About this session
This topic examines the widening cybersecurity talent gap and its impact on organizations. Panelists will discuss strategies to address the shortage, including upskilling existing employees, partnering with educational institutions, and fostering diversity and inclusion in the cybersecurity workforce.
- Overview of the cybersecurity talent gap and its implications
- Challenges organizations face in filling cybersecurity positions
- Upskilling and reskilling strategies to bridge the skills gap
- Partnerships with educational institutions and cybersecurity training programs
- Promoting diversity and inclusion to attract a wider talent pool
Dinis Cruz - 00:00 Yeah. Hi. Welcome to this Open Security Summit session in October 2023. And I’m here with Chen, and we’re going to be talking about, I think, a massive topic in our industry, which is basically how you address the cybersecurity talent gap and fundamentally the growing skill shortages that I think we all feel. Anybody who’s hiring and is building teams experiences this. So do you want to just kick us off, Chen, and give an introduction about you and then your views on this topic?
Chen Gour-Arie - 00:33 Yeah. So. Hello, everybody. I’m Chen. Coming from many years in hands-on application security, I’ve been a consultant through, say, the first half of my career. A lot of pen testing, been around many places, and so I kind of struggle with the problem. I must say that by the time I was a consultant, not many companies were directly employing cybersecurity professionals. It just started; it was mostly consultants at the beginning, and then slowly but surely, companies realized that they need to build their own internal task force. And it was fascinating to see how the industry responded to the cybersecurity threat by building internal capabilities and internal teams and developing methodologies. The second half of my career I was still in cybersecurity, but more on the vendor side. So building products, including my startup, Enso Security, which was recently acquired by Snyk.
Chen Gour-Arie - 01:43 This was the first ASPM solution on the planet, and just a few months back we got acquired by Snyk. And there I was responsible for many different things, but essentially building up a platform that will help companies manage and run their application security gig, which I think is one of the areas where the expertise needed is so delicate and the frameworks and methodologies and structure around the problem space are so proliferated, where this actually becomes a very big issue. So, yeah, I think maybe this group is small enough that we can open up everybody’s access to the microphone and then we can have it as a discussion, because otherwise it would be just the two of us.
Dinis Cruz - 02:41 Yeah, absolutely. I’m making everybody a co-host. Right. So you guys feel free to chip in with your views and talk about this.
Chen Gour-Arie - 02:52 Right.
Dinis Cruz - 02:52 I think this is a really key thing. One topic maybe first to explore, maybe a little bit not controversial, but I would say I don’t think we have in total a skill shortage. I think we have a skills transfer problem. I think what we’re not very good at is creating opportunities and creating recruitment workflows that allow individuals and talent from other industries outside cybersecurity, from either technology or engineering or even left field, from medicine, from poetry, from all sorts of different ways of life, right, and professionals, to bring them into the cybersecurity field. Because I actually feel that will increase the diversity of what we have, but I think it will bring a lot of experienced professionals into our field, which also really needs them. So it’s not necessarily that our pool is quite small.
Dinis Cruz - 03:51 It’s like maybe we should have a bigger pool of talent to draw from.
Chen Gour-Arie - 03:57 For me, when I think about this subject, I think that there are a few things to recognize. First is that the entire information technology industry is quite new. When you compare it to other industries, then even when you think about other industries that are similar in nature to what we are doing, which is actually building things and you look at other industries that are about creating products and building products, you’d see that there is always different levels of professionality. You’d look at one shop and they’ll be building in a very chaotic way. And then you look at another shop and they will be building very accurately with planning and designs. So the industry by itself is young. Building software, building applications, building digital systems is very difficult. There isn’t yet a perfect way to do this.
Chen Gour-Arie - 04:59 Everybody struggles with leading an effective operation of building software. It includes a lot of talent, a lot of different aspects that you need to consider when you’re working on this. And then in this industry, this kind of bad boy, which is cybersecurity, is even younger than the industry itself. And it’s trying to deliver something that requires first understanding a lot of information about building information technologies, and then understanding where it can go wrong, and also providing a practical solution for securing it. It’s a lot to know, it’s a lot of knowledge, it’s a lot to take in, and it’s a lot to deliver too. And in this, we still haven’t figured out what would be the right way, what is the right methodology, what are the actual things that we need to worry about.
