
Cybersecurity Career Tips From a Ballerina Turned Pentester

Lola Kureno is an Israeli-born cybersecurity engineer living in Tokyo and working for IT training and certifications provider INE. An expert pentester and ethical hacking advocate, Lola shares cybersecurity career tips and discusses how a single event changed her life forever and set her on an unexpected professional path.


You have quite an amazing career story. You set out on a very different path, and then a major event changed everything. What happened?

It’s quite a long story. My background was not in tech at all. Since I was three years old, I was a classical ballerina. That’s what I was set to be my whole life, or so I thought. I was a professional. I was with dancing companies and had all my life centred around classical ballet. That’s all I knew how to do.

And then I had a very bad car accident. I spent six months in the hospital, plus two years of rehabilitation just to get back on my feet. It was really bad. I was a passenger in my coworker’s car. She broke a couple of bones but was okay. But it was a frontal impact for me, and it was not only the physical side of things. It is not good for your mental health to think that all that your life is about can end in a second.

After I was kind of physically recovered, I really didn’t know what to do. That’s why I left the US, where I was living, and went to Europe. I spent about a year not doing anything. I didn’t know what to do with my life.

Later I went to Lisbon and that’s where I met my husband and got married. We moved to Tokyo, and life here was very different from anything that I was used to. And eventually, I had to get a job, but I didn’t know how to do anything else besides ballet.

So, I got a normal job in a company, like 8 to 5, but I wasn’t happy. It paid, but it wasn’t anything that let me be ambitious, be competitive, learn and study. It was boring. Get back from work and watch TV, go to sleep and repeat. The same routine. It didn’t make me happy.

And then you found tech. Why did you go into IT and pursue a career in cybersecurity?

Computers were always a hobby for me. My father was an engineer, and I got my first computer when I was really young. But it was just something I did when I had time.

And I shared with my husband that I was feeling like I was a waste, that I wasn’t doing anything. And he said “well, you shouldn’t. You’re smart, just do something with the computer. You like computers.”

But, you know, I had that image, that thought that if I didn’t have a degree in engineering or computer science or something related, I couldn’t do anything. And I was in my early 30s, I was not a kid anymore.

I didn’t know what to do, so I started researching about maybe getting a first degree, something like that that I could do. And I came across something along the lines that you could actually hack for a living. And I was like really, hack for a living? That was very intriguing to me. I was very curious about it. So, I started researching and that’s when I learned about cybersecurity and something got into me. I started researching more career options and that’s how it started.

So, how did you actually get started in your cybersecurity career?

After discovering all of this, I couldn’t think of anything else but that. I still had my full-time job, but I would come back from work and be back on the computer. I did that on the weekends.

And, talking to people, I met someone who was studying for the eLearnSecurity Junior Penetration Tester (eJPT) certification. And he said, well, there is this platform where you study and, when you feel ready, you just buy the test, take it and can get certified. I had read about some other certifications, but I didn’t feel qualified to take any of them. I was just starting, you know.

So, I would study every day using materials from the cyber mentor Heath Adams. He was my first big source of information. And then I started looking at cyber security content from Neal Bridges. That was another community that really gave me lots of information. From there, I met many amazing professionals like Phillip Wylie, an amazing pentester who now is a personal friend of mine besides being a colleague in the industry.

And yeah, that’s how it started. I eventually took the eJPT test and passed it. Later, I got an internship, being an intern for Neal Bridges’ personal consulting company. I spent some months being his intern and learned a lot of things.

I was learning continuously. It was an everyday thing. I didn’t do anything else, just study. And then the opportunity to work at INE was presented to me, and I took it.

What does your current position as a cybersecurity engineer involve?

Actually, penetration testing is just a small portion of my current job tasks. I do much more than that. I would say that penetration test is maybe like 15% of it all, 20% perhaps.

Lots of what I do involves talking not only to coworkers but talking to clients. If you don’t know how to talk to people, you’re behind. So, you need to have those soft skills.


Are programming skills a must for a successful cybersecurity career?

You don’t need to be a developer, you don’t need to be a coder. But it helps to at least understand what’s going on in a piece of code. You use Bash, PowerShell, Python, Go, Ruby. Those are some of the languages that we are always using.

You don’t need to know how to use these languages at a development level, but knowing what’s going on helps. If you come from a development background, it helps. Absolutely, very helpful.

What skills would you recommend others to focus on to advance their cybersecurity career? 

I would say that it’s wonderful that you’re focusing on all your hacking and pentesting skills, but know that you need some other skills to go with that.

Right now, a big part of my routine is learning cloud. My job is a lot in the cloud. Of course, I’m still studying pentesting, but I am studying cloud because I need it for my job. I know the fundamentals, but I still feel that’s not enough, and cloud is now a crucial skill for the whole cybersecurity world. It doesn’t matter what your job is in cyber: you need to know some cloud.

What other advice would you give to people pursuing a cybersecurity career?

There is always room for improvement. It doesn’t matter if you are someone who’s one year into the industry or 10 or 20. There is always something new to learn. It doesn’t stop.

Talk to people. Don’t hide behind your computer screen. Network.

Also, make sure to have an active LinkedIn profile. Many people think that LinkedIn is only for job hunting, so after they finally find a job, they let their LinkedIn profile die, and that’s a big mistake.

The fact that you already have a job doesn’t mean you shouldn’t be open to opportunities. There are always things to do, not only your full-time job. So, keep networking, keep talking to people.

Go to conferences. If you can’t go to a conference, volunteer for them. Volunteering for conferences gives you the opportunity to be in contact with wonderful people. Brush up your soft skills.

And if you’re not in the industry yet, if you’re still hoping to get your first cyber job, finding a mentor is a good idea. Plenty of people would be very happy to help you out. Don’t be afraid of connecting to people.

Lastly, don’t give up. Many times, when I was job hunting, I came very close to giving up. But, since I had networked so much, I had so many people who knew that I was job hunting. And they didn’t let me give up. That’s another benefit of networking. These people have got your back, they keep you accountable, they keep you on track. So, don’t give up.

It’s hard. You will get many noes for silly reasons. You will get 10, maybe 15 or 100 noes. But you will get that yes.


For more tips about pentesting and cybersecurity careers, make sure to follow Lola on Twitter and LinkedIn.



From the US Marines to AWS: A DevOps Career

Jake Furlong is a Technical Lab Developer at Amazon Web Services (AWS) and a self-taught DevOps expert, Site Reliability Engineer and cloud architect. He tells us how he went from the US Marine Corps to becoming an all-around DevOps specialist, and shares DevOps career tips and insights.


You spent several years with the US Marines and your educational background is in business. How did you transition into tech and a DevOps career?

I got out of the US Marine Corps and, honestly, I just took the first job that I could find. I started training new employees on how to use an Avaya telecom system, which I myself had no idea what that was. I did that for a few months and then they moved me into another role, as director of admissions systems and analytics. I had access to some free courses. So I took calculus and some computer architecture classes because that was kind of what I was interested in.

Then I stumbled across a CompTIA certification road map online and picked up an A+ book. I started reading through that and I stumbled across a book called Automate The Boring Stuff and started learning some Python. And most of my job was done through CRM and a lot of Excel, a lot of functions. I just started converting it to Python to automate my job and then I automated my friends’ jobs. And before you know it, it was all just running Python.

And I was talking about it while playing World of Warcraft, of all things. I had a friend in my WoW guild who worked for an SAP company and said “hey, we’re hiring if you want to switch into tech”. I talked to my family about doing a complete and total career switch.

The interview went horrible, but they were very very nice. I was willing to learn and they had seen how much I had learned in such a short time at my previous job and gave me a chance. I got an offer and that was the beginning.

You have quite a portfolio of certifications. Is that how you learned the most?

As I said, I read through that A+ book, but mostly for the knowledge. Based on what I wanted to do in IT, I didn’t really want a hardware-related certification. Because I think that, for hiring managers, sometimes it’s easy to misconstrue a person’s skills based on what certifications they have. So I wanted to make sure I was marketing myself in a way I thought was relevant for the things that I wanted to do.

That’s when I found AWS and I kind of looked at the state of IT at the time and figured that cloud was really the way forward. I got AWS certified and then my company was getting really hands-on with GCP. So I got GCP certified and all of that was through free online courses and a paid Linux Academy subscription. I thought about getting an IT degree but it was just too expensive and there wasn’t enough hands-on. It was mostly theory. So I kind of took the theory from the books that I had, and then once I found Linux Academy, I just did every course.

