind of pass on to other people, which is what got me into doing my own podcast and YouTube channel and all sorts of other stuff out there. Just being able to share the excitement about these new technologies and concepts, and pass those on to the next people that are trying to get into this the same way I was back then, it's really, really fun.
Ron 13:38
I love that. We all got to attribute our success, our upbringing, our growth somewhere. And I do the same for podcasts as well, that's why we started a podcast. We wanted to have those same types of conversations that these podcasters that were having, like, Security Now and also Cyber Wire, explaining the complicated, complex topics of cybersecurity. What are some of the tenants that you like to live by when going about that, especially doing it for many hours at a time?
John 14:08
So, there's a couple of things that I try to stick to as many times as possible. One being drawing things out. Like, I think just having a clean, clear visual. A picture's worth 1000 words, right? So, if I can say like, "Oh, yeah, we're gonna collect data on the SOC," but I can draw it out as— Actually, the way I conceptualize a SOC in class, for example. We say, first, you have to collect the things that are going to be security relevant, and then, you bring those to a point where you're doing detection, and then, we move that to triage and then, we move that to investigation, then incident response. And I kind of draw it out like a manufacturing line, and I say like, "Every single one of these steps, no matter whether you're in a proper SOC or just a one-person security team, you're doing those things, right? You got to collect what's happening and identify the bad stuff, prioritize it, deal with it."
John 14:49
I try to make that as a comparison to something that people already understand and then, draw it out so they can remember that picture more easily. Some of the reference materials we talked about in the class point out that the easiest way to commit anything to long term memory is, you say, "This thing is like that thing." And so, when I'm explaining like Kerberos, for example, which is very, very complex, I try to distill it down to something very simple. Like, you came to a SANS event, you went to a table, you showed them your ID, that's like part of Kerberos, where you verify who you are. And then, you go and you take that lanyard, and you take it to a different table, and you get your books, that's like, getting a service ticket with Kerberos. And people like, "Ph, well, that makes a lot of sense," right? I identify who I am to one person, and then I get my service from the other one and that's kind of it. And if you can just draw those simple pictures out for people, it makes them learn a lot more effectively and quickly. Hopefully, it keeps their attention for the duration of class.
Chris 15:36
One of the things that I see quite often is, you start to build a security program. Obviously, you're starting to bring in different solutions for your environment, and in the beginning, things aren't well tuned, we know that. But what happens is, folks get caught up in the reactive, when now we're dealing with false positives, we're dealing with all these little fires constantly, and it's almost like we never can really get to proactive and that's where a lot of burnout comes from. That's where a lot of the alert fatigue really comes in. What are some of the things that you've seen or been able to advise on the managers of these SOCs on how do you go from being reactive to proactive, when you don't even have enough time to handle everything as is?
John 16:24
Great question. I love that one. That's one thing I talk about at length in any class, whether it's bad or not, I always love going into this. Over and over, I hear, "I'm too busy to automate things," and I immediately have to follow that up with, "Well, if you don't force that into your schedule, you're always going to be," because there's this interplay between short term and long term wins in a SOC and sometimes, you have to do that. You have to take that short term hit for a long term win, and automation is like the number one thing there. I break things down into what's called the Eisenhower Matrix, urgent versus important, right? What's urgent, what's important, all that kind of stuff. Automation is that box to "it's not urgent, but it's very important." And so, that's where creating these automated workflows sits, it's like, they're not blinking red at you, they're not emailing you. They're not saying, "Hey, create me," right? So, people don't do it. "I got alerts to work with." But I like bringing to people's mind: Are you hitting a bar with your SOC that's good enough, right? Things are not completely falling apart, there's no disasters. Maybe the most important thing for you to do right now is figure out how you can remove future work from the SOC. That's kind of the term I love. What can you do today that prevents you from having to do something tomorrow? And it might feel awkward, because you might say, "That alert that's blinking over there, I'm not gonna work that right now," because it's ultimately maybe not that important compared to writing this workflow that's going to free me up for an hour every day for the rest of my life. People have to just force themselves into that mindset, and we've all heard probably like, the stories about companies that have 20% time and all that sort of stuff. That's really what it comes down to, is acknowledging that there has to be a minimum required time for, "Let's make this job better. Let's make the SOC more so run itself than it did yesterday." We can get into the toil thing and all of that from Google's SRE books again, but that's really the perfect way of nailing it down
is: What can I do right now that's going to make this service better forever? And then, actually do those things, instead of firefighting, really is what it comes down to.
