How to Start a Cybersecurity Career with Dr. Heather Monthie - Podcast Ep. #39

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber criminals and now here's your hosts mike rotondo zach fuller and

lauro chavez hello and welcome to the cyber ants podcast this is your co-host zach fuller joined

by mike rotondo and lauro chavez and today we also have a special guest dr heather monty heather hey

thank you for joining us today look forward to this conversation and chat in a bit about your

background and experience so looking forward to what we have to come here shortly and mike

hey hey it's our pleasure mike do you want to kick us off with the news before we

dive into it here hey zach welcome heather um real quick we have a ton of news this week but

i'm gonna hit four things real quick so check out the podcast site uh for some additional

stuff real quick microsoft exchange server scan for proxy shell vulnerability patch now

what's happening is basically there are three vulnerabilities that were patched previously

they did an exploit at black hat showed if you strung these three together

it actually created a new vulnerability so patch up your exchange servers asap check out microsoft

for that more more information ncsc has come out with a three random words strategy for passwords

uh they're saying enforcing complex passwords complex requirements for passwords is a poor

defense against guessing attacks this is because minds struggle to remember random

character strings and being human we use predictable patterns according to verizon

compromise passwords are responsible for 81 of hacking related data breaches so faced with

making another specific password requirement ncse recommends you string three random words together

throwing some characters and it's a better way of doing it so might want to give that

a try got 3k that's the market rate for stolen corporate credentials there's two articles on

this today i'm going to string them together the other one is hackers nanny average of nearly ten

thousand dollars for stolen network access stolen credentials are always in high demand from cyber

criminals to use for identity theft or slipping unseen in networks stolen corporate credentials

typically selling the dark web for 3k however stolen user account for high ranking employee

with large corporation has been reserves observed selling for and this is not a made up number 120 k

online a cyber security team has identified nearly 26 million stolen credentials affiliated with

the top 1 000 companies in america being shopped around online i verified none of them are silent

the hackers netting average of nearly ten thousand stolen network access this is a

dovetail on this it talks about it how they're available on russian and english language forums

so be really careful with your accounts change your passwords regularly and make sure you

implement 2mfa or something else real quickly just i'm going to hit two or three top headlines but

please check these out smb is increasingly vulnerable to ransomware despite the perception

they are too small to target there's a new ad load malware variant that's slipping through apple's x

protect defenses uh this is even after the most recent patch so be careful and lastly home and

small business routers are under attack and then there's a list out there of what's available

and what's being what's at risk and there's a bunch more microsoft uh prim nightmare ones but

other than that i'm going to stop there lauro any exploits yeah i got a few this week and you know

to your point about those uh home routers you know check if you haven't been familiar with showdown

check that site out they index all kinds of stuff that's connected to the internet of things

so you'll be surprised what you find there this weekend exploits we got a couple things i think

are interesting first there are two exploits for the police crime record management system 1.0 so

if you're a law enforcement organization out there and your administrative branch or administrative

operations are using this this pcr rm for crime management make sure you're checking that out

there's uh case details sql injection and there's multiple stored cross-site scripting all over the

all over the application now the most concerning though is the sql injections you can get case

details without being authenticated so check that out and of course back in the exploit news

today is the 80s bachelor dirty man wordpress two more plugins this week picture gallery 1.4.2

there's a stored cross-site scripting for that so make sure you patch that plug-in or remove it and

then if you're using lifter learning management system one of the new plug-in lms's that wordpress

is offering you can access other student grades and answers beating via directory um directory

structure so uh check those two plugins out that was picture gallery and lifter lms where was that

stuff that's it yeah seriously that's what i was thinking that's like i was like hey that's not

that's not such a bad who's using lifter lms let's check all those grades and answers from

the tests and we'll just cheat could have gone from c's get degrees to b minuses or b pluses

at least yeah easy easy well thank you birds for that a lot of interesting stuff happening

wordpress not so interesting that's pretty much daily occurrence but uh i left the microsoft ones

out for the most part on that list i'm gonna stop talking about wordpress to be honest it's just bad

every week maybe we just put a note on the podcast description like watch out for wordpress want even

more cyber ants be sure to subscribe to the cyber rants podcast get your copy of our best-selling

book cyber rants on amazon today this podcast is brought to you by silent sector the firm dedicated

to building world-class cyber security programs for mid-market and emerging companies across the

u.s silent sector also provides industry-leading penetration tests and cyber risk assessments

visit silentsector.com and contact us today well on the bigger and better things here we have a

special guest with us dr heather monty and heather you have a tremendous background i'm going to

