Episode Description
What We Discuss with Nicholas McLaren:
- What qualifications do you need to become a cloud security engineer? Degrees, certifications etc
- How to network effective to secure your 1st cloud security role?
- Network in the world of Covid-19.
- A day in the life of a Cloud Security Engineer
- Soft skills required by Cloud Security Engineers
- How to get recruiters and hiring managers to notice you?
- And much more…
THANKS, Nicholas McLaren
If you enjoyed this session with Nicholas McLaren, let him know by clicking on the link below and sending her a quick shout out at Linkedin:
Click here to thank Nicholas McLaren at Twitter!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services, discussed during the Interview
- AWS Associate Certificate
- Cloud Security Academy by Cloud Security Podcast
Ashish Rajan: Hello, and welcome to another episode of cloud security podcast with virtual coffee with Ashish. Today, I have a few interesting topics to talk about. I’m not going to be talking too technical today, but I do want to share what’s it like to be. A cloud security engineer. What’s it like to be in a day’s life of a cloud secure engineer at the same time?
What does it take? Do you need to be a certificate holder or a masters holder to demystify all of this for me, I have Nicholas McClaren Nick McClaren. And before I go into this, I do want to give a shout out to our. This week’s sponsor, which is ByteChek.
Bytecheck: Hello, my name is Anthony Yawn with ByteChek. Thanks for watching. Thanks for listening to the cloud security podcast with the one and only are Ashish, real experience, knowledge and stories from the world’s elite cloud security folks. Subscribe on Apple podcasts, Stitcher. Spotify, Google podcasts, overcast, Amazon music box and [00:01:00] YouTube weekly live interviews with cloud security leaders and practitioners from around the globe available on all your favorite platforms.
Listen on cloud security podcast.tv.
This episode is sponsored by ByteChek.The days of manual audit requests. OVER Buried in compliance emails OVER build, manage, and assess your cybersecurity program as well as complete your SOC two audit faster all from a single platform. www.ByteChek.com. Let’s make compliance. Suck less. Now that’s a ByteChek.
Ashish Rajan: Awesome. Thank you so much for the sponsorship as well ByteChek. And without further ado, let me just bring the guests to the owner. Hey, Nick How are you?
Nicholas Barrington McLaren: Hey, I’m doing great. How are you doing today?
Ashish Rajan: Good man. Good. So so quick shoutout to folks who were already on the livestream and also shout out to the people who are on a clubhouse that we all appreciate, that you’re spending time on this and coming to share your journey.
So [00:02:00] it’d be great. All right. So this will be a fun one. We’ve got live streaming everywhere these days, so that’d be awesome. All right. For people who may not know you, right?
What’s your journey like, man? Where do you start? Where are you at? Let’s start with their first because I’m going to go you history bit by bit. So where are you at at the moment? What are you doing?
Nicholas Barrington McLaren: So right now I’m a class security engineer. As you all may know right now, ByteChek. Pretty Early on in my career, I would say.
So in my opinion, this is really the tip of the iceberg. Trying to take it to a higher level as far as possible being architect job or something like that. So really this is just a start.. As far as my background I went to Georgia state university. I actually graduated in December of 2019 with a CIS degree.
And that was pretty much what I took out into the job market, you know, got my start with that.
Ashish Rajan: I’m curious, so you obviously have a degree as well and certificates as well, or just degrees
Nicholas Barrington McLaren: actually. I have one degree and I have three certifications.
Ashish Rajan: Yeah, which ones
Nicholas Barrington McLaren: I have the CYC through a comp TNS, a cybersecurity [00:03:00] analyst and the solutions architect through Amazon web services.
And as well as the security specialty.
Ashish Rajan: Right. Cause tell me about this way. And I kind of asked this question on LinkedIn the other day, where the question was more around, does one need a degree? Does one need a, like a master’s degree or a certification? Which camp do you sit in?. Cause considering you have both, you have a master’s degree or so you’re pursuing a master’s degree.
Yeah. And you are obviously you had a bachelor, so I just take it from a bachelor’s perspective. You have a bachelor’s and you have a certification, like, do you sit on a particular camp? Would you have big one over the other for
Nicholas Barrington McLaren: I’m one of those people that I sit in, I sit in on both sides. The reason I do is because personally as a minority in order to get. In some cases, even a phone call, you have to check all boxes, especially if you’re a minority and you don’t have the experience that a lot of these jobs are asking for it.
So my goal coming out of out of undergrad was I need to find a way to check all the boxes outside of experience, [00:04:00] to even get a chance to show them that I had technical aptitude to do the job that’s that they’re advertising at that time. So to answer your question, I think you really need to be on both sides.
You need to have the education because it’s going to college. It’s something where you have an opportunity to learn how to be more of a professional. You’re also in an ecosystem where you’re around young professionals who are aspiring to do the same thing as you. And so it puts you in a place where.
You can learn how to be more professional and you can continue to persevere through a lot of dips and curves, really where school can be tough and you can be trying to establish yourself or establish a network. And it’ll be, it’ll be really difficult. So you’ll have people there that are going through the same thing that can continue to drive you to that goal.
So I think it’s important to go to school, to kind of back up that professional growth to add into the certifications that shows your technical attitude.