Anything operating systems, Windows, Linux, database programming, web stuff, web development, cloud — whatever I could find. Then I found a site called Open Source Society University, and they have a GitHub page that basically gives you a list of courses from edX, Coursera or other free online tools that teach you the equivalent of a computer science degree.

That was very, very helpful. Then I just took that information and volunteered for every project at work. I took any ticket and tried to automate it, stuff like that. And the whole time, I was told that certs aren’t important to all the people that I worked with. But I think that hiring managers and HR might disagree. And let’s be honest, it’s kind of hard to get jobs without proving you have the knowledge and.

Since I don’t have a degree in anything technology related, I felt I needed to kind of differentiate myself a little bit. So I got those to kind of compensate for not having a degree.

What’s your opinion on free courses vs bootcamps or official certifications?

I always go with free stuff or at least like the inexpensive Udemy sales. I think bootcamps are great for entry-level, but they don’t really allow you to work past that and most of the content online will get you through the basics. Try to solve a problem or find a problem to solve and really get your hands dirty with development or cloud engineering.

Certs are fine if you need them for a specific position or career goal. But I wouldn’t do one to learn. I might take the study guide and use that, but I think certs are a huge market and there’s a lot of money to be made from people that are looking to get certified.

I honestly just went to a lot of meetups. And I pretty much changed my podcasts to tech podcasts and just listened to those all the time.

I also focused on vendor documentation as opposed to online learning. Whether that’s the Kubernetes administrator guides or AWS or GCP documentation. Because you’re getting it straight from the horse’s mouth, and, as a musician (I studied jazz) we always go back to who was the original musician and study their technique and their ideas. So I kind of took the same approach to tech. Where did JavaScript come from? Where did Python come from? And try to study the root of where that came from.

How was the experience of being with the Marines? What’s your biggest takeaway from your time with them?

I had a great time in the Marine Corps. Believe it or not, I thought it was a lot of fun.

My biggest takeaway was really about how to work on a team. As much as there’s a lot of technical things I learned and things like that.

There’s just something about being humble and being a life-long learner and always striving to be better. About knowing your weaknesses and seeking self-improvement and being self-reliant and self-disciplined.

In tech, you have to because nobody is going to force you to hone your skills or learn a new programming language or how to administer Docker containers. You know, just that whole self-reliant aspect of being a continuous learner.

You design and implement technical labs, which are training programs for AWS customers. What does that involve?

I work on the training and curriculum team, and we deliver content to our AWS customers. We have an awesome team.

I work with them to help build and design labs and lab instructions. So, if you were to go to AWS, and want to take a course to learn how to be an architect, for example, we have designers and curriculum developers, architects, managers and product managers that we worked together with to formulate a plan to build a course.


And my job day-to-day is to go through and support them so that, when they get to the hands-on portion, a student can click start lab and everything underneath the hood is provisioned and ready, works every time, and is repeatable across multiple devices or operating systems. I also ensure that the lab instructions are clear and easy to understand, from people who may have a lot of experience to people for whom this is their first time working with the cloud.

So it’s a technical role, but there’s a lot of human aspect to it. Understanding how people learn and how people learn technology – as a person who is basically self-taught, I use that a lot in this role.

First DevOps, now DataOps. The DevOps philosophy seems to be permeating all areas of IT. What do you think is the success behind this way of thinking? What will be the next “Ops”?

I will start by saying that I don’t think DevOps is a real thing. As a community, we can’t even agree on what it is. We’ve been doing this since the 70s, the 80s? Really since the 60s. With Deming, and all of the work he did toward continuous improvement, total quality management, things like that.

And I think what we’re going to see is that we’ll revisit value stream mapping. How can we best automate and streamline value stream maps? Right now, we’re automating everything, and it’s all about pipelines and getting the developers close.

I think that’ll be short lived. We should have always been doing that, and I think connecting development to automation and ops problems is good. I think DevOps, the core of it, we want the developer problems and ops problems to kind of be the same problems, right? Where ops informs development workflows.

Developers use that workflow to produce either new tools or better tools, or even more consistent infrastructure. But sometimes ops doesn’t want things to change. And, as somebody who’s worked in the ops world, I totally respect that and I completely understand. As somebody who’s worked on the devish side of DevOps, I understand needing to get new versions of things out and upgrading things and patching things so that there’s a balance between it.

But I think what we’re really going to see is that, as you get to DataOps and really anything that needs to inform ops, is that everything is going to be data-driven. But it’s going to have to be value streamed.

So, what is the most important? What do you get the most benefit from as far as value? How much money are we really making or saving by approving X project or making Y operations a department priority?

I think, eventually, and once you start finding an efficient way and accurate way to attach dollars or time to these things, you may have some time and value attached to them as it pertains to the business and not just how many commits you made last month or something.

DevOps career: What’s the day-to-day of a DevOps team like?

A lot of it is requests for automation, declarative infrastructure, tons of monitoring, moving into containerization or modernizing orchestration tools, stuff like that.

I think a lot of it is also developer advocacy and just DevOps evangelism. Because it’s been around for a while, but it’s still relatively new. It hasn’t really permeated all the cultures yet. So, while a lot of people have a DevOps team, the cultural side I think needs a lot of work. So a lot of time is spent explaining why we’re doing this.

It sounds like the value is obvious, but it still takes up a lot of time to describe why we need resources, why we need time, why we should be doing certain projects.

A lot of the time is spent researching new tech, building up labs on your workstation or in the cloud somewhere, and testing a deployment, meeting with ops teams to discuss their pain points.

And then, of course, all the pipeline things, so it’s a very collaborative job. You’re not going to see a DevOps person in a silo.

On a given day, you never know what you’re going to do. But it’s always going to be automating something or fixing something or updating something or monitoring something, justifying what it is that you’re doing.

What’s the best career advice you have ever been given?

Ironically, it actually came from a conductor of a music organization. He said “find something you love and do that because, no matter what you do or where you go, you’ll always be doing something that you enjoy.”

Just do what you know is right and provide value to everyone around you and don’t worry too much about certifications. If you have the knowledge, it will all come together.

Just always be learning.


For more tips about DevOps careers, make sure to follow Jake on LinkedIn.



How To Learn Python With Rune

Rune holds a PhD in Computer Science and works as a freelance Python consultant specialising in big data and back-end development. When the pandemic hit, he kickstarted the learning platform Learn Python With Rune to teach others how to learn Python and apply it. He tells us about his career story and how one should go about mastering this powerful programming language.


How did you go from doing a PhD to working in tech?

Back in the days when I started university, I actually didn’t think of doing a PhD in the first place. I was just starting but I thought learning is awesome, so I immediately decided I wanted to get a PhD.

But while I was studying for my PhD, I realised it wasn’t really for me because it wasn’t really deeply about science. It’s more about publishing papers and getting funding to continue your career. 

So after I finished my PhD, I started as a developer mainly in the security area (I’ve been working a lot in the security business.) I realised that the one thing that I liked was getting things done, getting projects done. So, I slowly became also a manager type person and worked a few years as a manager. Then I continued working in a SaaS company as an engineering manager for architecture and back-end teams and stuff like that. 

But then you went back to development. How is that? When did you decide to kickstart Learn Python With Rune?

I realised I missed programming a lot, and that’s actually where my journey with Learn Python With Rune started. 

I wanted to learn programming again. As a manager, you slowly lose touch with programming because you’re not really doing any professional code anymore. And I kind of missed that. 

So, a bit more than a year ago, I got the idea. It was actually when the coronavirus pandemic started. I had more time and was working from home, and I was like “I want to program again.” So, I started this small project.  I started producing small projects, publishing them on a web page, and one thing led to another. And it just escalated. 

Now, I work as a freelance consultant and they hire me and I do programming again in a freelance manner. And the reason I like that is because you kind of get more freedom. So, if you want to have some vacation, you just do it. It’s more freedom. 

Why Python? What makes Python so great?

I had to start somewhere, right? I hadn’t been programming that much in Python professionally, but I had been programming in C a lot. C is a really low-level programming language and it’s very effective, but you can make so many errors, pointers and stuff like that. It’s just a pain when you don’t know much because you can just do what a processor can do.

But Python is abstracted away. And what happened with Python over the last maybe 10 years is that it has so many libraries. So you can do everything efficiently. It has been developed a lot, for instance, in data science and big data and stuff like that (I myself work with Python in the big data and back-end side of things.) And you can do all this processing now because you have the libraries that can do all the heavy work, but you just manage it in Python code so it can get beautiful. 

It’s easy to understand, it’s readable. It’s almost super code. That’s the main reason I love Python. But there are also some things that I’m not so fond of.