Chen Gour-Arie - 06:02 So, for example, one of the things we’ve been focusing on when we built Enso Security was the specific topic of how do we build up a very professional approach to the problem space? How do we try to eliminate the cry-wolf situation where many cybersecurity professionals think that it’s their job to just raise the alarm, but it isn’t really? It’s also to build up into the culture of the organization the sense of right prioritization and right investment in security. So it’s a lot. And because this is a lot, I get back to what you just said. Because this is so much, there are many ways in which we can open up and bring in more talent and more approaches to the problem and try to enable more people in assisting in making companies more resilient to cyber threats.
Dinis Cruz - 07:03 Yeah, if you look at, I would say, the qualities that you want in your professionals is curiosity, ability to learn, ability to handle pressure, ability to be a good team player, have a great cultural fit, ability to process lots of complex information, be able to get things done and understand complexity so you can get on right. And a lot of those are I would say human and professional skills that have nothing to do with cybersecurity, right? And yes, it’s a lot in our field, but you could argue that it’s also a lot in the medical field, it’s also a lot in other industries, right? Almost every industry has a lot going on, right, in a lot of the stuff they do. So the challenge there is, how do we give them those skills, right?
Dinis Cruz - 07:52 How do we give skills to that individual that is joining an industry that doesn’t have a huge background? And I think there’s different paths. I think there’s a path where you’re very technological and I think there’s a connection there, but there’s also, I think, a path where you might not be very technological, but you have a lot of engineering in a wider sense of engineering sense, or a lot of structure or ability to consume a lot of information sense. And I think each of those pillars require different attitudes or different approaches for how you expose that individual to an industry, which, like you said, there’s a lot of stuff going on. But we also invent the wheel a lot, right? We also sometimes overdramatize a lot of these things in our industry because it’s about the fundamentals, right?
Dinis Cruz - 08:39 It’s about figuring out what you want to do, how you want to do it, how you get it done, and enabling others. Because a lot of times in security, we are a property of a system, right? We need to get the dev team or we need to work with the dev team to implement certain things. We need to work with engineering team to implement certain things. A lot of times we shouldn’t be doing it, we should be empowering, enabling, providing guidance, providing information, or managing risk, et cetera, for other teams to be productive. So a lot of those skills you can learn. So a lot of those specific technicalities things you can learn.
Dinis Cruz - 09:15 I think my hypothesis is the other skill set is much harder to learn and the talent pool that we go for these days is much smaller, which a lot of times doesn’t have those skills of. Basically. For example, I was talking to a friend of mine and his wife, he’s a teacher, right? And I think teachers are amazing, right? I think teachers anybody who can teach a bunch of kids, right, fucking it’s a hell of a skill, right? And if you talk about managing and keeping that in control and dealing with all the stuff and now there’s a lot of complexities in UK about it, but those individuals are amazing, right? But they’re actually not very well paid in a weird way.
Dinis Cruz - 09:56 We have a premium in cybersecurity that we should be leveraging because it’s almost like we need people to do transfer from one industry and actually we can pay them more even to where they are, even if they don’t have domain expertise. Because at the moment, the premium is actually really high. And you can argue that for the skill that the new generation has, that premium is out of whack. It just happens to be a lot of demand. Like you said when you started, when I was around initially there was no cybersecurity teams, right. The market for cybersecurity professionals was much lower to be hired as a threat modeler. What the hell? That wasn’t the thing. Right? And now a full blown career path, right?
Chen Gour-Arie - 10:40 Yeah, I think they’ve been trying to build in some universities, they’re already trying to build. They’ve been existing also for a while, full training programs and full education programs around the subject. But I think one of the challenging things here is that this subject is so much about other topics. It’s not so much a thing by itself is just to properly understand information technologies and then try to find ways to inject some security in them. If it’s in the understanding the infrastructure and then from understanding the infrastructure you can understand potential threats and risks and then you need to understand how to deliver solutions to this. So you have a long way to go. But I think that similar to how I spend a lot of my time in a lot of my career in companies that build information technology project.
Chen Gour-Arie - 11:45 So I live and breathe the DNA of companies that are building software. And as you spend more and more time there at the beginning, you think it’s just a bunch of developers behind the keyboard. At some point you start to realize that there are also product people and operation people. Why would you need an operation person in a company that all they do is build up software but you actually really need those operation people because coordinating between the different efforts of the company is super critical. Why do we need so much investment in product definition? Because if you don’t invest properly in product definition, you will have your developers running about trying to build stuff that won’t connect and won’t deliver to the actual needs of the user eventually. So you need to actually invest more in product.