Ashish Rajan: Thats very interesting. So considering you already had a degree, what made you go for a master’s?
Nicholas Barrington McLaren: Well, again, it was more so about ticking all the boxes cause I came out of school.
Actually the first job that I had, I was an internal [00:05:00] auditor. And I thought to myself, okay, Hey, let me go get a certification and not, and go be a security engineer. And I quickly realized that was not the case. I had to find a way to continue again, like I said, check the boxes. So I said, Hey, let me join a master’s program so that I can continue to build my professional side and also learn things that I can learn things in a quicker pace and in an environment where I can learn from experts.
So that was something that I told myself I needed because. Again, it was all about getting better visibility coming from that resume because you’re not able to, especially with COVID now, but many things extremely difficult. Something that I really pride myself on is actually going in and speaking well to somebody and showing them my personal side.
And that’s something that I didn’t have the chance to do. Once Covid came around. So you really had to make sure your resume was strong because a lot of jobs went remote and now everyone’s looking for a superstar and they actually have access to it now because they have, they have access now because you can hire someone from the other side of the world that has all the certs has all the experience.
So it leaves a person that [00:06:00] doesn’t have that experience kind of, you know, you’re really stuck. So you have to find a way to, again, check all the boxes. So that was really my motivation behind going to get a master’s degree.
Ashish Rajan: Oh, dude, the whole COVID thing is really interesting. Right. And I’m pretty sure a lot of people were the questions as well.
The whole covid thing right, right?
Definitely want to say, I commend you for taking the masters path while a lot of other people were like, Oh my God, doubling down in the fact that I just want to do like I just want to get a job. I don’t really care how they don’t have a plan, but it seems like you kind of have had like a good plan.
So was there like some guidance that he got from it and mentorship, or were you just like some online forum? How’d you get to it? Because I think I’m pretty sure a lot of people like, yeah, I get, I do these, but I don’t land anywhere. Or, you know, like, I’m trying to get into the mindset of space where I get a lot of questions on clubhouse and I’m trying to help people get into cloud security.
The question is more what a certificate. But I can’t get a job. I’ve got this, but I can’t get it. So was there anything extra that you had to do beyond the certificate or just like you did the certificate? [00:07:00] Like they say, like, what is this Nick guy? I need to find him on LinkedIn.
Nicholas Barrington McLaren: Right. So one of the biggest realizations that I came to, and this was around July of last year, I realized that my degree in the certifications would not be enough.
And that was a tough realization that I had to really swallow that and say, okay, well, I have to find a way to now network, I’m going to have to reach out. I’m gonna have to talk to people on LinkedIn that I’ve never met before and essentially say, Hey, I’m really passionate about cloud security. I’m really passionate about my career.
Is there any way that you can help me by giving me any tips? Can you link me with someone that can potentially tell me where a potential opening is? Is there anything you could possibly do for me? That was probably the best thing that I could have did starting the network.
I actually spoke to someone in my network that had told me that for a person with no experience that just has the certifications. He said that, and this is no knock on recruiters. He said that speaking to recruiters and trying to just apply, apply, apply. You will never get anywhere with that. With no experience, once you build your resume and you finally have five to seven years of experience, you’ve maybe worked at a [00:08:00] fortune 500 company, you’ve done some really impressive things at that point.
Yeah, absolutely. You can just apply, apply, apply, because now you’re one of those unicorns or one of those people that have that experience. But if you don’t have that, don’t even waste your time with that. Cause that that’s not going to get you anywhere. The only thing that’s truly going to separate you as a person with no experience and just a ton of passion and a couple of different certifications and maybe a college degree, the only thing that will separate you from the.
Millions of people that are trying to pop these jobs is establishing a network. You’re trying to be a security professional. So one of the most important things is, and security is trust. So if you could find a way to reach out to a CiSO or reach out to a potential manager or director of information security this will put you in an environment where you can speak to that person, get to know them.
And they’re more inclined to, you know, look past the fact that you don’t have experience because experience matters in this field. Absolutely. That’s going to make you a lot better once you start the job, but. Luckily today with Amazon, you have the ability to do a lot of different labs and you have a lot of different how to guides, so that will allow [00:09:00] you as a person with no experience to speed up and, you know, catch up.
So a good enough level of aptitude to where you can actually manage someone’s infrastructure. So again, the main point is networking. That is the only way a person with no experience is going to get one of these jobs. Because again, the company that you’re being hired to, they’re more than likely trusting you to handle, who knows maybe over a thousand different instances, like a hundred different users, and you’re going to be the one that they’re going to call them.
So it’s going to be important that you have a good connection with the people that you’re associated with to do well at that job.
Ashish Rajan: That’s really interesting. And I do commend you for this. I’m going to definitely dig into a bit more of your networking approach. Cause I thought that was really unique as well.
I’m pretty sure people who are listening in can definitely learn from it. I did want to tell you, and as is my personal experience as a CISO I almost try and tell people that whether it’s a challenge of immigration that you run the appropriate visa or whatever it may be. I think those are. Not big problems.
If you had the right people around you, what does make a problem is like [00:10:00] for, especially for a cybersecurity kind of role, right? You’re you’re going to be someone who’s probably going to be responsible for. How do I secure these assets that a company has? that could be the main software that for they’re making money with and.
