Alexia Crumpton, Lead Cybersecurity Engineer at MITRE, joins the pod this week to cover leaving the old ways of cybersecurity behind to embrace the new generation. As both an engineer with MITRE and an educator for future cybersecurity practitioners, Alexia understands the complexity of new and emerging concepts in modern day cybersecurity— and she sees the confusion our current training methods are creating. Alexia helps us answer: How can we teach the purple team perspective to the next generation?

Timecoded Guide:

[00:00] Gaming MMOs & becoming a cybersecurity engineer for MITRE

[08:36] Knowing defensive & offensive cyber to sharpen any practitioner’s skills

[23:04] Teaching the new generation of cybersecurity & changing the old ways

[32:13] Using Fortnite gaming to accessibly teach cyber skills

[42:09] Learning cyber skills & being patient with the cybersecurity salary

Sponsor Links:

Thank you to our friends at Axonius and PlexTrac for sponsoring this episode!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley

Do you think knowing both the red and blue sides sharpens whatever side you're working on?

Alexia describes defensive and offensive knowledge like a marriage— both have to not only coexist, but also work together. Having both defensive and offensive skills under your belt gives you, as a cyber practitioner, an overwhelming advantage in your ability to work efficiently. Instead of having to wait for someone to explain or struggle through systems you don’t understand, you can rest assured nothing is missed and everything is understood.

“When I first got into the defensive side, the way the SOC was moving, the way the blue team analysts were moving, I was like, ‘You guys are missing a lot of things that I had to develop to bypass all of the things that you're looking for.’”

What would you say is the biggest challenge with trying to build that cohesive purple team mentality? 

In Alexia’s opinion, two challenges hold back companies from being able to build a cohesive purple team: communication and training. Without proper communication protocols between team members, everyone fends for themselves and neither red nor blue team practitioners can fully understand each other. Without proper training and knowledge, teams are stuck arguing between the old ways of past technology and the new ways of present day programs.

“If I know what you know and you know what I know, we can work together as two brains to create something that is innovative and better for the cybersecurity community as a whole. Us working as a team is better in the fight against adversaries than me working by myself.”

How do we get corporations to embrace creating content developed around bringing people in, teaching them, and most importantly, investing in their talent? 28:51

Unfortunately for many new practitioners entering the industry, a large majority of cybersecurity companies still rely on the “old” way of doing many tasks and working with a lot of modern day tools. In Alexia’s perspective, this “old” way of thinking creates a massive gap between new employees and experienced professionals where confusion and dissatisfaction thrive. If they embraced the new way and asked new professionals how they learn best, many companies would find talent more willing to learn and stay in cyber roles at their organization. 

“I think it’s about working with a new generation, just asking them: How do you learn? How do you retain information? What do you want to know? What are you interested in? So that we're giving information that helps people, that tells them the resources that are out there.”

What is a piece of advice that you wish you would have known early on in your career? 

As an educator herself, Alexia understands the money-driven, certificate-driven mindset of newer cybersecurity practitioners. However, for the next generation of cyber professionals, Alexia recommends not chasing a salary. Instead, be willing to learn different skills, roles, and teams within cybersecurity. When you have the information you need to be a well-rounded practitioner, the salary will follow and you will avoid burnout or dissatisfaction with your role.

“Don't worry about chasing a salary, because when you find the field that you want to be in, that you love to be in, the money will follow. The money is definitely going to follow. Learn about the different career fields, because having that information is going to help you.”

---------------

Links:

Keep up with our guest Alexia Crumpton on LinkedIn

Learn more about MITRE on LinkedIn and the MITRE website

Connect with Davin Jackson on LinkedIn and Twitter

Watch the live recording of this show on our YouTube

Continue the conversation by joining our Discord

Hear more from Hacker Valley Media and Hacker Valley Blue