Chen Gour-Arie - 12:33 And then you even have things like marketing, and people that are just explaining what this should be, explaining to the outside world what this should be, building up brand and marketing around it. And as you spend more and more time in high tech and you realize how many different professions are there in high tech, you can open up to the notion that it’s not necessarily about the technicality of things, like you said before. It’s more about, and especially in cybersecurity, it’s more about mindshare, the mind share of the organization. The successful cybersecurity professional is the one that managed to convince as many different people in the organization that this is important. They don’t even need to understand the single expert.
Chen Gour-Arie - 13:24 They just need to understand that eventually bringing security to a company is just changing the mindset of the people and making them aware of the problem eventually. Doesn’t matter how good of a pen tester you are. If the developers don’t think so, it doesn’t matter. You have to convince them eventually. You have to convince their managers.
Dinis Cruz - 13:49 To.
Chen Gour-Arie - 13:50 Give you the budget and to put efforts into securing. And when you think about this, like you said before, it opens up a lot of opportunities to loop in more people, loop in operation people, loop in product people, loop in marketing people. Marketing is super important for cybersecurity, intelligent marketing, promoting the notion that we need to be more careful with how we do things. You can just put a marketing person on that job, just feed to them professionally with the right messaging, the messaging that will be useful for developers and then they will be probably more impactful than the best pen tester on the long term.
Dinis Cruz - 14:35 No, I agree. And I think the interesting challenge now is how can we create jobs and help people in those transitions? Because the ones who are hiring have, in a way, a responsibility to create jobs that allow those individuals to make the jump. One of the things I try to do these days a lot is to do internal secondments. So try to find other individuals in the company that want to join a cybersecurity team, even just for a little bit, and then that allows that transition to be smoother, and that allows us to say, hey, we got this project here that would be great if you can help. So that makes a big difference. So Anthony has a good question here, which is what are the good instructional schools and education we can obtain?
Dinis Cruz - 15:20 My main thing on this is, I think in security you need to learn how to hack. I think it’s very important. I think there’s something when you exploit that, you understand a lot better what happens in here. And I think a lot of it is all about hands-on experience, it’s about having practical understanding and doing some of these things for real. And for example, open source communities are great because they need a lot of help and they’re always quite friendly. And I have to say, these days I would say start with ChatGPT, start with Bard. But I think ChatGPT is still probably the best one on this level, and the next generation of education bots are going to make a massive difference.
Dinis Cruz - 15:57 And I’m going to talk a little bit in the session, I’m going to work in a bit, but I think that is going to be a massive change because Anthony, for example, you will be able to create personalized training for you or for whoever you know, that needs this, right? And that is super powerful because you can say, here’s the objectives, here’s the topics, here’s the concepts, here’s the things we want to cover, and now here’s your experience, here’s what you know, this is the areas you’re good at, the areas you have good references. How do we now create a learning path, a set of explanations, a set of knowledge that is completely customized to the individual.
Dinis Cruz - 16:37 And I think that’s a game changer because it allows somebody who already has a lot of domain expertise to realize that those acquired skills are actually not that far off from the more advanced cybersecurity skills which might look very Chinese in the beginning, but actually they’re just variations of things that you probably already know. You just call them different things.
Chen Gour-Arie - 17:00 I think that one thing that is kind of shared between all cybersecurity professionals is that they promote thinking out of the box and trying to think outside of the box. And then when you think about the title of this session, how do we address the gap in cybersecurity? It could be immediately our first response to think out of the box, and the out of the box here would be to try and find different ways of reaping value from people that are interested in what people are interested in. And Anthony, if you’re interested, exactly like Dinis said, go about the thing that you know. What brings you into the IT industry? Obviously not all of cybersecurity is about the IT industry. There are big parts of any industry, because every industry has IT today.
Chen Gour-Arie - 17:52 But I would speak from the IT industry perspective because this is what I know best. Think about all the professions that exist there in the IT industry, and then if you’re focusing, if you’re already in this industry, you already have a profession in this industry. Maybe you’re a product manager, maybe you’re a developer, maybe you are in marketing, maybe you are in sales. If you’re already in this industry, try to find what would be the closest angle. Of course you can go about formal training, like the list that you shared in chat. What kind of training and certifications? Recommended ones. I personally, I admit I have none of these. I don’t have CISSP, I have none of these, and I’ve been delivering security in many different organizations for a very long time now. I don’t have any formal education.