You can’t expect someone with no experiences, jump in and Hey man, can you secure this? Like, Oh, Hey girl, can you this? And they’re like, yeah, yeah, no problem. Two minutes later, you’re like, Oh my God, man. I’m I got my foot stuck into and I feel like that’s kind of conversation has not had enough times in this industry.
So to your point about recruiters,N dig at ecruiters, but if you simply apply with no experience, your chances are automatically quite low because a you’re trying to get into an environment which you need to secure, but you have no idea about, and as an employer, sometimes they may not even have the budget to go for a new person, but I love the networking angle because I think that’s when you kind of increase your chances of getting a job.
So tell me how did you approach networking? Cause you know, it’s like obviously now with the COVID world, it’s even more I guess, how do you do networking in a COVID world when there’s no [00:11:00] conferences or no meetups? So what were you doing before COVID and what are you doing now?
Nicholas Barrington McLaren: Before COVID the main thing that I tried to focus on was I searched on LinkedIn and I searched for managers.
I searched for CISOs. I searched for directors and the main thing I try to focus on was, are, do they have active accounts? If they have active accounts, I can focus on the type of things that they post on. So that when I finally do reach out, I have something to where I can. Kind of get you to nibble on a little bit.
So we have a better conversation so that it’s not me simply coming to you. Hey, I need a job. Can you help me out? You know what I’m saying? Like a lot of people aren’t going to respond to that. And a lot of people that are in these executive positions, but emails are flooded with InMail and people doing exactly what I’m trying to do.
So I had to find a way to stand out. So that was the main thing, finding a way to look at what they post and apply it in that message. And. See if they’ll possibly contact me back. And luckily I was successful with that. And someone was able to find me, someone that was advertising a job at a time.
So that worked out really well as far as networking now since, since [00:12:00] I’ve started this job, I just try to, again, do things like this to help other people get into the position that I’m in because it’s a, it’s a great field to be in. We all know about it. And ultimately. It’s about spreading the wealth continuing to help the next generation of security professionals get into this environment because it’s, it’s tough.
But if we continue to try to have a all hands on deck approach think that we can really turn things around and close that gap because the talent is here. It’s absolutely here. They just need, they need visibility. That’s really all it comes down to. I need a shot. That’s really it.
Ashish Rajan: And to your point visibility of talent comes from networking.
That’s kind of where we were kind of a bridging towards. So I’m going to come to the present a bit. So now you are, a cloud security engineer and I’m sure I’ll get a lot of questions about this. And I’m sure a lot of people in clubhouse would tap hand icon for this, but, or even a follow-up.
But what, what does a day in a cloud security engineer look like for people who don’t know about this, just like this the job, which is at a distance, someone else is doing it. So one of the questions I was getting, what do you do in a day to day? Scenario.
Nicholas Barrington McLaren: So on a day [00:13:00] to day scenario, luckily I’m at a SAAS company.
So a lot of the main threat surface comes from the application itself. So really the making sure the application is secure within our containers, making sure our elastic Beanstalk setup is good as well as maintaining the patching on our instances. That’s something that I keep my eye on every single day to try to knock down as many vulnerabilities as I can.
As well as our our guard duty and vaff so a lot of different AWS services and in config as well and Lambda function. So in essence, you build a wall and you’re kind of building the castle and the ideas I’m sitting here and waiting to see if someone’s going to attack. I have to make sure everything is set up so that I can possibly, if you are able to get through my gate, I can remediate.
Whatever possibly you, you were able to make happen. So that’s really, the idea continued to just monitor things on a day to day basis. Because as a security professional, you understand that you never truly a hundred percent secure. So you have to always find ways to innovate the different guard rails that you set up.
So that’s really what I sit and focus on, on, on a [00:14:00] day-to-day basis. If we actually do have any sort of security incidents, obviously you are going ahead and remediating those on as soon as possible. And if not, Well, again, like I said, just continuing to just modify my guard rails and making them stronger and stronger and stronger because once the system gets compromised, you can never really get it back to the original state.
So.
Ashish Rajan: And do you reckon the certification that you did or the bachelors that you did, was that in any way helpful or was that more mentorship, more helpful what’s the pocket to point when you do an AWS certification? Get to know about all these hundred certificates and by the way, I’m sure this is applicable for Azure and Google cloud as well.
So I don’t think it’s just AWS. Do you find that was helpful in setting you in the right direction or it was more like once you’re in the job and some guidance was required and that kind of really helps you kind of shaped how should the cost will be built, I guess, for lack of a better example?
Nicholas Barrington McLaren: I would definitely say that the certifications help. A thousand percent over just trying to get one of these jobs. Again, it’s about visibility. So with having the certification, they’re more than likely going to. Believe more in your [00:15:00] expertise and that’s really going to matter a lot, as far as when you come on the job, their certifications, not going to help you at that point.
What will help you at that point? Well, is the labs that AWS provides and I’m sure Azure and Google cloud on platform, Provide them as well. Those will help you prepare to be better on a day-to-day basis with your job. So if you’re a person and as well as reading white papers as a using these services on AWS, it’s really important to understand that insight now, not only because you’re going to be using them on a day to day basis.