Like what? What is Python not so great at?

It does hide some of the things away, some of the objects and how they are represented. When you are programming in C you know everything exactly on a byte level. In Python, it’s kind of hidden away.

And I see a lot of beginners having a hard time and struggling with what an object is and what object-oriented programming is, for instance. Because we say that, in Python, everything is an object, but really, is it? I don’t know. It depends on the implementation. And then they confuse object-oriented programming on top of that.

So, I think it does a really good job, but there are some areas that are not easy to understand in Python. But the pain you get from that is way less than the efficiency and productivity you can get from writing code in Python. 

How should one learn Python? What are your main pieces of advice?

Nowadays it’s difficult to start actually, in some sense, because there’s so much information out there. So my first advice is to ask yourself: what is it that you want to achieve with Python? What is it that you want to learn? What is it you want to code? 

If you just start thinking “I want to program in Python,” then you start a little bit here, a little bit there. All the information is available. The problem is that it’s unstructured. So you get excited about this little bit here, and then you do that, but they are different types of using Python. 

If you want to program back-end like I’m doing, then that is one kind of doing. If you just want to do data science, that’s a different way. You don’t really need to master programming that well, you just need to use some libraries and understand a little about math and so on. 

So it really depends on what you want to achieve. I think people often go around too much. So, advice number one is figure out what it is that you want with it. 


Then find one teacher, one style. It’s just easier. If you take a little bit of this tutorial on the Internet, then a different tutorial, people can do things very differently and it can be difficult to have a cohesive approach. 

The third issue is about managing your expectations about how fast it is to learn. When you learn a new language, you can listen to it and understand it. But when you have to express yourself, it’s different. It’s difficult. You don’t know how to say things, but you understand it. And it’s the same with programming. 

Suddenly, when you see the solution, how people solved it, you go “yeah, I understand it all and that makes total sense.” But when you have to write it, you might have no idea how to solve problems. And that’s kind of the same problem you have right when you start. You understand Python, but you cannot express yourself in it. 

So, I think that would be my three main pieces of advice for beginners. 

One: figure out what you want to do. Two: find one tutor or one style of programming, one book. Three: manage your expectations. It takes a bit more time to learn to write Python than to read it. 

What’s the difference between a senior Python developer and a junior one?

There are actually some aspects I think people overlook. 

One of them is that, when you have a junior in a work environment, you need to help them. If you take somebody straight out of college, for instance, there are a lot of things they don’t teach in college. You know, how to do metrics, monitoring, how to ensure everything is healthy in your system. They don’t teach them that, so that’s one thing they’re lacking. It’s the experience.

Another thing that juniors tend to do is focus on building small systems. Most college-educated and self-taught people tend to do small projects because they’re easier and you have greater chances of success.

But there is an enormous difference between having one tiny system with one tiny server and a distributed system with tens and sometimes hundreds of systems that need to interact with each other and you need to figure out what to do. 

What happens when you make changes to this small thing here? How do you rebuild it when it breaks? How do you build systems that scale in features and amount of users and volume of data?

Juniors usually can solve small-scale problems, whereas a senior developer can handle bigger scale problems. 

Another aspect I noticed over the years is that juniors are often a bit afraid. When starting in a team, when starting to develop, a junior will not be so quick to contribute to it and will want people to check the code more often and to help them more, because they are a bit afraid. 

So, when things go wrong, they don’t really have the confidence to just do stuff and break stuff and put it back up again. They lack that kind of experience and confidence.

My advice for new people is to build something bigger. Build something with somebody else. 

You might have done tiny projects in college, or you may have worked together with other people for a bit. But try to make something bigger because you need to be able to build interfaces that interact with each other, where somebody builds one piece and somebody else builds another piece. That will teach you the kind of architecture design principles behind all of it.

I still think that’s a less important part today because there’s a tendency to go to all these microservices or services that are small in framework. And that makes them easier to understand, easier to debug, easier to maintain by other people. 

So it’s not as difficult as back in the day when you had this one big monolith that was running everything. Right now, you have small services that are easier to understand, but it also moves the problem somewhere else. How do you find where the problem is when the system goes down? You need to have really really good monitoring to find things nowadays. 

So you actually move some of the complexity over to the infrastructure guys or the SREs (Site Reliability Engineers). That’s why they are paid a higher rate now than they used to be. A good SRE is so valuable when you need to find problems in big systems. 


For more tips on how to master Python, make sure to follow Rune on Twitter, YouTube and Facebook.

He’s working on a new course portfolio focusing on how to use Python for financial analysis, so stay tuned!



A Data Centre Migration Is About Technology and People

Sarah Lean, aka Techielass, is a Scotland-based IT infrastructure, ops, and sys admin expert and Azure community evangelist. The founder of the Glasgow Azure User Group, Sarah works as a Senior Cloud Advocate at Microsoft and blogs, tweets and has her own YouTube channel. She discusses cloud careers, how you can get into community relations, what makes a successful data centre migration, and how a data centre migration is about technology and people.


How did you get started in tech?

I started off in a Sys Admin role, so I was a helpdesk engineer doing morning password resets for everybody, fishing out bits of broken paper from their printers, and stuff like that. I worked my career through those various different roles. In the UK, we call helpdesk roles first-level roles and then second-level is the support engineers that go out to people’s desks. Third-level is when you get to design systems for customers.

So, I basically went through those support levels within my career and just built up lots of experience both internally and externally. I was in companies where they just had a small IT department and they didn’t understand what IT departments did and how crucial they were. And then I also worked for managed service providers, dedicating myself to various different customers, etc.

How did you eventually become a Microsoft cloud advocate and a prominent figure in the Azure community?

I kind of fell into the community role because I wanted to learn Azure and there were no user groups in Scotland. I think the closest user group to me at the time was in London. Which is obviously not something you want to do if you finish working on Wednesday night: go down to London to a user group and then come back up to your work the next day. It’s obviously not logistically feasible, so I basically started the Glasgow Azure user group to fulfil my need. Basically, to learn Azure and find out where everybody else was fitting this into the on-prem and cloud worlds.

And yeah, I kind of fell into running the user group and then started speaking at events. People were like “you need to speak at events and share your story and journey”. Which I didn’t want to do. But then I fell into it and, before I knew it, I was getting headhunted to become a cloud advocate at Microsoft.

It definitely hasn’t been a planned evolution in my career, if I’m going to be brutally honest about it. But one that I’m really enjoying and has given me some excellent experiences of travelling to different parts of the world and doing some amazing stuff and meeting some amazing people in the community as well.

What does the cloud advocate position entail?

My role can be quite varied. A summary of my job is to help others find out how to use Microsoft Technologies. Whether that be by telling the story in a simplified manner, maybe in a blog post or a video that kind of connects the dots between, for example, what your on-prem system looks like and what your cloud system would look like.

I’m sure we’ve all read some official documentation on various different products, not just Microsoft products, and not understood what they were talking about. Being able to digest that into a way that makes sense for everybody, whether that be someone who’s a project manager or someone who has 100 years of experience in IT, and being able to get that story across to them is something that I do. So, my day can be quite varied.

It can be creating videos, creating blogs, doing podcasts… Or it can be just playing with technology, or creating new Microsoft Learn content as well. There are lots of different facets, and there are lots of different things I can do throughout the day. So it can be quite fun. And obviously, Covid has stopped me from travelling, so that would have been a big part of my job had we not had a pandemic. But we’re making it work.

Besides being a cloud advocate for Microsoft, you also have a personal blog and do a weekly update on YouTube as Techielass. How do the two intertwine? Do you usually post work-related stuff, separate both worlds, or a mix of both?

I think it’s a bit of both to be honest. Because a lot of people know me as Techielass and from before I was a cloud advocate, through my blog. Some things like my weekly update on YouTube was something that I actually started in anticipation for this job. Because I knew I would have to be on camera or I knew I’d have to do some presentations for this job.

I started that weekly update nearly two years ago now, to basically get more familiar with looking at the camera and being able to connect to it and doing all the things that go around video production, so that’s kind of interlinked. Although it’s become a kind of side project because I just enjoy doing that kind of medium as well.

My blog is sometimes intertwined with my job. You’ll find me, you know, blogging about random things that I find. I’ve been supporting my husband and working from home lately. So there’s some random support ticket type questions he’s asked me that I’ve blogged about, because I know he’s going to ask me in about 6 weeks’ time. And I’m not going to remember how I did it, so yeah, there’s various different things on my blog.

So yeah, my blog kind of intertwines with my job, but it’s not necessarily always about my job.

Is there anything in particular that you like to blog about within the world of Azure?