attempt to touch on some key points and would love to hear hear more but heather is is really

passionate about cyber security and technology education and also aviation and she's been able

to kind of blend these passions um throughout her career which is which is a really cool

thing to be able to do to be able to make you know make your passion your career so she's uh

been a professor of i.t and information security as well as associate dean of technology at grand

canyon university she's even developed programs for not only universities but also k through 12

education around stem and cyber security and i.t so a lot of experience in the education world

and also tremendous education yourself a bachelor's in computer science master's in

teaching with computer science emphasis phd and information technology um commercial pilot license

with instrument rating faa certified flight instructor um heather forgive me i probably

have missed a bunch of things but i know now your principal cyber security architect for fortune 500

um working in the aerospace which got us must be seeing some interesting things there

board of directors for the arizona cyber initiative which is a non-profit for high school

cyber security education um a founder you founded educators drone which apparently is just exploding

but a global community of teachers and parents and pilots basically using using drones to

encourage and support stem education initiative and and that's sounds like a lot more interesting

you know stuff than a lot of the things that i did in in school so that's the students these days

have some pretty cool opportunities we also have cybercoffeetalk.com um check out podcasts there

and she's got a lot of great information about cyber security awareness and education

um as well as cyber security for business and i i t and cyber security careers as well

and then also as um heathermonty.com and we'll put those links on our podcast page as well but

heather thank you again for joining us what did i what did i miss what else can you tell us about

your career and and how you got started how that legend where you where you went today yeah i just

you know i just don't like to be bored i don't like to sit around and you know just do nothing

don't mind you know i do take time and you know sit down and watch tv here and there but

you know i just i i just don't like being bored i think that you know a young age i was exposed

to um aviation uh i took a field trip to the airport um in kindergarten and just got exposed

to aviation there and it's really sort of been a a lifelong passion of mine and um you know over

over the years i was trying to i was trying to figure out how to make it my career

and i was fully on the uh airline pilot track and i was taking all my uh flying lessons getting all

my flight ratings but i was also working on a backup degree in computer science um because uh

you know if if something happens health-wise you know you can no longer be an airline pilot so i

was working on sort of this back-up degree right and then uh 9 11 happened and the airline industry

just completely completely tanked for obvious reasons and there just were no jobs and so i kind

of had to okay take a take a step back and say all right you know i've got this flight instructor

license i've got this degree in computer science which way am i going to go and i i kind of went

you know obviously i went the computer science route and i've kept aviation a hobby of mine my

whole life and it's really cool because now here we are 20 20 years later and i've been able to

you know bring bring the two passions you know back together um i think that you know as as

technology has advanced so has um air travel space travel um and and the use of drones and businesses

that technology is is quickly advancing and as those uh aircraft i call them flying data centers

now or flying computers they're they're connected um there's there's threats when you have you know

connected devices and um it's it's a it's an exciting time it's a scary time but it's also

a very exciting time for you know people that are that are interested in this kind of stuff

that's uh it's a good path and i think the two you know the the disciplines go very very well

hand in hand i mean obviously cyber security's critical in the you know in the aircraft

industry uh the aerospace industry in general um pretty amazing stuff with starting off with your

you know your realm in the in the world or your your experience in the realm of education

um what uh you know i'd love to hear because we have a lot of listeners that are

looking to get into the cyber security field or technology fields or really have a passion

and interest in this but may not you know may not be doing it for a living yet um you know what is

the state of cyber security and i.t education in schools i mean i know it's come a long way

you know when i was a kid we just had very basic computer classes on apple two e's and stuff and

that's kind of where it stopped but there's a lot out there today what what is going on in

that world and where do you see it headed yeah i think that their cyber security education has

come a long way in the last even just 10 years you know i mean i don't even know when the first cyber

security degree was offered but you know 15 20 years ago like you know people that are a little

bit older don't necessarily have degrees in um in cyber security i think that for people that are

interested in starting a career in cyber security and and maybe you're a little bit older you

don't necessarily have to have a degree in cyber security so say you've got a degree in business or

you know history or you know english something like that those are all valuable skills that

that you can bring to the cyber security discipline you don't necessarily need to

go back to school to get a full bachelor's degree there's a lot of you know certification trainings

that are available out there there's you know shorter programs boot camps micro credentials

even getting you can even consider getting a master's degree that you don't necessarily need to

have a bachelor's degree in cyber security there um but just know that that just because you don't

necessarily have sort of what you might think is the traditional training or the traditional

tech background i guess that that should not stop you from pursuing a career in cyber security um