And this brings up the second part of your question where. Well, college help me with this. You may have to face customers. You may be on the process team that actually talks to customers and helps them onboard their account onto your own platform or your application.
So it’s going to be important for you to be able to speak well. Know how to have rapport with customers. And that’s something that I feel that I got really strong with in college doing a ton of different presentations. That’s something that Georgia state hammer home within their business program was doing presentations.
I feel like I did maybe 30 different presentations within the class [00:16:00] semester of school, but it made me a lot more comfortable with speaking about topics that I study about or that I’m passionate about. So. That’s where school helps a lot. And it’s, it’s more of the soft side. And again, being more professional, it gives you more of an opportunity just to have more like-minded people around and mentorships associations, places where you can make the process easier to find a job.
If you’re around more people that are trying to do the same thing.
Ashish Rajan: So what kind of soft skills are the cloud security engineer require like you would find a lot of online information about do the certification, do that certification, do this degree.
Not many people talk about soft skills. So what kind of soft skills. Do you reckon, like you mentioned presentation already, but are there other soft skills that you reckon that people should be working on as well when preparing for this? Cause I feel like. Soft skill will have some component in networking as well, which you mentioned that don’t just email someone your resume and say, Hey, get me a job.
Like, yeah. Right. So any of this, do your mind when which help your job, which people can be working on which they may have in other jobs that they’re doing already, but they can use again, I guess, over here, like customer [00:17:00] service or something.
Nicholas Barrington McLaren: Right. One of the main things, as far as soft skills within your job, as a security professional, you may be one of the only people there that has to kind of make the information that you deal with every day.
That’s really sophisticated. You have to find a way to make that really easily digestible to someone that isn’t technical technically savvy. So again, it goes back to having a way to build rapport with people and also finding a way to make things easily relatable to other people. So that that’s really a good skill.
That’s going to help you a lot. Once you get on the job, because you’re going to deal with maybe a CFO that needs to understand. How, how much are these services costing us on a monthly basis? And you need to find a way to tell them how it’s happening without making it super technical. So they can go and continue to understand what you’re talking about.
As far as for networking, be authentic, have to be authentic. Everybody has a story. You have to tell them what your story is and be passionate about it. And if you’re not. Why would they message back? Why would they want to invest in you if you’re not passionate about yourself? You know? So, [00:18:00] that’s just how I look at it.
You gotta be authentic. You gotta try to show. Some type of charisma and that’s another thing that I try to bring into my role is having charisma I’m behind the computer every day, but still try to have a smile, try to be excited about what you’re doing. Cause it’s cool. If we do a really cool a job, if you’re in a cloud security role and you have a really big responsibility and to try to ease the pain of that.
Keep a smile, you know, have some charisma be, be loose and enjoy what you’re doing. So,
Ashish Rajan: yeah, that’s pretty awesome. And I love what you mentioned as well. The charisma part is interesting and it made me remember another question that I was asked in clubhouse the other day, where someone mentioned they’re shy and once they’re comfortable, they can probably start talking as well.
So it’s really interesting to your point, you can be. Charismatic something as simple as smiling doesn’t require talking.
So if those soft skills, so I’m hearing this, that, okay, you need soft skills are certifications important. Mentorship is important as well from a networking perspective, you mentioned that’s important, but another layer I feel, which is kind of [00:19:00] not spoken about, is there like a preference to cloud that you kind of have people should look for AWS Azure or Google cloud.
Like, I dunno if you’re within your peers or something. If you’re seeing almost like a pattern. That people should focus more on because it seems like everyone has an AWS certificate these days. Like if you open LinkedIn, a lot of people get overwhelmed by the number of certificates you see, people have like every day someone’s posting about GCP certificates or GC certificate for the cool kids or Azure certificates or AWS certificate.
So it feels like there’s a lot of people doing that viewing that, that many opportunities and all these we can jobs. That’s why people are happy or what, what’s your take on this? Which car provider.
Nicholas Barrington McLaren: Personally, my main reason on choosing AWS was that it was the biggest cloud provider. So I figured, Hey, if I get a certification for the biggest cloud provider, I’m giving myself the best chance or I’m putting myself in the pool of the most jobs out there.
So. I don’t necessarily have a preference on AWS over Google cloud. I’ve come to realize, as I’ve gotten deeper into AWS, [00:20:00] it takes a lot of services to do one task. So I was actually talking to AJ the other day and he was telling me about Azure it’s a lot more consolidated. And I was like, man, I might have to dive into Azure because man, one task on AWS, I may have to have four or five different tabs open
and that that can definitely be troublesome if you’re not paying attention or you lose track of what exactly you was going over. So to have a more consolidated approach, that would be great. So if Azure is truly like that, I may be an Azure guy at some point, who knows?
Ashish Rajan: I was in it, switched around a bit.
I’ve got a question coming in from Kevin, . Kevin J Forster, senior. Hey Kevin, you’re on the stage. If you have a question for Nick over here man introduce yourself as well,
Kevin J Foster Sr: ask you then a question. I have a comment, thanks for bringing me on stage and thanks for every hello and everybody in the audience.