I think I’ve tried to specialise in data centre migrations. I think we’ve probably all been involved in an on-prem data centre migration. And I’ve tried to take some of that experience and that knowledge and transfer it into how you would actually migrate to the cloud.

So, you’ll find me talking a lot about migrating. I tend to talk more about the processes around that nowadays rather than the technology because I think that’s a part of the journey that a lot of people struggle with. We can understand the technology quite easily, I think. But trying to put that into practice: how you think about things like training your staff, how you change that culture within your organization, how you start the project for your migration…

So, I talk a lot about data centre migrations and, although I talk a lot about the culture and the process around it, you’ll find me talking about Azure Migrate quite a bit and intertwining that into how you actually do your data centre migration. So that’s kind of my specialty, what a lot of people reach out to me and ask about.

What are the biggest mistakes being made in this data centre migration to the cloud, especially now that some companies might be rushing their transition because of the pandemic?

I think lots of people forget to actually assess what they have inside their on-prem data centre right now. They want to get to the actual delivery part. They want to get to put some resources in Azure, and they want to prove the value and say “we’ve completed that project”. And, like you say, some have been rushing because of Covid and the challenges that it’s thrown up.

I always try and say: take a step back, have a look at what’s in your environment. Try and understand not only the technology in your environment, but also what your staff needs are. So, your technology is going to have a bunch of needs when you move it to the cloud. Things are maybe not even going to be able to be moved to the cloud because they’re legacy. Or they’re far too complex, etc.

But what about the staff within your environment as well? Do people know how to use Azure once you’ve moved into that? I think that can often be a stumbling block as well. I’ve seen some customers who bring in third-party companies to do the migration. They move all the technology and then that third-party company leaves. The staff don’t have any clue on how to support the things that are now in Azure.

And before you know it, they’ve got into this situation where they think that the cloud is rubbish. Because the staff haven’t been able to support it because they themselves haven’t been supported in learning it. That’s why I always say that a data centre migration is about technology and people, so make sure you’re investing in the staff within your IT department.

Also, make sure you’re looking towards the end users, the people that use these applications that are in your data centre. Do you know how they use them? Is this an opportunity to ditch some of the ones that they hate? Is it that time to look at new solutions?

So, technology and people are the things you should be thinking about in your data centre migration.

What advice would you give to other IT specialists who might want to get into community relations and advocacy?

If you want to get into the community space, try and do it in your spare time. I know that’s a big ask, because we probably don’t have a lot of spare time, (I definitely don’t have a lot of spare time myself), but it’s definitely a job you have to have a passion for because it’s very different from the technology world, from being a consultant, from being an engineer.

There are so many facets to it. I do things in marketing, I do video editing, I do image creation. I’m a bit of a designer occasionally. I’m also a technical writer. I have to be a presenter.

There’s a ton of things before I even get to the technology. Some days I might not even touch any of the technology because I’m in things like Adobe Creative Cloud, so that’s a big change.

If you’re not ready to give up the toolbox, if you’re not ready to give up playing with the technology, then it’s not something for you right now, and that’s why I say do it in your spare time, because, if you find that and you enjoy doing these things, if you enjoy doing podcasts, if you enjoy doing videos, if you enjoy doing the blogging, you’ll naturally find that you’ll progress more and more to that and away from being hands on the tools as such.

I see a lot of people wanting the glamour, but they don’t realise that there’s a lot of time where you’re actually not touching technology. But it is a great job. It has offered me fantastic opportunities, but I think a lot of people need to be aware of the fact that there’s so much to it and it’s not just talking about tech all the time.

And your advice for the larger IT community?

Besides that, just support people who are creating content, whether that be people like myself that do it as a job or whether it be people doing it as a hobby. It definitely means a lot, even if it’s just a small like on a YouTube video or a retweet on Twitter. That means a whole load to us as content creators.

So, definitely support people when they do that, because it can make a massive difference. That 10-minute video could have taken me like 3 days to create so that small little like on a YouTube video means the world to me and it means that I actually spend my time valuably.

Support the content creators out there.


For more cloud careers and Azure tips, make sure to follow Sarah on Twitter, YouTube, LinkedIn or through the Techielass blog.

Leadership Failure: The Real Human Element Behind Cyber Attacks

Dr. ir Johannes Drooghaag, CEO of Spearhead Management and founder of Internet Safety for Kids, recently sat down with us to talk about the real human element behind cyber attacks and his work helping educate children and parents about cybersecurity.


How did your career in tech start? What do you do these days?

My career started in applied information technology and my interest was first in the technical part of that. But I lost interest when I noticed that technology keeps rotating and innovating and reinventing itself so fast that it’s very difficult to keep up. And I started to get very interested in how we can build bridges with the people using the technology and how they can keep up with this enormous pace of technology.

That was more than 30 years ago and, since then, the pace has only increased. But we have not really done a lot to improve how we educate people with technology. So that became my mission. I focus mainly on the human element of technology, and I do that in the field of cybersecurity, of agile management, for digital transformation. We say it is all customer-focused, which in most cases is true. But, in many cases, we forget the people within the organisation who have to work with all that technology.

How do you advocate for this human-centred approach to technology?

I founded a company called Spearhead Management, in which we literally take, first of all, the people. We start with education and coaching, and we do that based on an approach that we could call a gap analysis. Where are we today? Where do we want to be tomorrow? And yes, there will be technology involved. But how can we enable and empower the people in the organisation to make that happen and to become part of that innovation and that digital transformation. And we do that through training. We do that through consulting, through coaching.

I also use my voice on social media. I started to actively use social media three years ago. I’ve been growing fortunately very fast in the last three years. I use that a lot to point out what the human element behind cyber attacks is. What has gone very well? What has gone not so well? And what has gone really, really bad?

And one of the things I do with my team is that, once a year, we publish a report called The Human Element in Cyber Security, and I do podcasts and keynotes around it under the title “The Human Elements in Cyber Security: And It’s Not What You Think.”

Why is it not what we think?

Because when we look at the IT community, there’s a lot of focus on the user error. So you might get the impression that the user is responsible for all cyber incidents. And when we look at the media, we get all the information about the bad fenders, about the vulnerabilities, about how somebody was hacked and everything went wrong.

But when we look at the technical information about these cyber breaches, we see that the human element caused more than 80% of them in the configuration and the management of technology, so the technical responsibility behind that technology. Now we should not take that and do the same thing by saying the IT experts are to blame, because that’s neither fair nor correct.

A lot of that is leadership decisions. We know in a corporation nothing happens without approval and budget. So, the IT guy can sit there and say “I have to update those machines, I have to replace that software because it’s EOL”. But when that person doesn’t get approval and doesn’t get the budget, I assume they’re not going to pay that out of their own pocket, right?

So the human element is a lot more than just the actual making failures. The majority of that is leadership. The majority of that is completely failed risk management. If we don’t change the way we manage and lead, we will continue to have these issues.

What would be a textbook example of leadership failure impacting cybersecurity?

There is this beautiful case of the Colonial Pipeline, a very high-profile case that was recently all over the media. It started with all kinds of theories about what would have been the case. And this theory immediately emerged that people were claiming that a user had opened an attachment. Other people claimed that there had been a case of social engineering through which all kinds of other theories popped up. Things popped up and they were all over the media and social media.

But then the actual experts analysed it. They found that a VPN account, which lacked basic security measures and was not in use for a very long time, got compromised. Someone shared that compromised account, including the ID and password, on dark web forums. And used that account for the initial breach of the network and through that they were able to escalate.

Now there’s one thing that we have to keep in mind. There’s an FBI director who made a very interesting statement. There are two types of companies. The companies who have had their network breached by malicious actors. And the companies who do not know that their network has been breached by malicious actors. And that’s the reality that we have to assume at the moment. That we are compromised and that we must implement all potential and available countermeasures based on that assumption.

The Colonial Pipeline case shows us two things we should focus on. Firstly, abandoned technology. That VPN connection that we are not monitoring, not taking care of and that hasn’t been used for a long, long time: it is still open and available. Secondly, the almost mandatory segregation of network access and segmentation of the network itself to make sure that you cannot simply hop from one privilege to the next one. All that was not available. Your active monitoring, through which you keep an eye on what happens in your network. If, after five years, you suddenly see a VPN connection pop up, you should react to that. Never happened.

For me, that is a schoolbook example of knowing what should be done and not doing that. An example of having all kinds of interpretations that are not factual at the beginning of the incident and, as soon as the actual analysis is publicly known, is once again the basic step.