Ron 18:19
That's truly switching from being reactive to proactive, and I think that's what it's all about. It's not doing the same thing over and over and over again, because we weren't hired or trained to do that in the first place. With you teaching many, many people that work in a SOC, have you heard any transformational stories? Maybe someone that didn't take your course yet, and then, took it and came back and told you how they changed their security program, or even their SOC around?
John 18:45
Oh, yeah, all the time. I mean, I get random unsolicited messages on LinkedIn, where people just say, "Hey, I just took your class, I went back and I had tons and tons of ideas and just dumped on the team and things are working way better." Sometimes, I have zoom calls with folks and kind of see what their opinion is on the class and how we can take it even further than that. All sorts of conversations like that really all the time, even down to not even from class I got a message that I just loved the other day on LinkedIn, just from watching some of the YouTube videos I had out there a guy, I think his name was Mike, had messaged me and was like, "Hey, John, just wanted to thank you so much for your YouTube videos." I put out not even that many YouTube videos on just random basic, soft skills, and he's like, "I was a truck driver and I was able to make the transition into information security. Your YouTube videos
were a huge help." I love hearing stories like that. So, that's what really drives me and I love hearing those stories, and definitely, there are plenty of them out there, which is what keeps me going day to day.
Chris 19:37
One thing that's really difficult to do from our perspective, and we're a little biased, but is to start a podcast. Starting a podcast is no easy endeavor, and it's harder than a lot of people actually think. You've been in the trenches doing podcasting for a while now. Have there been some unintended benefits to being a podcast host that either helps you as an instructor, or even someone that does consulting in the SOC space?
John 20:05
Yeah, definitely. So, it's not an easy thing. People just think, "Oh, you just kind of record yourself and that's it, then you just put it online," right? Well, you can, I guess, but usually, it's a little bit more complex than that, right? For me, there's a lot of things that have come out of podcasting. One, just learning the technology and the stuff that goes behind it. I'm a huge nerd for just getting distracted into various hobbies. One of the things I learned over the pandemic was just like, audio and video editing, and all that stuff. I picked up on some of that just as a direct result of getting involved in the podcast, even though I don't even do that for my own podcast, I was just interested in it. But there's that, then there's the further extending your network of people that you just know and can talk to, and content that's out there that helps people with a specific problem. I love having more of that stuff out there. And then, probably one of the biggest things is just further causing you to flex that muscle of doing things that are slightly uncomfortable and scary. I find that that's one of the things that really moves the needle more than anything else, is anytime you think like, "Oh, I don't know if I can pull this off. Should I do it?" Like, the answer should always be yes, because usually, it'll be no problem at all. And then, you're going to be in a much better position by the end of it, even though it's going to be terrifying the entire time. Stephen Hart, you guys know him, he came to me and was like, "John, you should do a podcast." And of course, at first I was like, "I don't know if I'm up for that." He's like, "Oh, come on, you teach on stage and all sorts of other stuff, you can totally do it." I was like, "Alright, let's give it a shot." And here we are, we just finished season three of that. So, there's nothing but upside from having a podcast in my book, for sure.
Ron 21:34
It's all about that. I mean, I would imagine that someone that is doing podcasting, teaching courses, and also, still being a practitioner, you have to constantly inspire yourself to keep going. I read this great book by Kendra Hall, it's called Stories that Stick, and part of the premise of it is being able to tell the same story over and over and over again. I think to do that, you need a little inspiration, you need your own set of motivations. What inspires you and motivates you to tell the same stories? How do you reinvent the story, or you reinvent yourself?