I started out my journey in cyber security around 2000 and worked Up until 2010, it was all tech help, desk stuff, system administration, stuff, stuff like that. Got into security at around 2010. I did not go to college throughout. I went [00:21:00] to trade school route This was during a time when there was not a lot of, there was not a heavy emphasis on security.
I worked for a major hospital and Delaware, and that hospital only had one person as a security person. So, you know, my approach was, I just, did a lot of informing other people. About security in general and everyone there and knew that if there was a security team that I want to be on it.
And I think that going forward, that’s actually what happened. So I made my progression from system administration to security. And I think now looking at the field now, especially in cloud, because I’ve been contemplating between Azure and AWS right before COVID, that’s what I was starting AWS. And I think part of the issue here is the job market itself and you’ll see Hiring managers or companies hiring for people.
And they’re asking for maybe a degree or several certifications and five to seven years [00:22:00] experience and cloud security and they want this for a junior role or an entry level role. And they’re asking for like CIS SP and things.
Yeah. HR has kind of hyped up the certifications. Not necessarily the education because the education is what it is. But the certification route and the need to have those things as filters. And, you know, you have people who, who are switching careers, they’re going for getting security plus, which I advocate for.
And then. They were talking about getting
CISSP.
I’m like, well, you don’t even have enough, you know, the other requirements to meet the goal for CISSP. So, you know, I always equate that to like, it’s like saying, if you could just get out the Academy, fresh out the Academy. And you say you wouldn’t be the police chief.
Yeah. You haven’t been detective a Sergeant, a captain now you will go right to police chief. So I think that cloud security is ever an evolving field. I think that’s
the next previous [00:23:00] field.
I think identity and access management will be super important because a lot of the end point security will shift.
To identity and access management, because that’s going to be the number one way that you manage your cloud instances. So I think if a person wants to get started in that field, the key thing they’re focused on in my opinion, would be identity and access management. And one more thing
We’re talking about , the different soft skills you have soft skills are super important. I think the, the one skill that you should also have is the skill of writing. I don’t know how many times I’ve had to write emails or proposals to a CISO or a member of the board may ask a question and you may get that, you know, Hey Kevin, can you answer this question?
Those kinds of things. So writing is important. Speaking is important, knowing how to communicate. With management C-levels levels or people who are not technical, I think that’s really important.
Ashish Rajan: Awesome. Thanks for coming in. Kevin.
Nicholas Barrington McLaren: Man, [00:24:00] he hit the nail on the head, but I think it’s, it’s truly a disconnection between from the highest level up all the way down to the recruiter because in my days of networking and hunting down a job, I actually met a high level manager and he didn’t have a job for me, but I continued to talk to him just to learn, you know, more about the industry.
I think that’s also an important thing as well, know your industry, but What I learned from him was as a manager, they don’t have time to truly tell recruiters, Hey, if they have a certified ethical hacker, that’s fine. But they can also have a CYC because in essence, they’re kind of the same test.
One just has a more simulations on there. Right? But they’re the same test, but if a manager only goes to them and says, Hey, I’m looking for a C EH that’s it nothing else and needed to have five years experience and they need to have a master’s degree.
Well, you just shut out so many different people that actually have the skills to do what you’re looking for, but they may not have that certification. Or they may have learned through a tryhackme.com or [00:25:00] something like that. They may have went on a cloud guru.com and took a course that same person.
Can have the same skill level as a person that has the certified ethical hacker degree and stuff like that. They can have that. And that’s true. , the disconnection that’s going on prior to even getting on a phone call with a prospective person, trying to get a job. There’s not enough information given to that recruiter so that they know how to truly vet that person that’s trying to get the job.
I had so many calls. Where I may have told them I had to CYSA and then weren’t impressed by that. And I said to myself, well, it’s the network plus and security plus added together. Then I went through simulations and also have a solutions architect. And I’m like,
and I went to school, I did everything. Right. And they’re like, Oh yeah, well, you don’t have this. And I’m like, okay, that, that doesn’t make a lot of sense to me. And I, I actually remember there was one time maybe two months later, I said, man, I’m getting the slightest feeling. Some of these recruiters don’t know what the CYSA [00:26:00] is. When I finally got a call again from a recruiter, this was a, for like an information specialist job. One of those jobs you have maybe one or two years of experience for. So I felt pretty good about that. Yeah, I was on the call and, you know, I’ve told her about my experience. I’ve told her, told her about the certifications that I had.
And again, wasn’t really impressed. I can, I can sense that. So then I asked, I said, Hey do you know what the CYSA is? And she said, no, I’m not familiar with it. So then I had, it’s like, I finally woke up and I said, wow, I’ve been talking to people for almost three months now. And they probably had no idea what my certification truly meant.
So that’s what it really comes down to. There’s a huge disconnection between CISO down to manager or CISOs or director too. Hey, this is what I need. This is what I need to tell the recruiter. This is what I’m looking for. And finally, when it gets down to that person that doesn’t match that particular profile, they can’t get the job, even though they may have the skills to do the job, they can’t get it because you didn’t match that perfect unicorn that they were looking for.