And that is what we see in the majority of our research as the real human element behind cyber attacks. When we follow the three basic elements of cybersecurity (patch management, access management, segmentation and segregation), we can prevent more than 90% of all cyber incidents.

You are the founder of Internet Safety for Kids. Can you tell us a bit about this initiative?

We create videos and content to enable parents and children to use the Internet in a secure and responsible manner. We do that with videos and cartoons. The kids love it. We get wonderful feedback, and the most interesting part is that parents write us to tell us that they’re learning from the videos, which they thought were intended for the kids, but we make them on purpose for the kids and the parents. It’s a beautiful project. I love it. It’s a lot of work, but it’s worth every hour that we invest in it.

What sort of cybersecurity advice do you provide in these videos?

Well, there was one episode for which the kids made the entire script from beginning to end.

They said “We have some wonderful advice: we need to inform our parents about what we do, and we should never hide what we do, and we should always explain why we want to do it. But can you please be so kind as to tell the parents that they should listen when we want to tell them something? And if we want to show them something, that they should actually take a couple of minutes?”

So we did this episode created by the kids alone and we didn’t allow the parents to criticise any of it, just focused on saying “Hey parents: yes, we can tell you what the kids should do, but you should have time for them when they want to do what we tell them to do.”

I love that so much. We had so much fun creating that. We encourage parents and kids to learn this together. It’s not that parents give these videos to the kids and say “well, be busy and learn this.” Sit down together, learn this together and use it as an input for discussions with each other. What we’ve learned with the kids is that they’re really actively involved, so they come back to the parents and they say, “hey, I watched this video and look, I’ve done this and it looks good.” And that’s the coolest thing.


For more on the human element behind cyber attacks and IT in general, make sure to follow Dr. Drooghaag on Twitter, LinkedIn or through his website.

On Learning Azure IoT and Being an Active Member of the Community

John Lunn, also known as Jonnychipz, is a Welsh Azure MVP and MCT working as a technical architect at BT Enterprise. An organiser of the Welsh Azure User Group and an avid vlogger, John discusses the benefits of being an active member of the Azure community and how he learned Azure IoT. 

What made you go into Microsoft Technologies and cloud architecture?

I think when you go into business you predominantly work with Microsoft Technologies, more often than not. I kind of cut my teeth in IT on that side of the fence, which was very much Microsoft focused. So, I guess that, when I took that additional career step into the world of consultancy and kind of specialized in a particular area (in my case it was unified comms when I first started in that world), Microsoft was a natural steppingstone.

I’ve dealt with it for a number of years now. I knew my way around it. I was comfortable with it. So developing those softer skills like speaking to customers and other clients and helping other people understand the technology, or yeah, or being parachuted into a completely burning disaster of a problem. You soon learn the technologies at quite a deep level. You learn quite quickly what you can and can’t do.

So, yeah. I suppose I kind of edged myself gently into the world of consultancy and architecture. Now I find myself as a technical architect working on predominantly Azure and Microsoft focused solutions for customers. It’s been quite a long career and I’ve delved into a number of different areas. But I wouldn’t change it for the world. I’ve learned so much throughout that time.

Cloud careers are evolving very rapidly. What’s your approach to keeping up with emerging trends?

As an individual, I’m constantly thinking: where are we going with technology? What’s next? Not just for my own interests and keep the passion and the interest in my career. But also: where can I add the most value? The company that I work for — how can I help them see and visualise those innovative ideas, projects and solutions?

For a number of years, I’ve been speaking internally with my management team, talking about where we’re going as an industry, and, clearly, for some time now, it’s been around IoT, edge data, machine learning, AI… All of those kinds of technologies that are going to drive innovative solution design.

So, I’ve been on a personal quest. I’ve dabbled in areas over the years. I’ve done bits and pieces and I keep telling people I know enough to be dangerous. That’s my stock answer. I know enough to dig in and make a little bit of noise. But I take it as my own personal development journey to try and dig into that in a bit more detail. IoT was one of those areas that I jumped into.

Why Azure IoT in particular? How did you go about diving into the area?

I guess I wanted to understand right the way from that physical thing. That physical device and object, the microcontroller that is inside that device, to the LEDs and resistors and buttons. How do those things get made and then what is the code that sits on that microprocessor? How do I develop that code to then enable me to take that sensor information?

Maybe there’s, you know, some optical, temperature or humidity sensor. The common things that you find in IoT projects. How do I take that, read it with some code and send that up to this thing called the cloud? And then what do I do with that?

So, I took it upon myself to try and look at some pet projects to build this, to start looking at microcontrollers, put them in, etc. I literally got myself a 3D printer and started printing off all these random designs I made myself.

There’s the engineering mentality if you’re really starting off at the maker side of things. So, I went on this journey of learning all of these kinds of disciplines. It’s really about understanding all of these little components that go into what makes an IoT solution. And I’m really trying to understand how you join the dots between these various features and components within Azure to make those solutions.

And it’s been more of a labour of love than anything for work. I’ve met some fantastic people out in the community that have helped me understand things, that I’ve learned from, that I’ve taken ideas from.

And going down on that journey, you learn so much about those areas of Azure that maybe you’re not using on a frequent basis. You know, you start with this high-level view of the world. I try and dig down deep as much as I can in as many different areas so that hopefully I get a little bit more of a clearer picture as to how and why you can use these things.

Do you think a hands-on approach to learning new technologies is better than a theoretical or certifications-based one?

I mean everybody is different. I think for me hands-on works well. Certification is a great way to go, especially if it’s something relatively new and unknown.

So, for example, the AZ 220 exam is the Azure IoT developer speciality exam from Microsoft. And that’s what I was going for at the time.

There are certain ways people can study for exams such as the Azure IoT exam AZ 220. It’s very much theory-based where you read the Microsoft docs and understand things. And you know, if you do enough Microsoft exams, you can kind of work out which questions they are going to ask you. You get to learn in an almost parrot-like fashion the areas that particular exam is going to cover. And that’s great, there have been exams that I’ve kind of just done in that way. You go in and you’ve learned something over a crammed week or two.

But the problem is that, later down the road, if you’ve not actually done anything physical or hands-on or done it yourself, I found that I forgot it.

For the Azure IoT exam, I took it relatively slowly because I wanted to absorb it and be part of it for a while. Basically, because it was so much fun. I was just having so much fun doing this tinkering and making and, like I say, it hasn’t stopped.

So yeah, I think certification, such as the Azure IoT exam, is definitely a great way of identifying the areas that you need to learn. But how you learn those is up to you. Everybody’s got their own style and, for me, slow and steady and hands-on sinks in more and I’m able to retain that information for longer and apply it to other things.

You are an active member of the online Azure community. You go by the nickname of Jonnychipz, and you blog and host a weekly vlog covering Azure-related news and topics. How did you become such an active part of the community? What were the beginnings like?

I had always been on the periphery, the edges of the community. And I guess I never really understood what community meant. Over the years, I’ve been fortunate enough to go to some great Microsoft events globally, and I’ve met some brilliant people. But I had never really been actively involved in the community.

But then COVID hit, and we were all locked up in our houses. I got the time to actually focus and build myself a little bit of an office space. Before, I was always out on the road, driving up and down motorways in the UK or running the kids around.

So, as we all had this additional time, I thought, OK, this is an opportunity for me to try and focus on public learning and the community a bit more. In hindsight, I didn’t really know what I was doing when I first started. I set a blog up and it was jonnychipz.com, you know? And I started putting out some blogs. I started doing the 100 days of cloud, just trying to show my public learnings and hopefully give a bit back.

What does your new role in the community bring into your life? What have been the best moments so far?

Well, it sounds a bit cliched, but there have been so many different situations that were super fun and where I thought I would have never been had I not turned to the community. Things like joining and setting up and helping organise a user group – part of what I do is helping organise the Welsh Azure User Group, and we run that as a monthly virtual session.

We’ve had so many fun moments over that, just from the guys and gals that help organise the weekly or biweekly calls that we have, through to the events themselves and just the fun engagement from other people in the community. There’s been so many comedy moments and just good general laughs over things.

IoT has been one of the standout things for me. The people I’ve met in the world of IoT, from members of the community through to the advocacy team at Microsoft themselves, I’ve managed to speak to one or two of those over the last few months. They’re all super people. Really clever, intelligent, passionate people just putting stuff out.

You forge these new friendships without you realising it. You’re virtually speaking to people across Twitter and you’re having that banter, you jump on a live Twitch stream and have a little bit of fun.