John 22:08
So, reinventing myself as an interesting question, given that being home so much in the last couple of years, I had to come up with: How do I fill my time and the extra bits where I would normally have been going out and traveling and doing whatever else? One of the things I did throughout that time was, as I kind of mentioned, learning video editing and some photography and some graphic design. You know, watching a bunch of movies, I also actually kind of taught myself in music production along the way. I've got a copy of Ableton now and NPCs and all sorts of crazy stuff, but like, it's been super fun learning something that's completely not information security, and then, using the concepts that I'll see, and now kind of recognize in some of these other disciplines, as something that can inspire me back in
information security. Anytime I can borrow a principle that works really well from another industry, whether it's engineering, which I borrow from all the time, because I know that really well, but from anywhere. I constantly get inspired by that.
John 23:01
Actually, two nights ago, I was just watching this movie. I decided it's officially fall season now, so, I started watching scary movies, and I was flipping through movies, and I just Googled like, "Oh, what's a good scary movie?" On Reddit, someone said, "There's this movie called Leaving DC and it's super low budget, but check it out. It's good." So, I watch it, and it's this guy that created a movie, like, literally by himself. It's a Blair Witch style, found footage whatever movie, but it was really, really good and it was entirely made by one person with a camera. I look at that and I'm like, "If you had asked me earlier today, could one person make a movie worthwhile? I would have said, No, I doubt it." But I finished that movie. I was like, "That was a great movie, considering it was one person with a camera." It was scary, but there was probably zero budget, right? So, that kind of stuff, I see it and I'm like, texting my friends. I'm like, "Should I make a movie now?" I just realized I can do this, right? Like, I got a camera. I got a microphone. What's stopping me now? So, just like, being inspired by random stuff like that, just kind of looking out into the world and taking in whatever you can from anywhere you can get it and trying to reapply it to what you do. That's what I'm always looking to do.
Chris 24:04
There's a double-edged sword to being interested in a bunch of different things. I tend to be a
generalist, I like to do a little bit of everything. I wouldn't say I'm the master of any one particular thing, but I do find that there's like, an opportunity cost when it comes to learning something new. Because look at cybersecurity in general, there are folks that live and breathe cybersecurity and that's it. That's all they want to do, maybe they do some content creation, but really they're focused in the realm of cybersecurity, and they're just brilliant. But then, you have folks that do a lot of little things, they do filmmaking or they do music or they play a sport, which is their downtime. What do you think about weighing the options of doing something new, versus going deeper into the thing that either brings you money or brings you joy? How do you weigh against those different options?
John 24:55
I kind of struggled with that myself because there were certain parts of my life where I was that person, and with every single moment of my being, I was diving into InfoSec and that was probably when I was starting to try to get my first job and going through that and kind of earlier on. And then, as I progressed, I was like, "I think I need to be a little bit more well-rounded than that," and kind of picked up some of these other hobbies and other stuff along the way. I think there's merits to both of them, right? I mean, if your head down in one topic, like nothing beats that, for being an expert in that topic, and knowing one thing really, really well. We're gonna get absolute amazing insights and exploits and all sorts of crazy stuff from those kinds of people, but I think there's other things that are also very valuable that are going to be discovered by the generalists, because they're gonna have all this knowledge in different domains, and they're gonna see patterns and be able to bring things in from other industries that a specialist might not. So, I think, from the whole industry perspective, we really need both. As a person, if you're trying to decide between one or the other, I guess maybe you can ask yourself: What seems better to you? That's not really a solid answer for one of the other, but that's kind of how I'm starting to look at it now. Both are valid. The risk in being a specialist, I think, is burning yourself out, not going out, and taking some other time to do relaxing things on the side. That's kind of the caveat, I guess, I would put on that.