Chen Gour-Arie - 18:58 This is definitely a route that you can take, to try and onboard one program. I’d say go start with Udemy, start with acquiring knowledge before trying to go for a certification. Maybe try and play around with bug bounty programs. They’re open. You can maybe try and bank over a specific issue, like cross-site scripting for example. Try to learn it, go to Udemy, go to YouTube, learn about cross-site scripting, and then go to bug bounty programs and try to find one. And try to find cross-site scripting by yourself. This will really create some appetite for more, because if you find one, you could actually get paid for it. And I’ve seen people start their career this way.
Chen Gour-Arie - 19:45 I’ve seen people, very successful today, start and accelerate their career this way by just learning about a few classes of vulnerabilities one by one and then trying to find them themselves. There are a lot of available resources to try yourself, like look for vulnerable web applications. In Google, there are a bunch of applications that can be used to try out, right? Yeah. Juice Shop, for example. Use Juice Shop and similar applications to try out and experience yourself what it is to exploit applications. And then from there take it to bug bounty programs and try in the real world. If your vector is technical, if you’re interested in trying out exploits, trying out finding vulnerabilities, this is definitely a way to go.
Dinis Cruz - 20:44 In the past, I was a lot more dismissive of certifications. I think it depends where you are, and I think it depends on the path that you have available to you. There’s definitely places in the world that certification is a big deal. I don’t think I’m on that world. I don’t think when we hire, that’s definitely not what we look for. We would never say, if you don’t have the certifications, you’re not applicable for the job, right? Actually, I would even argue that whoever does that, you don’t want to work for them because they’re already looking at the wrong thing. That said, there is value. If you like to study, if you’re good at exams, that’s a way to learn, go for it, right? But I don’t think you should view it as the primary, most important thing.
Dinis Cruz - 21:29 If you get those CompTIA, ISC², et cetera, it’s not how you get those. You get a job. Right. That’s not how it works. And I don’t think that’s the best way to learn. I think, again, some individuals care about it. I actually really like the idea of starting to create customized, again, versions of that based on what matters. Because the problem with a lot of those certifications is that only 10% of it is interesting, right. The other is just fluff, or the other is not relevant, or basically it’s, okay, well, persuade 10% could be relevant to some things, right? But where you want to go or what your skill set is, not that good. Now, you mentioned also boot camps. Now, these are interesting, and I’ve seen some really good ones. I’m sure there’s really bad ones.
Dinis Cruz - 22:14 But the boot camps have an interesting concept, at least the ones I’ve seen, which is they take cohorts of individuals who have a lot of experience, but for example, don’t have security experience, or don’t have technology experience, or don’t have development experience. And like, for example, I would absolutely hire somebody who did a developer boot camp, right? I think that’s a great thing because I think development is a really hard skill and somebody who’s gone through it and understood and knows version control and knows a lot of those things, that’s actually quite a really great skill. That is highly applicable. Yes, there’s probably a money grab there situation that you’re talking about. I think you need to be careful. Again, there’s probably a lot of lemons in the market these days.
Dinis Cruz - 22:59 I would look at what’s the output, what did the people that took the course, the boot camp, do. But some of them are quite good because it’s a three months intensive thing, or six months or whatever it is, and it’s almost driven by the market. So a lot of those actually give very highly employable skills, and it’s all about the attitude, it’s all about how you approach it. So I think you should be careful, and again, you could spend a lot of money, right, and not advance a lot, right? I think there’s lots of ways you can start straight away to learn that don’t require spending a lot of money on courses.
Chen Gour-Arie - 23:39 Yeah, I think that if you think about the subject of this talk, I think maybe I recognize now that the content for an individual who is trying to enter the cybersecurity market and trying to come to work there is different than if you talk to a company who’s trying to bridge their gap in recruiting people; it is completely different. And I think that we have captured here something in it together, and I think that for the latter, for the companies that are trying to find out how they can onboard more professionals: open up, think out of the box, and try to find ways to enable people to contribute to cybersecurity from different angles. Because actually there are many angles that have been neglected. Marketing, I think, is one of them. Internal marketing, promoting the message.
Chen Gour-Arie - 24:32 If you look at even security frameworks, a very big part of the framework would be about publishing the data and the knowledge inside of an organization. And this doesn’t have anything to do with knowing, with actually understanding cybersecurity; it’s just understanding messaging and how to talk about it. If you are an individual, I think that a good thing to do would be to look at yourself and how you’re usually interested in learning things and acquiring new skills and new knowledge, and apply the same thing to this process. There is no right or wrong way to do this; there are just opportunities all over the place. Many of them are free. I don’t think you should start with something that you pay for, and then just embark on a journey. But please understand it will be a journey.