there's there's a lot of writing that goes in with cyber security so people that have

degrees in english and people that maybe you know political science stuff like that where they're

they're very good writers they're very good communicators um there's a lot of opportunities

a lot of opportunities there so um what i you know my my little nugget of advice would be is don't

think that you need to go back to school to get a four-year degree in cybersecurity especially if

you already have a bachelor's degree there's there's a place for you in cyber security

in fact one of us on this call has a bachelor's in history so i'm glad you brought that up

good good yes yeah you know there's there's a lot to be said for people that have you know liberal

arts degrees you bring it you bring a different uh perspective um you know sometimes you get

people like myself i'm very technical you know math is my favorite you know classes in school

very analytical person is very black and white um sometimes people with you know with the liberal

arts background they can they can they can they bring a different perspective they can

look at things a little bit differently they can see gray areas a little bit better it's a

it's something that you should definitely market about yourself and uh that you bring

that to the table for potential employers honestly i just wanted out of college no

well it worked out didn't it mike of course well that's i mean i know mike you talk a lot

too about um the importance of writing right and it's like it's a critical skill set that so many

people miss they're they're so focused on being in the technology itself uh they forget about that

somebody has to communicate this stuff to the outside world yeah that's the one thing where

i just end up telling what you're saying about liberal arts because you do have the ability

to communicate and cross that bridge and writing documentation as boring and drudgery as it can be

i don't know if that's a word but anyway having that background and doing all the writing i did

for my for my liberal arts degree it did help yeah it's amazing the opportunities you know to

to get started i mean lauro started it you know you started your career in the army

um well even before that but um i guess job-wise started in the army and then um you know for for

me to get in this field was through certifications sounds like there's there's no right answer

uh across the board it's just what what are your interests and and where your skill sets gonna take

you where do you wanna involve right and you don't and and you don't necessarily always have to start

with the security plus certification like yeah i see that a lot you know i'm in a lot of online

forums trying to help answer questions and that and usually it's always i want to get started in

cyber security where should i get started and the answer always seems to be get the security plus

certification that's a fantastic certification but there's so many different career paths

um i sort of liken it to the medical profession now where you don't say you know i'm going to go

into the medical field well what specifically in the medical field are you going to be a

phlebotomist are you going to you know be an rn are you going to be a neurosurgeon

are you going to work in insurance um there's there's there's so many different options and

and a one one step career path is not necessarily it it's you've really got to

identify what it is that you want to do and then and to develop a career path and a plan from there

yeah i'm glad you brought that up i mean i i wouldn't even my advice to people i haven't

been through some various certs i wouldn't even bother with the security plus certification unless

you've done the network plus certification um you know a lot of people do jump in that and they

struggle because they don't understand how the infrastructure works um but um yeah a lot so many

so many things out there what about so there's there's all this opportunity and i mean it's

and you don't have to pay a bunch of money you don't have to go into a bunch of um get a bunch

of student loans or go into debt or anything which is which is outstanding because there's

so much free stuff online as well to be able to study for these certifications and all that but

but with despite the fact that you know all these things are available do you think there's enough

people going in to cyber security or rit education in general you know regardless of its whether it's

through university system or certifications i mean it seems like demands keep increasing but

i'm curious to see what your what you've seen on the kind of the top of funnel so to speak people

going into the business right yeah i don't think that there's enough people going in if you look at

there's a website called cyberseek.org and it's a it's a collaboration between comptia and they use

bls data to show where there's jobs there's open jobs in cyber security in the united states and

they're showing right around 300 350 000 open jobs just in the us alone there's over 3 million open

in throughout the world there's there's not enough people going into this as a profession i think

for a couple different reasons i think for some people it's scary they don't understand it they

they you know hollywood makes this into like this you got your hoodie on you're sitting in a dark

room although i am sitting in a dark room right now but um you know they make it like this this

this elusive thing right right and it's it's to some people that's really cool to put to

a lot of people that's just they don't understand it they don't get it um and so i think that that's

one thing i think if if hollywood would have you know sort of a csi show but you know uh

cyber security edition um you know that that would help help drive interest in the field the other

thing is that you know i if you look at the open jobs that are out there they're all in you know

mid to senior management positions so you know as we're getting people coming into the profession

you know you're starting out as an entry-level employee in cyber security generally um but the

openings are in you know the mid to senior level uh management and that's why i'm saying that

these these professional skills are sometimes called your soft skills are

so very important being able to communicate and being able to to write well and communicate well

because in those types of positions you're going to be working with senior leadership