So, it’s probably safe to say that there’s not really been one best moment so far. I think the best is yet to come. I’m really looking forward to getting back to the face-to-face meetups, getting back out there to two events where I get to meet some of these great people and hopefully have a coffee or a beer and a bit of lunch or something with them. I see that being a super fun time.


For more cloud careers, Azure and Azure IoT tips, make sure to follow John on Twitter, LinkedIn and YouTube or through Jonnychipz.com.

The State-Of-The-Art SOC

Chris Crowley is a US-based veteran cyber security expert specialising in security operations centers (SOCs). He works as an independent consultant through his company Montance, has a SOC-Class and is a SANS Institute senior instructor. He discusses how he carved his path in cybersec and shares some insights into what makes a state-of-the-art SOC.

How did you get started in cyber security? 

It’s kind of interesting. I started working in technology when I was 15 years old, back in 1988. That was my first job where I actually went into an office, as until then I had done a bunch of stuff off of my computer, independently, like doing mail merges for one of my mom’s friends in order to send out letters advertising her business.

They hired me to basically come in and do reel-to-reel backups. Literally, they needed somebody to put the tapes on and spin them up and get going. So that’s the kind of stuff that I started doing in technology.

I actually graduated in molecular biology because I thought I would go into medicine and scientific research. After I did basically a full undergraduate degree, I decided I didn’t really want to do that for work anymore. I had worked in labs, etc., but I didn’t want to do that for the rest of my life.

I had always worked with computers. So it was sort of an easy switch for me to do another undergraduate in computer information systems in order to have the credentials. So I did that, and I started working in IT operations.

In the 2000 time frame, there wasn’t a lot of cybersecurity focus. And then things started going wrong. I was working at Tulane University at the time. And the FBI showed up and they are like “you have to take all these computers offline”. We had problems with spam when literally, prior to that, there wasn’t really a problem with spam on email. I’ve dealt with compromised computer systems. I’ve had to deal with Blaster and Nachi, SQL Slammer, so all these early worms that we weren’t ready for and that destroyed networks.

So, that’s kind of how I got started on cyber. I was the IT operations person, and we had cyber problems. And it was a huge struggle initially because there wasn’t a lot of information. Now you can go Google cyber security but, in 2000-2003, you went like what on Earth is going on? You know you’d just have to try to figure it out.

And how did you eventually become the independent cyber security expert that you are today?

So, a major change happened for me personally in 2005. In 2005, Hurricane Katrina hit New Orleans. I was living in New Orleans at the time. My house flooded. Tulane University was dramatically impacted, so I went through this big disaster recovery experience.

And I had been doing a bunch of cyber stuff at that point, and I knew that that was the direction that I was going. I moved to Washington DC, and that kind of changed things. I started working at U.S. government agencies and working in cyber programs. Also around the same time I started teaching for SANS Institute.

At this point, I was like, “OK, if I want to continue along this path, it would probably be better for me to exit employment.” And this was not really something that I had planned to do. I had not planned to go into business, to go out on my own, but that’s what ended up happening. Mostly because I couldn’t balance the full-time job plus the training stuff and the opportunities that I had for some other things.

I kind of joke about it, but I had three part-time jobs that were about 50% of what a normal workday would be. I didn’t know how to do it and I ended up like this for the first three years. Just feeling completely overwhelmed and hustling and doing all the things that were necessary. And I wasn’t even really chasing customers. It’s just that I had like 3 contracts that I was working on.

Since then, I’ve continued to do that and I think I’ve gotten better. I still work about 60-70 hours a week, but it’s just kind of spread out and it’s a little bit more comfortable for me.

That’s my career in a nutshell. I have my company Montance that I do consulting through, I have my SOC class in which I do training for security operations, and I still teach through SANS Institute. I have the opportunity to do a lot of things.

What are you working on these days?

Right now, I’m working with a managed security services provider out of the Middle East. I’m also working with two large financial services companies doing maturity assessments or tabletops for their capabilities. It’s really interesting for me, and it has become phenomenal. Of course, it continues to be a little bit uncertain, always wondering where the next gig is.

You mentioned juggling all these part-time gigs as you exited permanent employment. What key learnings about yourself and the way you work have you gotten out of your transition into independent work?

I want to say yes to everything. I really do. People ask for help or want me to do engagements and so on, and I want to say yes all the time. And the problem is that I can’t do that. I have to pick which things I will actually engage in that will allow me to do a good job.

I’m the sort of person who wants to do all the different things. I’m not a specialist, I’m very much of a generalist. So, in addition to saying yes to everything, it has been hard for me to allow delegation to other people. It’s strange because, when I work in teams where I’m the team lead, I tend to be really good at delegating. But when it comes to my own work, when it’s more of a reflection on me, it’s harder for me to delegate.

So those have been the specific things that I’ve adjusted in my approach.

Where do you draw the line between a junior cyber security professional and a senior one?

That’s a great question. I like the terminology of junior/senior much better than the tier 1, tier 2, tier three kind of stuff.

A senior-level person is able to make an informed, coherent decision, weighing all of the appropriate information that might be available. A senior-level person should know that they need to get more business context. They need to be aware of other people in the organisation who might be affected by a cyber-based decision and get their buy-in or get them to weigh in.

I don’t think that I can expect a junior level person to have the appropriate level of awareness, skills and social interaction and acumen on all the details to be able to come up with that same complicated synthesis and then provide a defendable opinion. I mean, junior-level staff will try to do something like that, but they simply lack the experience and the capability and the technical acumen to come up with the best opinion.

What makes a state-of-the-art SOC?

Anytime I start talking about security operations centers, I fall back on to five things.

We’ve got inputs, people, procedures to work through, technology to work with, and then there are outputs, the sort of things that come out of the SOC that are work products.

From an input perspective, if you had to focus on one thing to have a state-of-the-art SOC, that would be the ability to absorb a tremendous amount of data at speed and have that be something that is constantly changing the instrumentation across every different type of system. Effective ingestion is a hallmark of the state-of-the-art SOC.

In older SOCs, what you would get was “Well, we need to write the connector for that, and we need to hire professional services to do that, and I can’t take the data in from that system.” State-of-the-art is “Give us the data, we’ll figure it out, and we’ll consistently be able to absorb it.” 

Also, you need to have a way to absorb historically, so even after things have happened. If you can go back in time for absorption, and this is relevant both to threat intelligence as well as to logging or other artifacts, then everything gets synthesized into the picture of what you’re doing.

For the people, the human aspect, you need people with skills and capabilities. The modern SOC is a learning SOC. The modern SOC is not a helpdesk. I don’t want to disparage the help desk, but the idea of a help desk is basically: we tend to have a given set of things that are within our scope; here’s what we do, here’s what we work on. If you’re part of this or meet the criteria, we run it through things and we assign it to the right people.

The state-of-the-art SOC handles uncertainty on behalf of the organisation. It handles the unprecedented. I can’t write a routine for something that we haven’t anticipated. We can say we’ll handle it. But then we’re going to figure out on the fly what to do. We’ll deal with it, and we will do it with a degree of grace. It’s not going to be highly polished the first time through. But it’s also not going to come crashing down with people quitting in the midst of it. Because that happens sometimes.

From a procedural aspect, a state-of-the-art SOC has a flexible deployment of its staff.

We have the ability to do a lot of things quickly and efficiently, but we also have adaptability, thinking and business relevance.

In terms of technology, I’ll name a couple of technologies, but I don’t want to limit it to these. As an example, if you don’t have a SOAR and you aren’t implementing SOAR, you are behind the curve. Right now, that is a technology that a lot of people are embracing. And, if you don’t have a SOAR technology, but you’ve written all of your own custom PowerShell or Python or whatever in order to do stuff, I still think that counts for SOAR. But that notion of effective automation is really important for current state-of-the-art capability.

I gave a talk at RSA earlier this year where I went through and listed out my technology taxonomy. It is basically every single thing that I could think of that a state-of-the-art SOC needs. You can find it in PDF here.

Finally, the fifth thing that makes a state-of-the-art SOC is the artifacts that come out of it. The modern SOC is more about portals, automatic notifications directly notifying the constituents as well as the affected system owners and responsible parties with minimal human interaction.

The SOC analyst is interacting with some form of a system that’s collecting that information, and the system is notifying people rather than the analyst copy-pasting everything into a Word document, printing it to a PDF, and sending that out. I have no problem with collecting reporting into a document, but we already have that data in our various systems. Why aren’t we just programming them to do what computers do well? You know, hit the bits that need to be hit and distribute that information appropriately so that it’s much more portal-driven and constituent-focused than “Here. Encrypt this report.” It’s hard to get there, but I think that that’s a hallmark of the current state of the art.