Chen Gour-Arie - 25:28 It will take years until you’d get to a level of people that have been doing this for a long time. But you could acquire a lot of knowledge quite quickly if you use what’s out there.
Dinis Cruz - 25:41 But here’s the thing, right, and I’ve been trying to do this for a little while. The fundamental requirement is you need to start to have an interest, passion, because some people show passion in different ways, but you need to be, maybe fascinated is a better word. You need to fall in love with cybersecurity, right? Because I think the nice thing of our industry is most of the professionals, they absolutely love it. There’s a passion about it, there’s a genuine sparkle in the eyes that you see in our profession, which is great, by the way. I think it’s one of the great things of our industry. And I also feel that there is an interesting situation because cybersecurity is quite a glamorous, in one way, career path. A lot of people talk about it. There’s good media promotion and then there’s good salaries.
Dinis Cruz - 26:30 I do see people trying to cross that for the wrong reasons. And although I do believe that if you do the right path, you will earn more, your career is probably better path to have a higher income. And not that should be the goal, but again, there’s a path there. Doing that for those reasons is wrong. I do feel that it’s a great career, probably not for everybody, but it’s a really cool thing. And that’s the feel that it’s almost like individuals, I want to get into cybersecurity. They need to find the sweet spot, they need to find the area. And cybersecurity is massive. It’s fucking huge in terms of areas that they can really relate to. And more important, they can go, oh, I could do that better. Marketing is a good example.
Dinis Cruz - 27:13 A marketing executive can look at how we communicate and go, you guys have no freaking idea, right? This is a shit show, right? I can do better. I might not understand cybersecurity, but I know how to communicate, right? Incident response: somebody might go, this is a shit show, the way you handle incidents. If we did that in a hospital, half our patients would die, right? So I think there’s also areas like engineering. Give me an area. I can find an example in cybersecurity where you can probably add value. And the good news is that we’re not a mature industry. The good news is because the market keeps evolving, because the threats keep evolving, because technology keeps evolving, and now we got the whole GPT and AI world, which is another massive area.
Dinis Cruz - 27:55 The good news is you can still hack your way into the industry, like you could still do what we did. I would argue that we hacked our way into the industry. We didn’t have a lot of formal stuff. We just stumbled across it, became good, gained reputation, got hired, and it went from there. So it’s still a good moment to join the industry, and I think we need a lot of new blood and new ideas and new experiences. And it could be a work-from-home mom, right? It could be somebody who’s joined a bunch of other stuff who wants to join. Or it could be somebody who wants to go to the next level of their career. I think there’s a lot of really cool opportunities.
Chen Gour-Arie - 28:28 Agreed. I think that it’s actually a very good timing because the evolution of this is due. It’s really required now. I think the same as information technology is now maturing to a level where people have been shouting, agile, do this, do that. But now it’s already been through, I’d say, a second phase of evolution where people realize that even agile is not just a magic solution and you need to have more. And the different professions inside the information technologies industry are evolving to become something much more professional. Like, if you compare agriculture or other industries that have been there for a very long time, you see the level of knowledge and professionality that humankind has around these is much more mature than what we have in information technology.
Dinis Cruz - 29:29 Put us to shame every day.
Chen Gour-Arie - 29:31 Yeah, it’s amazing to see and it’s amazing to realize this. And then if you think about cybersecurity, it’s even behind; it’s playing catch-up. And this is a really good timing because, as we can all see, it’s really, truly necessary that people will get.
Dinis Cruz - 29:47 The stuff figured out and the execs pay attention. Right. Like, cybersecurity is a top-level risk for a company. It’s not a low risk. And to be honest, if we get this wrong, our customers suffer. Right. Our financing company suffers. Right. Or whatever you’re trying to protect. So it’s a real thing. Right. I like the fact that I make my customers safe. We make a difference by keeping their data, their assets, their experience, the trust. We protect it. So I think it’s a really cool career, right. And it’s always learning. There’s always new stuff, there’s always new things to learn. And the thing that Anthony, you just said, I think is interesting, is to say the path is hard to figure out, where you can land. I would challenge that a little bit.
Dinis Cruz - 30:35 I think you need to find a path that you are already going on and then do a tweak on it, on security.
Chen Gour-Arie - 30:43 Right.