and you're going to be um you know trying to get buy-in on things and influence and

and help make decisions and that kind of thing and so you need to be able to do that so in order to

you know increase that you know availability of people that want to get into middle and senior

management positions we need to have those people coming in on the on the on the on the front end

on the entry-level side but then there also needs to be people that are willing to mentor

and um train people on becoming you know a manager like just because you're good at

something just because you're good at something technology wise doesn't necessarily make you a

good manager a good leader so there needs to be that you know that mentorship or that those

training programs out there as well um and so i think that you know if we can just do a better

job i guess showing people what careers in cyber security really look like and that what what are

those career paths and then the different routes that you can take and that you're not necessarily

just going to be sitting in a dark basement somewhere you know with your hoodie on and

you know writing code all day that i think that that that that would change things i just you know

there's there's definitely not enough people going into this profession we're we're we're at war

right now and uh we need all the help we can get i always wanted to be hugh jackman and swordfish

yeah that that was pretty headed hydra that you stashed on the yeah with my six monitors yeah

yep you gotta okay so question i have a question for you guys then so how many monitors do you have

in your setup i have three okay i have three i have i'm boring i have i have one plus the

laptop next to it one another one real one one small one i have well i'm in the airstream so i

have five three they descend from the ceiling and they're the gaming style 13-inch high resolution

so they're a little smaller and then i have the two laptops that's right if you weren't

in the airstream how many would you have so at the house of the stand-up desk i had 227s and i

thought that with a laptop with it with a 16-inch mac and i i thought that was fantastic there you

go so the stereotype is there for a reason right but you know uh it's not it's not it's not every

it's not everybody in cyber security yeah it just depends on how much multitasking space you need

really and so i think that's really what it is is i like to have one screen that's just my email so

the other screen's really like the workspace you know and so i don't yes i really don't need six

but you wouldn't mind having six i would know what to do with six i mean i just have to put i'd have

to put command terminals up there running like like p minus l or something you know just to keep

it or ping minus t rather just to keep it going so i have something on the screen now now i could i

find it very useful when i'm doing sat2 audits because i can have multiple large spreadsheets

up at the same time so you have the ability to read multiple documents at the same time right

so if you have one up on each screen you can just read them both you got two eyes for a reason man

yeah that's that they do that their skill set they don't teach enough in schools you know

well you know there's a lot of interesting uh stuff out there now i think i think one other

problem is there's almost if you start to look about at information advice and how to get into

cyber security and cyber security courses it's almost i don't want to say there's too

much i think there's i think there's a an excellent amount and there there should

always be more available but i think it might be information overload for people looking to get in

to this business right off the bat there's sometimes too many choices is not a good thing

so what what would you give what would you tell somebody going in to it a student or somebody

looking to change careers how can they define what's right for them and what what the right

approach is for them yeah there's a uh nist has created the cybersecurity workforce framework

that really helps to define some of the work roles within cyber security uh it's it it

doesn't i don't think it covers every career available in cyber security but it covers a

a big portion of them and so for example say you're uh say you're a software developer

you you know you know how to write code and you've designed your applications and that kind

of thing and you want to make the switch to cyber security there's there's a huge need for people

that understand the secure software development life cycle so what you can do is you can go

to uh if you just type in the google the nist cybersecurity workforce framework it comes

right up and there's a tool that that you put in that sort of the work role and it will give you

the um the competencies that you need to be able to do that that work role

um so then from there then you can go and figure out what what kind of training you might you might

need i do agree that there's there's there's a lot of there's a lot of really good information out

there and there's a lot of really bad information out there too um and so it it can be daunting for

people especially if you don't know like if i were trying to go into you know something that i knew

absolutely nothing about and i didn't know what kind of what kinds of questions to ask

that would be you know very intimidating so i think that that's where you know schools come

into place where it's a place that you can go to or training companies you know obviously

they're gonna want you to purchase their product and enroll in their programs right

but they'll have people there that you know can help you figure out what is okay what is it that

you're really interested in about cyber security and then let's let's let's figure out a pathway

for you that's excellent i i did not know um about that i haven't haven't researched that that kind

of thing lately so i appreciate you sharing that um and i think for a lot of listeners it'll be

some really valuable um information to look into so and before we wrap up tell us a little bit

about your your interest and kind of what you're doing with drones um that's just an interesting

and interesting topic and i'd be curious to see kind of what the what the crossover is when it

comes to um cyber security technology and and drones and and uh how you see that industry

evolving yeah i think that in 2017 i think it was i was kind of just paying attention to