For more cyber security and SOC-related tips, make sure to follow Chris on Twitter and LinkedIn or through Montance.

Join his SOC-Class for a deeper dive into security operations centers. August and November sessions are now available.

The Career Path of a SAP Consultant

German ABAP expert Martin Fischer is a Business and SAP Portfolio Manager at BridgingIT, SAP Mentor and a host of the SAP Coffee Corner Radio podcast. He recently sat down with us to talk about how he got started with SAP and discuss the career path of an SAP consultant.


What is the SAP consultant career path: How did you get started in the SAP ecosystem?

I started to become interested in computers and technology when I was 16 or 17. At that time, I was about to start an apprenticeship in business administration at a wholesaler for tires and other technical products. I had had some Visual Basic for Applications lessons in school before, so I started supporting the financial department by writing a macro in Excel or Access, I don’t remember for sure.

The head of the department got interested in my skills at that time, and they were about to start an SAP project to implement SAP FI in SAP 4.6c. That was the coincidence that got me started in the whole SAP ecosystem, and it’s been 20 years since.

Of all the career paths available within SAP, why did you choose ABAP?

I worked on that project for one and a half years and took over the responsibility for running that system. A year after, I decided to study computer sciences and business and, during my studies, I became more interested in software development. So, I thought, OK, I have a background in SAP, and there is a need for ABAP developers: why not look for a job in that area? And so, I did.

And what has been your career path as an SAP consultant since then?

I joined a consultancy in Zurich after my studies and was there for about a year. Then I moved over to Capgemini and was there for three years. Now I have been with BridgingIT for almost 10 years. I left the development space and moved over to more architectural stuff, as well as team leading responsibilities. I am not programming for the whole day anymore. Actually, I seldom program now. But it’s still in my roots, and I like to dig into the technological details.

What were the biggest challenges you faced when transitioning into a more managerial role?

Becoming the team lead of my former colleagues. There are a few of them who have much more experience than I do, so it was a bit of a challenge for me. I guess it wasn’t that much of an issue with them, or at least I had that feeling. But for me, it was different.

The second one was having to care about more people and things in many aspects. So, consulting, finding the right project assignments for my team, etc. It was a bit hard because the role involves some pre-sales and that part was hard in the beginning to learn. Also having to accept that I don’t have that much time anymore to focus on my technology topics. Now I have multiple other topics to devote time to during the day, and I had to accept that I will, over time, lose the deep knowledge of the latest technologies.

But now, after more than four years, I have accepted it and I’m fine with it.

What do you enjoy the most about your new role?

The possibility to drive things in the direction I want to, or which I think is the correct one. Of course, I don’t decide that all by myself, but I have a bit more influence than I did before.

I also enjoy very much the interaction with customers, so the pre-sales part that was so challenging in the beginning turned out to be something I really like. I’m much more confident in these discussions now. The first times, you are very nervous. At least I was. Nowadays it has become more of a routine, and I really like it.

What do you value more, certifications or experience?

There are many things you have to learn for the certification exam that you don’t ever use again. That’s actually one reason why I’m not really convinced that getting many certifications is real proof of qualification or knowledge. I’m quite sure you can get the certifications if you do a proper preparation for them and learn the stuff they will ask you for. But you will not really be able to work with the technology you are certified for. I rate experience higher than certifications.

When does pursuing certifications make sense?

I would say at the point in time I did my certification, as a junior, it was a good thing to have it because, especially if you work for a consultancy, it helps you to get better project assignments. Some customers are still looking for it. But, in the development area, I don’t see the need to do all the certifications that come with the technology. I don’t see the value in that.

Sometimes you have to do it as a partner to maintain your partner status. That’s another reason why sometimes you have to get certified.

But, from a career perspective, I’m not a big fan of certifications. I think there are better ways of getting a deeper understanding of what you are doing. Get involved in small projects, do a POC, get your hands on the latest technology somehow.

You are an SAP Mentor. What is the Mentors program like?

The program has changed a lot over the last 3-4 years. I’m now almost at the end of my 4th year in the program.

There’s a new program called SAP Champions which took over the community focus and the focus on the outside community, which was also part of the Mentors program. The program now focuses more on providing feedback to SAP on certain topics.

It’s an honour to work with all other mentors in the team because they are all very experienced. The international aspect is also very valuable for me because you get to hear things going on in the United States, Australia, or Asia, and things are different in different countries, so it’s also something you have to learn.

What career advice would you give to other SAP and IT experts in general?

Stay curious and never stop learning. That is very important. And work in something that you like to do. I am lucky to have a job I really like. I cannot imagine investing so much time in something I don’t really want to do.

I think that’s very important. More important than more money, etc. If you have passion for your job, money, at least in technology, comes along.


For more tips on how to navigate the career path of an SAP consultant, make sure to follow Martin on Twitter and LinkedIn and through SAP Coffee Corner Radio.

How to Become an Azure MVP

Gregor Suttie is a Glasgow-based Microsoft Azure MVP and Microsoft Certified Trainer working as an Azure Architect at Dutch firm Intercept. He helps run the Glasgow Azure User Group and is a prominent Azure family and community member. He recently stopped by Mission Control Center to discuss cloud careers and how to become an Azure MVP.  


How did you get started in IT and with Microsoft technologies?

I have been in IT for more than years, so it was quite a while ago. I was one of those people who don’t know what they’d like to do in life when they are at school. But a high school friend encouraged me to try doing some computer programming, and I really enjoyed it. After school, we went on to do some college-level computing and programming courses, and I got a part-time job doing AS/400 at a bus company.

After that, I went to Paisley University just to the west of Glasgow to do a one-year degree in media technology, which is slightly computer and programming-related even though it sounds like media. When I finished there, I applied for a developer role and gained some Microsoft experience but nothing too deep. I started learning HTML from Notepad, believe it or not. That was back in the day when HTML was the first thing. Using Notepad to code was interesting. I was even learning Java in Notepad as well. It wasn’t even an IDE. So that’s kind of how we got into baseline Microsoft technologies, just using basic programming.

I then got my very first junior role at a software company: Interactive Developments in Sterling. And I went in there as a junior with absolutely zero experience, so it was quite frightening but really exciting at the same time. I was really lucky there was a very senior lady who was the senior dev, and she took me under her wing and basically showed me how to write code properly and test it, how to deploy it and, more importantly, write good tests to the code that I was trying to write, which wasn’t very good at that point, but she kept me right. And that’s kind of how I started. I was basically doing VB 6 in that job for three years, learning VB 6 under the wing of a good teacher. Very lucky to have someone mentor me like that.

And then you became one of the first 50 Microsoft Certified Solutions Developers (MCSD) in the world. How did that happen, how did it feel?

Yeah. After about three years, we were moving away from VB 6 and towards Microsoft .NET, so I was learning that during the day at my job, and at night as well.

It was the first time that they had ever offered the MCSD exams. I think it was two exams, and I went for them and passed them on the first attempt, which was really cool. But mainly because I was doing a lot of studying and hands-on.

I got a letter signed by Bill Gates together with a copy of the software saying that I was one of the first 50 people in the world to have passed that exam. I don’t actually still have it, as it got lost when I moved house, but I got the Visual Studio box with all the posters and all the CDs in there signed by Bill Gates, which was exciting.


You are also an Azure MVP. How can one become an Azure MVP?

Three or four years ago, you used to be able to nominate yourself for the distinction. But they got rid of self-nomination because so many people were nominating themselves, so they just couldn’t cope with the number of nominees. They changed it to make it that you had to be nominated by someone from Microsoft or an existing MVP. So, I asked someone to nominate me and it eventually happened.

It’s all basically based on community contributions. How to become an Azure MVP? The main thing is that you shouldn’t try to become an MVP. You should just do what you do, and it will eventually come along. You have to do blog posts, talks, help out through user groups, all that kind of good stuff. If you’re doing that on a regular basis, then someone might nominate you.

Once you are nominated, you have a form to fill in with all the contributions that you’ve made over the last 12 months. You fill that out and send it off, and the person who deals with the form contacts you within three months just to let you know if everything is okay with your form.

And then it basically goes into the ether. You don’t hear anything until you get awarded. On the 1st of every month, they come out and communicate the seven or eight people in the UK who have now been awarded the MVP. That’s kind of the short version of how it works.

I couldn’t believe it when I got it. It’s probably my biggest achievement so far.

As someone who knows well how to become an Azure MVP, what’s your advice for those who are just starting out in their cloud careers? What certifications should they pursue?