So it’s just troublesome and [00:27:00] it has to change, but it takes an effort again, from, like I said, all the way from the top up all the way down to the recruiters, because I think recruiters would benefit from being more technical. And having an understanding of , a bit of cloud, a bit of a house system to set up and servers and stuff so that when you have that conversation with someone that’s getting the job, you have a way better conversation and you have a way better ability to vet that person, see if they can actually do the job.
That’s an
Ashish Rajan: Thanks so much for this as well. And then I think Kevin laid a very interesting part about soft skills, but also mentioned the fact about that Some hiring managers can also probably help in this as well. Like expecting someone to just have a CSSP straight out of uni and putting that pressure on people like, Oh my God, CISSP five years experience.
And by the way, it’s not really a practical exam. It’s like a theoretical exam. So in theory, you should know. I mean, I haven’t done it. I don’t believe in it, but that’s me. I’m sure. No, no hate against people who were done it. I think it’s a great course. It’s wide enough that covers a lot of areas, but expecting someone who’s a junior to do that is putting [00:28:00] on a great thing.
Another question coming in, actually from the seat, as you seem to get a lot of agreeance on our live stream on issue as well.
Can you choose yourself and ask a question or I share a few?
Asif : So my name is Asif, if I’m actually. A cybersecurity specialist.
So just a quick thing that I wanted to sort of ask in terms of recruiting one of the key things that we’re going through right now is. Our recruiters,
are not putting good candidates in front of us what they’re doing is they’re, they’re looking for certifications, and then we’re getting candidates to have hundreds of certifications from 20 certifications. However all their knowledge is steeped in theory. So lots of certifications they have, or just like a theoretical exams that they’ll take.
So my question is that in your experiences, , especially now, since we’re also moving into the cloud, what strategies have you seen in terms of going
about recruiting the right way,
is this something that the us as the hiring managers should be more involved with?
Should we train the recruiters or like,
Johny: what have you seen work and what are your thoughts on that?
Nicholas Barrington McLaren: So [00:29:00] the first thing is I’m not necessarily in an agreement with. The candidates that are strong in theory, that they aren’t actually good candidates. For instance, I was one of those people and I felt that if I was strong, in theory, all I needed was opportunity to gain that experience.
What a lot of these jobs, for instance, incident response, you can only really, truly get good at that from enterprise experience where you can actually deal with customer data and you can’t get that anywhere unless you actually get the job. So if that person doesn’t have the job, they’re never going to actually be good with experience or be, or can tell you about a couple of different incidents that they were able to remediate.
They have to be given that chance. So that’s the first thing as far as recruiters. Yeah, absolutely. Hiring managers have to work with recruiters to make it more easy for them to digest what you’re looking for. Because if you just put out certifications, that’s what they’re going to bring you back.
They’re going to bring you back people that have the certifications, but if you tell them, Hey, bring me back. People that have particular certifications, I believe there’s one called a [00:30:00] blue team. One where you actually do a, a incident response over in 24 hours period. That’s actually a really good certification.
And if you were to get a potential person that had that. That person would show you the experience by having that particular cert. So certs are good. And for people that don’t have the experience, that’s all they have to lean on. So if we spend our time to go get the certifications and study, study, study, and show the passion and get really strong at theory.
All we need is the opportunity to finally apply that theory to the actual real customer data. And what will you be? A hundred percent perfect that first time? Probably not, but there was once a point that when you, as a hiring manager where maybe you did a technical job at one point. You weren’t really strong with something when you first started the job.
So it takes giving. It takes an opportunity for someone to get there and be really strong and have 10 different incidents that they could have told you about and stuff like that. It has to start from somewhere. So again, it has to be an approach from hiring managers, going to recruiters and [00:31:00] telling them, Hey, I’m a bit flexible with this.
If they have a practical cert where they actually had to apply that knowledge. Yeah. Bring that person in front of me. Let me see if I can vet that person a bit more. I think that would be a bit more helpful. Rather than you know, again, just ask them for a particular cert and again, you will just see people that have really strong theory.
So maybe more of asking for search that have practical skills. You talked about incident response. So there’s a lot of different certifications that actually dive into actually doing something practical. I think that would help a lot as hiring managers. If you’re looking for someone that can literally just hit the ground running and they don’t need any help. .
Ashish Rajan: I think a really interesting point that you mentioned about the incident response kind of conversations as well. So thanks for sharing.
So I’ve got someone over here on my livestream, as we need is, has got a phone saying one time a recruiter asked me, how do you do you know about SIEM? I said, yes, I know what Splunk, ES and Phantom the recruiters said, no, we don’t. We need someone. So it’s hard to I don’t know what to say to that, but yeah, [00:32:00] we’re totally with you on that one, man.
Do you have any thoughts on that? Nick,
Nicholas Barrington McLaren: again, it’s the disconnection and it has to stop it. That will always allow the gap to be present. I think the guy that just called in. He had actually had a really good example of someone to hire without experience. Is that person with a, I believe a CCNA. What did the Cisco cert if I’m not mistaken,
Ashish Rajan: yes.
He’s going to the Cisco side.
Nicholas Barrington McLaren: Yeah, yeah. Really technical exam. So if you’re able to pass that then yeah, absolutely. You’re going to pretty much be able to hit the ground running because that’s a very extensive exam to take, but Yeah. As far as dealing with stuff like that, recruiters, it really just comes down to, again, like I said, I think recruiters have to find a way to be more technical and having a better understanding of what these tools are, what they do.