Dinis Cruz - 30:44 Like, whatever career you’re in, you’re already in a career path, even if you’re learning it, if you’re a student, doesn’t matter. There’s already things that you love to do, or you think you have a certain skill set. That’s where you want to align yourself. Right. You want to align yourself with that. So I think sometimes it’s easy to overbake this, easy to say, well, I should go there. No, a lot of this is just try to do it, try to protect yourself, try to protect your family, try to look wherever you are. It doesn’t matter if you’re a student or a professional working for a company. There will be a cybersecurity team that you can touch, that you can go in there and say, hey, I want to be a security champion. I want to help out, I want to be involved.
Dinis Cruz - 31:23 What can I do? Right? And open source projects. Like, just volunteer, right? Hack your way into the project.
Chen Gour-Arie - 31:30 Yeah, exactly.
Dinis Cruz - 31:31 That’s the best way to do it.
Chen Gour-Arie - 31:33 Yeah. One of the key tenets here is think out of the box. Hack your way. Hack your way into it. I think this would be the best, if we’re talking about people trying to get in. Hack your way in. No rules. The only rule about it: there are no rules.
Dinis Cruz - 31:48 Yeah. That’s how most of us do it, right? Always be on the good side of the force, by the way. Always be at the coach. Never do anything for personal gain at that level. But apart from that, right? It’s like, be out there and find that path. And the gen AI stuff is massive because for the first time, you can create a prompt that says, I do this to my friends. I write prompts where I say, I’m this person. I have this experience. I have this and this. What should I do? Actually, let me literally read you this, right? A friend of mine is a PE teacher. I literally wrote this. Let me just find it. Which I think was a really good way to, what’s it called? Yeah. There you go. Look. See, I literally wrote this, right? I’m X name.
Dinis Cruz - 32:47 I’m a teacher. I’m just reading, really, the prompt I created when I was with him, right in the car. I’m a teacher in London, I have ten years of experience. I’m good with managing people. He wrote this. He wrote the first part of it. He says, I’m a teacher in London, I have ten years of experience. I’m good with managing people, and I’m good at listening, problem solving and resolving conflict. I love football. I’m a really good team player, I have strong ethics and values. I believe in happy and productive teams. I’ve had enough of my job. I’m frustrated with my current career.
Chen Gour-Arie - 33:16 Send over the CV, please.
Dinis Cruz - 33:18 And I’m frustrated with my current job. I am looking for a career change. And what are good options for me, right? I literally typed it. And then again, what are good jobs for me in cybersecurity, right? And then ChatGPT answered, hey, with your background in teaching, managing complex people and conflict resolution, coupled with strong ethics and a team-play attitude, you are positioned to transition to cybersecurity. Here are the steps for you. Education and certification. Leverage your skills. Cybersecurity awareness and training, incident response team. Do some networking, get some soft skills, blah, blah. Start small, stay updated, tailor your CV, and that’s it. So, literally, at this level. And then ChatGPT is cool because you can go, okay, can you zoom in on this? Can you give me a five-step action plan? Can you give me a three-week schedule?
Dinis Cruz - 34:04 Just learn how to use it. In fact, Chat GPT at the moment, llams is a great way to enter the industry. Because I’m telling you, half our industry doesn’t have a freaking clue. That’s what I’m going to speak next, right? Literally, they don’t have a clue and they totally deers in headlights. So if you even become half proficient in Chat GBT, you can use Chat GPT to get you the job. And you should be hired just because of those skills. The same way that people ten years ago were hired because they knew the internet, like, hey, they want to hire a designer. We have ten designers. They’re all pretty good. You know the internet, there you go, we hire you. That was it, right? And so those are the opportunities.
Chen Gour-Arie - 34:44 I think that Dinis and I are roughly the same age, from that. I know that we got our way into this industry, like you said before, by hacking our way through. So I think this would be our most Jupiter recommendation. Hack your way through what was just suggested here. Use ChatGPT to help you find your personal entry point. I think it’s fascinating. It’s really cool.
Dinis Cruz - 35:13 And look, by the way, hack just from a historical point of view is actually a good thing, right? Like hacking, you know, was taken by the media. But hack is finding a problem. Hacking is MacGyver, right? For the ones it’s basically when you have a problem and you find a solution and you put it together and you find a way to get it done. That was actually what’s called a hack in the early days. And that’s what we would do in websites. Somebody would put a website, put an application for a network, and we will find ways to do things that were not supposed to be used like that. But we’re like, hey, guess what, it’s possible. And here’s the problem, here’s the implication. You just immediate that make it bad.