I always ask people: what are you interested in? Sometimes it’s worth trying to write the Venn diagram and put in circles what you like. So, are you a developer or are you more of an ops person? Can you code? Would you like to code, or not? That’s kind of how you start.

What’s your background? Some people don’t have any background and they’re just learning from the very start. If you want to learn from the very start, it’s probably best to start off with the Azure Fundamentals exam. In fact, I always recommend that you start off with the Azure Fundamentals exam because it will give you a nice introduction to the Azure exams. It will also give you the confidence that you have managed to pass a fairly tricky exam.

If you’re new to the cloud, the Azure Fundamentals exam is actually a little tricky because it covers quite a lot of things. If you’ve got experience in Azure, fair enough, but, if you’re new to it, I would start with the fundamentals. And that goes for all of the courses.

These days, there’s quite a lot of demand for Azure administrators, people who can set up all the Azure resources. So, the Azure Administrator certification is quite a good one to go after. But other areas like Azure Power Apps are becoming very popular as well. Power Apps is a low-code platform, so it’s nice for people who aren’t massive programmers but are into coding.

Go to Microsoft Learn and click on the certifications link on there. Have a look around and try and figure out what you are best at.

Also, the online Azure community is amazing. If you go on Twitter for example, under the hashtag #AzureFamily, you will find lots of amazing Azure people. If you want to get started with Azure and have got questions on how to get started or even about how to become an Azure MVP, then definitely please do reach out to me or reach out to anyone in the #AzureFamily and they will definitely help you. Don’t be shy if you’re stuck with anything. Reach out and someone will help.

Your background is in development, and then you moved into DevOps. What was it like to be, all of a sudden, in the middle of development and operations teams?

It was interesting. I worked at a large bank two jobs ago, and the developers were on one side of the fence and the operations teams were on the other and they had nothing in between. And I couldn’t really understand this. So, what we would do is work on a two-week sprint, and then we would build the code, test the code, and I would pass it over to the ops team who would then deploy it, but we would never really speak to each other, and I thought, “This is really bizarre. How does this work? This can’t be a good relationship.”

So, I got to know the operations team. They were in New York and we were in Glasgow. I got really friendly with them and kind of started to bridge the gap, and I created a role for myself where I sat in between the two teams. I made sure that the code was all built and tested. Then I could help pass it over to the ops team and show them how to deploy it correctly because before that they would just deploy it. It would break because there was no real handover.

Anyone in the operations team could pick up and deploy the code, and the devs had an idea of what documentation to make. It was quite an interesting role. Before I did that, there were two separate teams who didn’t talk to each other. It was a good way to kind of bring the operations and dev people together.

Now you are an Azure Architect at Intercept. What are you working on as part of your role?

We are helping independent software vendors (ISVs) from all around Europe move from on-premise to Azure. The projects that we’re working on these days are basic setup designs for companies who want to move to the cloud or that are already in the cloud and want some extra governance.

We design it, we implement it, and we also look after it. So, we’re doing managed services. I’m really loving working here. Plus, it’s really interesting to work for a foreign company. I’m based in the United Kingdom, in Scotland, and I work for a company in the Netherlands. So, it has been really good fun.

Since the Covid-19 pandemic began, a lot of companies have been rushing to migrate to the cloud. What are the biggest mistakes you are seeing being made as a result of this hastiness?

I do some workshops on governance and Azure, so basically setting up things correctly from the get-go. And sometimes we see customers who have started in Azure and have created resource groups and have started deploying stuff but there’s no governance in place. There are no rules, no naming conventions. There are no limits to what you can deploy and who can deploy what.

When I deliver my governance workshops, it’s quite interesting to see people who are like “Oh, I didn’t know you could do that.” It’s just things like stopping people from being able to deploy huge virtual machines, stopping people from leaving things running. In the cloud, you can spin up things quickly, but some of them can cost quite a lot of money. You can burn through your credits and your money quite quickly in the cloud if you’re not careful.

I have also seen some poor naming conventions where everything is just random names and it’s really hard to work out who deployed what and when and what. It’s quite funny when you see a mess and you’ve got to go and tidy it up. I don’t often see that, but one or two customers have kind of run before they can walk.

So, governance is mainly the thing that people need to keep an eye on. It’s easier to do it from the start. You can certainly put governance in once you’ve got your Azure environment running, but it’s just nicer and easier to do it at the start.


For more tips on cloud careers and how to become an Azure MVP, make sure to follow Gregor on Twitter and LinkedIn and don’t forget to check out his blog.


Becoming an Oracle Certified Master: My Ticket to a Stellar DBA Career

Born in Brazil, Rodrigo Mufalani is an expert Oracle DBA working at IBM as an Infrastructure Specialist for hybrid cloud projects. He recently sat down with us to discuss how he got started in his DBA career and how becoming an Oracle Certified Master and Oracle ACE catapulted his career and allowed him and his family to start a new life in Luxembourg.


How did you get started in your DBA career?

My journey in the database world started a long time ago, back in 2004, and it happened by chance. 

I was at college at that time and applied to a developer position at a company, but my programming logic was not as good as that expected from a developer at the company. But the HR department saw that I did pretty well on the SQL part of the test and invited me to apply to an internship position as a DBA. 

Why did you decide to pursue that opportunity and go down the Oracle DBA career path?

When they offered me the position of DBA, I started looking on the Internet for what exactly a DBA was. I had no idea at that time.

I had started my career doing first line IT support, helping out with Windows installations and network stuff. But I was searching for something closer to the development side of things, as that’s what I was studying in college. So, that offer was perfect.

And that’s how I became an Oracle DBA. I think it was destiny. 

And now you are an Oracle Certified Master (OCM) and Oracle ACE. How has that helped you in your DBA career?

It has helped a lot in my career. It’s why I am speaking to you from Luxembourg. Until 2018, I used to live in Brazil with my family (my wife and kid). Because after the certification, I got an invitation from a company based here in Europe to move here and help them with their customers.

How is the exam to become an OCM?

I cannot talk a lot about it because I have an NDA, but I can tell you it’s pretty hard. 

You have to prove you have hands-on expertise in a list of skill sets in different areas, some of which you rarely use on a daily basis. And it’s pretty hard because you have time, your mind and the exam itself against you. It’s a two-day exam at Oracle’s headquarters, and I took my exam in the UK.  

At the moment, and due to Covid-19, the exam is suspended, so there have not been new Oracle OCMs since 2020. But the future OCM exam, if there is one, will probably be related to the cloud and offered online.

What about the Oracle ACE award? When did you receive that one? How has it helped you in your DBA career?

I can’t believe it happened more than ten years ago, in 2009. Especially because it’s not an easy distinction to maintain over the years. If you receive the award but you don’t keep participating in the community, sharing your knowledge with the community, you lose the award. 

It’s funny because I remember I was reading the email in which they notified me that I had been awarded the distinction when my boss at that time called me into his office to go over some stuff. And I told him I just got awarded the Oracle ACE award, and he goes “Oh, congratulations! But what exactly is that?” He just had no idea. It was so long ago. I was the third person in all of Brazil to be given the award. 

The program has grown a lot since then, and it’s a pleasure to continue being part of it. I like talking a lot with people and love to do presentations and talks at conferences. I founded the Luxembourg Oracle User Group with some colleagues, and I’ve had the opportunity to speak at several conferences. Also, I even had the opportunity to go to Azerbaijan before the Covid pandemic, and it was amazing. I have met so many great people through these conferences.

I must really thank the Oracle ACE program for giving me the opportunity to meet all these amazing people.

What is your main role at IBM?

Right now, I am helping with a large migration project for a big customer. I am doing some automation and am involved in all the migration activities as part of the cloud migration team. So, ensuring performance, that all is done according to the plan and on time, etc.  

For the moment, I am mainly helping with Oracle-related subjects. My role is a little bit wider, spanning to all things database-related, but for the moment I am mainly playing with Oracle.  

As a DBA, what are the most challenging aspects of working in a hybrid cloud environment?

Nothing in particular. The same challenges that we have all the time. So, tight deadlines for delivering projects, ensuring as little downtime as possible, etc. The customer always wants to have the, and we try to deliver the best to them.

What advice would you give to those starting in IT?

My advice for the starters in the field of technology would be to read and research as much as possible. Try to pay attention to the senior people around you and don’t be embarrassed to ask questions. But ask questions after you try. Of course, in a safe environment, not in the production environment.  

I prefer that someone ask me after trying this or that step and failing to find a solution. Sometimes, people get so accustomed to getting every answer at once that they don’t even try.


For more advice on cloud careers, make sure to follow Rodrigo on Twitter and LinkedIn, as well as on his blog.