where drone technology was going and i was looking at prices of things and i'm looking at them saying

it's not going to be long before these some of these drones are going to be under a hundred

dollars um which means a couple things that that more and more people buy them um and also it makes

them makes them much more affordable to bring into a classroom and you know i'm thinking like

k-12 like trying to get kids you know interested in you know stem and i with my aviation background

my technology background i'm looking at this going you can teach just about anything related to stem

so science technology engineering and math you can teach just about anything using a drone you can

teach weather you can teach aerodynamics you can teach engineering design you can you know there's

there's so much stuff that you can teach with them and then as i was watching i thought well

what wouldn't it be cool if somebody developed a drone that was under 100 but also came with

a software development kit so that you could you you could write code that you could execute on the

drone and so um there's a couple out there that are available now they starting in like 2018 2019

you know the technology became more affordable so they're available now and so what you can do is

you can work with block programming languages so scratch is one that mit has developed but then

there's you know some other block programming languages so anybody that's written code before

knows that you can be missing a semicolon and it can drive you nuts for an entire weekend

and so the idea with block coding is that it takes away that initial frustration of learning syntax

and you're just you're clicking and dragging and you're putting together a computer program

and then when you execute that program the drone goes and does whatever it is

that you told it to do so it's sort of your introduction to autonomous flight so you've

created this program where you tell the drone to um to climb to 10 feet and then you tell it to

roll to the left or roll to the right 90 degrees or you know descend another five feet and move

forward 50 feet you know things like that and what happens then is kids can see when they're when

they're writing a program and then they execute it on a drone and the drone goes and does what

they they told it to do they can very easily see where they made mistakes where like no i really

i wanted it to turn right here not left okay and then they can go back through and they can find

their errors where when you are you know writing a program on a computer and then you're executing

and things are running in the background you can't necessarily see it um kids you know that that's

very abstract and kids don't necessarily have that um that that abstract thinking just yet so

this is a much more concrete way of them of to see what it is that they're coding me being a pilot i

asked a couple of my friends i was like wouldn't would anybody be interested in like helping out

if i started this like group for teachers who wanted to use drones in their classroom

and we can answer questions for them and so a couple people are like yeah it's a fantastic

idea so i started a facebook group started as a facebook group and um it's just it's blown up

over the last three years or so since i started it and we've got people in seven different countries

and they're all people that they're either they're either like homeschool parents um they're they're

school teachers they're community college teachers we've got some university professors in there

um but anybody that's really interested in drones and stem education everybody's sharing ideas and

and sharing you know things that they're doing it gets real busy during the summer for summer camps

um in the group and it's just i don't know it's exploding i have to do something more formal

with it um just because i you know i'm getting companies drone manufacturing companies coming

to me saying like they want to you know they want to be able to provide you know resources and stuff

to the to the group and stuff and they have to you know there's certain things need to be in place

that kind of thing but i don't know it's just it's one of those things like it was an idea and it

i don't know it took off that's really they're really awesome i look forward to seeing how it

progresses and and to all our the listeners out there um check out more information from

heatherheathermonty.com um also uh check out the cyber coffee talk podcast on your on your favorite

podcast platform or go to cybercoffeetalk.com and there's a lot more information available

heather how else can can people get a hold of you or there are other resources that you that

you would point them to that you have yeah if you go to heathermonthy.com right in the middle

of the page there's a link to all my like linkedin facebook pinterest youtube all that kind of stuff

i'm pretty much everywhere on the internet i love it i think it's fantastic so um i'm very active on

linkedin if you find me there you can shoot me a message great and monty is spelled m-o-n-t-h-i-e

uh for those listening and we'll put a link in the show notes as well well heather thank you so

much for joining us this has been outstanding and i just appreciate all your work in these different

areas uh we need more we i mean we know we need more cyber security professionals and

um creating those different avenues and giving them advice to get into the field and really help

to help us protect our country is is so critical right now and we'll i think we'll continue to

be for the rest of our lives so i appreciate all you do and thanks again for joining us thank you

for having me does anybody else have any anybody else have any final final thoughts or ideas they'd

like to share before we wrap up i just want to thank heather again you're such a beacon of light

so thank you for all you do thanks thanks and stay in school and don't do drugs

yes excellent excellent advice excellent advice well thank you everybody for listening

to the cyber ants podcast if you uh like the show subscribe go to cyberrantspodcast.com and there's

a form there if you have any questions ideas topics you'd like us to cover in future episodes

we'd love to hear from you love your feedback and thank you again have a great rest of your day