Dinis Cruz - 35:50 So when we say hack your way into it is finding that it’s problem solving, is figuring out how to go to the next step.
Chen Gour-Arie - 35:58 I think that it is worth mentioning that in order to be really proficient, and especially if you want to choose the engineering journey, the technical journey, you need to learn a lot and you need to learn a lot about information technologies, about computers, about how software works. I’d say it’s not so easy, but you have to start somewhere. So I’d recommend, if you’re inclined to do the engineering path, the technical path I’d recommend, learn about communication, computer communication. Learn a little bit of coding with publicly available resources. Try to create your own first web application using React. Maybe go and try to follow step by step creating a React app today, it’s quite easy. Setting up dependencies is quite easy. You’d start with something like a vite application. Vite. Try to go over the first step instructions on how to do this.
Chen Gour-Arie - 37:08 Get yourself familiar with how technology works, how computer communication works. You won’t figure out everything in the first week or even months, but the more you learn about it, the more it will create an appetite for learning more. And then if you go with things like Juice Shop or other training applications, we combine these two, the growing knowledge around information technologies and software development, with the appetite to try and break them and try to find loopholes and hack them. I think this would set you up on a path, if the technical path is what you are looking for. But like you said, there are many other ways to get there.
Dinis Cruz - 37:50 But the key I think you touched on is you need to learn, right? And let’s be clear, right? If you’re trying to get into an industry, you have a handicap. Let’s just be very transparent. You are competing with individuals in the industry that have more experience. I would argue that if you come with a whole bag of other experiences, you have a competitive advantage against those individuals because you have a wider pool of talent and pool of experiences, again, to bring, not cybersecurity, but others. But you need to learn, right? There is no shortcut here. In a way, the learning, if you don’t like to learn, then that’s a problem. But if you love to learn or if you enjoy learning, then it’s a good thing, right? I think that makes a big difference.
Dinis Cruz - 38:28 And also in terms of where to start, look, the Open Security Summit, in a way, if you think about it, with the speakers that you have here, with the community, with the people involved, there’s enough employers, right, to hire a lot of people. But what I sometimes find fascinating is, why isn’t a new generation a lot more involved? Like the Open Security Summit needs a lot more volunteers, needs a lot of people to help. There’s a lot of stuff to do. There’s a lot of things that don’t happen because there’s not enough time, because it’s all volunteer driven, right? Including my time. Right? So open source is a great way to be involved. Communities like this, communities like OWASP, right? They’re amazing communities. And guess what? You can be hired through it.
Dinis Cruz - 39:08 If you get involved and you help somebody, they’re going to go, oh, I have an opportunity for you. And then it’s a personal recommendation. And that makes the whole difference because it’s suddenly like there’s somebody who’s more emotionally connected to helping you, and they might give you good guidance, good mentoring, and a lot of those individuals are there. But you guys need to do the first jump, which is be involved, help, figure out where you can add value and try it out. The worst thing that can happen is you get ignored. That’s all right? At least you learn something. So that’s the thing, right? And we failed a lot. We always try these things. And as long as you try and you learn and you rinse and repeat, eventually you find your sweet spot and also work with people that have the same values, right?
Dinis Cruz - 39:53 There’s lots of good people in cybersecurity. There’s lots of bad people in cybersecurity. There’s lots of people doing cybersecurity for the wrong reasons. There’s a lot of people in areas of cybersecurity that have questionable ethics. You don’t need to go to those. Right. There’s others who are doing great stuff, work for great companies, or doing some great things. Right. So it’s quite big. Right. So align with your ethics, with what you want to do, how you want to learn, and then take it from there.
Chen Gour-Arie - 40:16 Absolutely. Everywhere.
Dinis Cruz - 40:19 Cool. All right, man. I think we’re just wrapping up. Any final words from you?
Chen Gour-Arie - 40:26 No, I think we’ve said it all. Especially, I think I agreed a lot with what Dinis said. Get connected with your own, with what you’re good at. Try to use this as your penetration vector to get in. You have to learn. You’ll have to learn some things. I personally recommend trying to take in a lot of information about information technology. Or you could also think of it as a completely different thing. If you’re not taking the technical and engineering journey, there are many options. I wouldn’t jump straight to paid education. Education is available for free. For your first steps, you should definitely be able to do it for free. And then when you see that’s the right way for you, maybe you can also think of some paid education. But don’t start with this.
Dinis Cruz - 41:23 Dalio, you’re joining in. Come on. What’s your views on this?