And I know that kind of turns in, well, Hey, am I turning into a security professional? No, it just makes you better at your job so that you put better security professionals into those jobs. It really just comes down to that. We got to find a way to fix it, has to happen and it takes work for [00:33:00] everybody.
Ashish Rajan: Yeah. A hundred percent. I’ve got my final question. But before we jump into the final question, I’ve got one more person coming on stage. I think it was journey bringing him on stage as well, quickly for this question. And he said, I think.
Hey, Johnny. Welcome, man. Feel free to ask you a question and choose yourself as well.
Johny: Oh, thank you very much for bringing me up on the stage and thank you guys, Ashish and Nick for putting this room together. So my name is Johnny. I, for the last six years I’ve been working in the cleared cyber security space.
Essentially I do, you know, network data analysis threat hunting and cyber threat intelligence sorta on a daily basis. Write up reports for our customers. And then I deliver those reports orally to the CISO or the director of threat management or whomever. The customer point of contact is You know, got a few certs CISSP CASP and securityplus, and some others, but recently I’ve been wanting to move towards the cloud.
We don’t use the cloud at my current workplace. So I think I may have to spread my wings a bit. If I want to [00:34:00] gain some more experience becoming a cloud security engineer is something that’s on my radar. So recently I took the the AC 900 was kind of a free service that Microsoft was giving away.
If you attend a couple of attend a couple of courses. So I took that and passed it. Yesterday I passed the AWS solutions architect, associate exam. And so I’m just kind of wondering. Will I also need to obtain a security specialization for one of the clouds. So, you know, since I’ve already got one AWS cert I’m thinking about doing AC104 next.
And so I’m kind of trying to figure out, do I need to do as security specialization if I want to apply to be a cloud security engineer I get somewhat dismayed because I don’t have a lot of cloud experience. However, I got a ton of cyber security experience. Plus some of the cloud certs backing me.
So I’m just, just kind of wondering, should I be worried about that? Is it, should I just go ahead and apply if I see a cloud security engineer job, [00:35:00] regardless if it says that they want you to have X number of years and a particular cloud environment, and I don’t have that, should I just apply anyway and just Wow.
We’ll have to interview or be able to speak technically while also being able to kind of break it down into layman’s terms.
Ashish Rajan: What do you think?
Nicholas Barrington McLaren: I can already say you already got a solutions architect and you have a ton of experience. So you would actually be one of those people that would be a unicorn in the cloud space. So in my opinion, do you need a security specialty certification? Absolutely not. Do you need a security specialty course?
Absolutely. To give them more familiar with the services, when it all boils down to what you’ll still be doing the same things you were doing in an off premise environment. It’s just going to be a lot of different names and a lot of different services at the end of the day, but the actual work itself will be really similar.
So for someone like you with an extensive background, extensive experience, I don’t think you would necessarily need to go and take the security specifi, to validate [00:36:00] that, you know, security. Cause you, you clearly know that with the experience that you have and the certifications that you already hold.
So to get another one to show that, you know what, in cloud. I don’t know if it really would outweigh your experience because in reality, in cybersecurity experience is really what outweighs everything. And you have all of that. So to show that you have some aptitude by having this a solutions architect, I think that be enough.
And by taking of course for maybe a cloud guru.com or I’m not sure if there’s any I’m not sure if Wiz labs does courses as well. I know they have tests, packets and stuff like that, but if you could take a course to where you can digest a lot of Sure. Eight to 10 minute videos on the services, go through a couple labs to be more familiar with how the actual service works.
Then I think you’d be fine, but the test, not so much, because there’s going to the test is going to test you on a lot of that incident response and stuff that you already have went through. So you don’t need to validate that you’d need to validate that you understand services that AWS, or A zure Well, Google cloud platform use.
So that would be my
advice.
Ashish Rajan: I want to add something else to this, Johny as well. I think it’s a great answer from Nick. I [00:37:00] was gonna ask because I was in a similar state to what you seven, eight years ago. I didn’t want to go down the engineer part. I wanted to go down the architect, but, and it hundred percent your experience with like Nick just nailed it there that you you’ll be surprised that.
All the experience that you’ve had in cybersecurity would be definitely beneficial because then you’re walking into an interview. You already had the technical background. People may ask you questions about how do I do encryption, or how do I do backups? You just need to know the services that need to kind of how you would use it as kind of where you’re coming from.
I’ll say this as well though. And this is kind of like a, almost like caveat and , I’m keen to hear Nick’s opinion on this as well. When You do a certificate from AWS, Azure or Google cloud. What you’re really talking about is how do I use an AWS service for an ideal scenario? it works with by check, you may vote for somebody else, but everyone’s a bit of a snowflake, right?
Not also, this is an applicable there having that ability to use or tap into that experience of yours and say, if I’m trying to solve an encryption problem, I might look at the cloud native [00:38:00] path where, Oh, does AWS already have a service in this? If or Azure already has service in this?
I want to use, it sounds like a great idea, cause I’ll be able to manage it. But if it’s not there, then you use your own experience from previous life. What product can I use for that? Would you agree to that, Nick?