Ron 26:12
That definitely could burn you out. What other things are you focused on? You mentioned music creation, movie creation. I'm sure that you have a bunch of ideas, but what's at the forefront right now?
John 26:23
So, right now, I guess, with my weekends, and just kind of fun time at night, playing around with music, and that kind of stuff has been maybe the primary thing, but I also got a little bit into photography. You know, I was always kind of scared to learn about shutter speed and apertures and cameras and all that, but sat down one day and watched this couple hour video on YouTube and I was like, "Oh, that's not that hard," right? Like, I can kind of figure this out. In October 2020, I ended up getting a nutrition coaching certificate, so I'm a certified nutrition coach on top of all of that stuff.
Chris 26:51
You got too much time on your hands.
John 26:55
But that one wasn't probably as time consuming, it was reading three decently sized books. But I go to the gym here in Philly, and I had a nutrition coach for a while because that's part of the gym, like, "Hey, you want to eat well, as well as workout." "Well, yeah, of course," right? You might as well do one, if I'm gonna do the other, and the guy was great. Once the pandemic hit, I'm like, "Maybe I should just learn this stuff for myself, so I can continue coaching myself." So, I just ended up picking that up along the way, but just kind of those sorts of things. I do some coffee roasting, and just try to like, chase the perfect cup of coffee with my espresso machine and my home roasting kind of project, and really anything. I'm constantly learning new hobbies, I picked up a Skillshare subscription, because that's one of those things where I'm like, "Hey, I wonder if I can do that." And I just like, dive in and pick up like the first 10% of any given topic in a couple hours. I love diving in there and being like, "Oh, that's how I use Adobe Illustrator, I'll make myself a logo, or at least an amateur version of one." I'm constantly just all over the place trying to pick up at least a little knowledge on really anything, I'm very interested in a lot of things, for better for worse.
Chris 27:57
Well, I can't wait when you announced that you're gonna go for the world record in free diving. Let us know, I'm sure it'll be sponsored by Red Bull and we'll be there to support you, but throughout this entire conversation, whether you're talking about doing more in the security operations space, or doing more with your life and doing these additional hobbies, gaining these additional skills, there are people out there that really get caught up in their day to day, "Oh, this is my life, I wake up, I go to work, I do the thing, I get off, I eat dinner, and then I go to bed." But there can be so much more to life, and some people just need to be told that there is more out there for them to enjoy. What is that one piece of advice or philosophy that you adhere to that really enables you to do more and squeeze as much as you can out of life?
John 28:46
So, for me, I think it's contemplating exactly what's important to me and where I'm trying to go, and not just kind of waking up aimlessly every day. I mentioned that Eisenhower Matrix kind of thing earlier, urgent and important stuff. I try to keep, in my own kind of personal to do list, like: What am I really trying to accomplish? I make sure every day when I wake up, I have like, a moment of space. I try to get up as early as I can manage to get up every day, well before I start getting emails and meeting requests and all sorts of stuff like that, and try to plan out my day and say like, "How am I going to actually approach doing the things that matter the most to me?" And fit it all in on any given day, and try to just map out: How is today going to work? So that I don't get caught up in the firefight of just doing a bunch of meaningless stuff. That's probably the main tactic that has brought me, really throughout my
entire career, just to the places that I've been trying to go.
Ron 29:37
Valuable wisdom, and you're the scholar that's teaching other scholars. It's amazing to hear all the things that you're doing. John, thank you so much for jumping on the mics with us. It was a great conversation. I feel inspired to pick up a new skill, hopefully everyone else does. If anyone is interested in connecting with John, learning more about him, even checking out his YouTube channel, check out the show notes below. John, thank you again, and with that, we'll see everyone next time.
John 30:07
Thank you so much.
Hacker Valley Studio 30:07
If you found value in this content, it would mean the world to us if you shared it on social media, sent it to a friend, or talked about it over coffee.

Keeping Cyber Course Prices Equitable with Kenneth Ellington

November 29, 2022 Hacker Valley Studio

00:00:00