Chen Gour-Arie - 41:29 We can’t hear you.
Dinis Cruz - 41:30 We can’t hear you.
Chen Gour-Arie - 41:42 Now. We can hear you now.
Dinis Cruz - 41:43 We can.
Speaker 3 - 41:47 Yeah. I just want to thank you for the session. It’s always nice to learn with you guys. I’m Deldio. I’m working now in IT development. I’m working as a quality assurance analyst. And I relate a lot to what Dinis said in the beginning. My background is in biochemistry. I was a teacher for roughly three years, and after a few years, I started working in IT, first as a business analyst and later on as a tester. And, yeah, I continue the journey and try and hack my way into the field, but no rush. I want to be sure of what I’m doing. So I continue to be interested in the cybersecurity field or industry, as it’s becoming an industry.
Dinis Cruz - 42:33 Right.
Speaker 3 - 42:34 Or as you prefer to call it. The other day I attended Lisbon chapter session, so I think I’m still trying to find out if I’m in love, if I’m really in love with cybersecurity, and finding out if I’m up to the journey, basically. And today I was in the office and I managed to fit this session in my schedule. So I’ll continue my journey and probably I’ll try to hack my way into the field.
Dinis Cruz - 42:58 Brilliant. I think I’m presenting in the London Lisbon chapter next month. I think I’m just waiting for final confirmation. So I might see you there. Could be, yeah. You are a great example of a lot of, I would say, the talent that we need in our industry. One of the big elephants that has always been, I guess I come from a developer background, so I guess it was a bit rich of me to say this, but I always felt that if you understand development, you can’t really do AppSec, right? Like, literally. And a lot of the problems we have in our industry is caused by even us as an industry, or parts of our industry, dictating AppSec stuff to engineers who know 100 times more on that on the other side. And it’s kind of like, dude, what the hell? Right?
Dinis Cruz - 43:46 You should understand how we operate, then give me guidance. And in a weird way, it’s not the cybersecurity professional’s fault, too, because it’s very skewed, right? Like, I’m telling you, we’re asking for cybersecurity professionals to understand about frameworks and this and development and that workflow and this thing and that. The list is massive, which is why I also think that the Gen AI and the agents that are coming next will make a massive difference, because it allows us to communicate in a much better language so we can start to talk about the intent that we want to do in security. But in your world, you understand how to deliver code. You understand how to deliver effective solutions, right? Like, come on, man. Some of the cybersecurity teams, we’re the worst ones, right?
Dinis Cruz - 44:25 Like, if you look at some of our development practices, if you look at how even cybersecurity products, man, fucking out, like, some of the products, literally, you think they should know better, right? But again, it’s the same problem. They have a problem. They’re shipping to market. They go out there, and by the time they’re successful, it’s lots of legacy stuff, and then they become just like the other vendors that we sometimes have problems with from a security point of view, but they just happen to do a security product. But I think that transition from QA to security, especially in development, should not be that hard, because you have a level of maturity that is missing in lots of areas in the cybersecurity world.
Dinis Cruz - 45:07 And I would argue that even if you just do cybersecurity for a couple of years, when you go back to, maybe QA is your passion or development is your passion and you want to do maybe that path, you’ll be better. I was a CTO for a while, and I can totally say that my definition of what’s possible was very different from the other engineers. In fact, I would have to argue with other engineers about what was possible, and I was like, Dude, this is your world. Why don’t you get it? Like, okay, it’s not how it’s supposed to be done, but it works, right? So I found that even sometimes the development teams and QA teams and engineering teams get siloed, right? And in security, you learn to question everything. You learn the power of, well, I know it was not supposed to be possible.
Dinis Cruz - 45:52 I know it was not supposed to work, but I just made it work. Right. And then you understand how. So I think the curiosity is really cool in security, because we can go deep. Right.
Chen Gour-Arie - 46:04 That’s my experience as well. If you start from security, you open up a lot of possibilities in software development because you adopt this kind of no-borders kind of thinking. You will always challenge the information around you to see, to find loopholes, and it opens up a good position for continuing your career in engineering everywhere.
Dinis Cruz - 46:29 Exactly. Cool. All right, guys, thanks for participating. We’ll share the video, and I really want to figure out how to use Gen AI to really augment some of these topics, because I think we have a lot of great content already on a particular summit, but it kind of gets lost. So I think that way we move the needle a little bit further. So, again, thanks, Chen, for being part of it and helping with this session.
Chen Gour-Arie - 46:52 My pleasure. Thank you very much.