Nicholas Barrington McLaren: Yeah, absolutely. And that’s why I said, I think that he would be really great.
And one of these, one of the cloud roles, because he has the knowledge of prior incidents. So once he learns the services, there’ll be able to say, okay, I know I want to use guard duty. I want to use Vaff and I need to also maybe use a goal bouncer in order to protect this because he has the prior experience to drive.
how to choose which particular services should be used and how to leverage them. So that’s, again, like I said, that’s really what it comes down to. A lot of the AWS certs are scenario based. So how do I use that particular service in order to solve this problem? And he’s already had a lot of scenarios.
So all he has to really learn is the services he’ll be great at it.
So that’s
Ashish Rajan: a Johnny you’re applying for those jobs. That’s, that’s the answer for you?
I was going to say Nick, this has been a really interesting conversation [00:39:00] for me personally as well. Cause I’ve had a lot of questions about this and I got a few people who’ve come in.
I’ve got my quickly cover the comments over here, Steve from is a Google evangelist very often certs from AWS GCP. Microsoft are really only important with. When you’re working for those companies, I’ll ask you that’s a good point or their partners, which requires those certs for employees. Oh my God.
He is so true. Now having worked in the consulting side before having a certificate. Yeah. So, w what’d you recommend, what do you think of this comment from Steve?
I think that’s a huge point because for instance right now dealing with the application security, I we’ll have to outsource we’ll use open source tools.
So you may deal with companies that service to protect their environment, even though they’re hosted on AWS. So like you said, the CERTs will benefit you extremely well. If you’re going to actually work for an Amazon and you do business support for people. AWS accounts, because then at that point, you’re going to pretty much really be talking about the services that AWS or Azure or Google cloud provides.
So, [00:40:00] absolutely, I think it really just helps you if you’re trying to be an employee for those companies and making them stronger, if you’re actually, , dealing with enterprise data, it makes you better with the services, but you still may have to branch out and use something that AWS didn’t create.
Or didn’t buy it. I’ll say that because it will be obviously buy up a lot of tools. So yeah.
that’s awesome. I’m going to shout out to Vineet, cause he’s the one of my cloud security courses, so shout out to him as well, man.
well, I’ve got a question here. I don’t know if you will be able to help with Good evening I work in the MSB on the service desk. I want to get into security where do I
I start some advice for that.
Nicholas Barrington McLaren: Yeah. I have plenty of advice for that. Well, here’s the good thing. They’re they won’t turn you around once you have the certifications, because one of the main things they’ll tell you is, Hey, go get a help desk job. The great thing is you already did that. So having your certifications will basically just validate, like I said, that technical aptitude.
So you have to find a way to take that theory that you’re going to get from that test and do labs, like I said, read a lot of white papers so that you can find ways to, like, one of the callers said put it in [00:41:00] layman’s terms. So that the non-technical person can understand it because that’s who you’re going to be speaking to.
When you talk to recruiters, they’re not going to be super technical. So you’re going to have to find a way to show that you’re really good at what you do without being overbearing with the technology aspect. And if you can do that with your certs and you’re already having service desk experience, I think you’ll be really good to go.
Ashish Rajan: Awesome. Awesome. Hopefully that helps as well. And by the way, so that was kind of like the end of what I wanted to kind of bring into the table. You’ve been really giving in terms of the information and I think we have a lot of audience members, both in the livestream platforms on YouTube, LinkedIn as an Twitch, as well as clubhouse as well.
So where can people find you if don’t ever get, reach out to you and get some more of this amazing information that you’ve been sharing with everyone?
Nicholas Barrington McLaren: Sure. So I’m on LinkedIn as Nicholas Barrington, McLaren. I believe if you just type in Nicholas McLaren, you might be able to find me on there. I’m also on Instagram as rude boy, Nick, that’s more of a personal thing.
So if you want to see me in the gym or seeing you talking a little bit about clouds, you can check me, check me out [00:42:00] on there, but that’s pretty much where I am. For the most part. I don’t have a human social media. A blueprint as of right now, but I’m looking to build on that. So hopefully YouTube channels, again talking more about cloud security and ofcourse getting more people of minority status into this field.
So definitely trying to, again, be on clubhouse and things like that in the future.
Ashish Rajan: Yeah, that’s awesome, man. I think I definitely want to do a room again with you on clubhouse cause that’s yeah, I’m pretty sure there’ll be benefited with that as well. And hopefully some cloud security conversations as well, but thanks so much for coming in, man.
For people who are tuning in live both in clubhouse and our live streams. We run these conversations every week or similar conversation every week just to talk about cloud security. And I would definitely encourage you to reach out to Nick who’s putting himself out there to help others.
So it’s always good to kind of reach out, especially now. So go out there and network. And hopefully people like Nick, myself and others, who’ve been here listening in would be able to kind of help you out. I’ll definitely encourage people to kind of reach out to me or. Just check out the podcast.
It’s on www.cloud security podcast. TV, which [00:43:00] is on the link on the profile and my clubhouse. Thank you so much for today and I’ll see you next week. On same time thank you so much again, Nick, and thank you for everyone who tuned in from our livestream.
Thank you so much, everyone. We’ll see you all next week. Peace.