 Welcome back to the Career Hacking Village here at DEF CON Safe Mode. Many times when we're talking on social media or on Discord, we're always asking, what is the best career path? And several times people will say, no, this is the way, no, this is the way, no, this is the way. What we can tell you is that there are many different ways, and I'm really excited to have my friend Pablo explain how he sees it and his recommendations on your career path. Take it away, Pablo. Thanks, Kathleen. So this talk is titled, In Theory, There's No Difference Between Theory and Practice. And so where did this come from? First of all, it's normally attributed to Yogi Berra, who dropped other pearls, like when you come to a fork and a road, take it, but this was actually not one of his. So the difference between theory and practice actually, according to Snopes, appeared first in the 1986 book about programming, the art and science of programming. So I thought it was apropos. A lot of times when we talk about how to get into infosec, we devolve into this discussion about going to college and learning theory or the school of hard knocks to learning practice. And so there's always this push and pull between theory and practice. So why are we here? As Kathleen mentioned, about every six months or so, we see these kind of flame wars and discussions pop up on Twitter about how do you get into infosec? And it comes from all sides. So you have some people that believe that security is a prestige class and that you have to spend 10 or 15 years on a watch floor or on a call desk before you can join security. And you have some people saying, look, I didn't go to college. I've got a fantastic infosec career and I make a ton of money and the college kids seem really upset by that. And the truth is there are many paths and they're all valuable. It's a matter of what you want to get into it and who you are as a person. So I thought it would be best to have a nice, balanced discussion on that. So why do we even have this discussion? Why does it matter? Well, we all go through these little life transitions, right? We finish a school, be it high school or college or a trade school that we have to go out and find work. Many of us serve some time in the military and we have to figure out what we're going to do once we take the uniform off. Some of us have life changes. We get married or we have kids or something in life changes and we decide that we want to do something else. Or sometimes our careers just go away or we decide we're just dissatisfied with our careers and we want to get into this thing called infosec. And so how do we really do that? So some disclaimers. First of all, these views are mine and mine alone. They don't belong to my employer. There's an exception to be found for absolutely everything I'm going to say. So if you try to find fault with this talk, congratulations, you will. Again, these are these are my opinions and what I've experienced. And those opinions are based upon my observations. But I'm also going to freely admit that I have biases, right? I took a very particular path and I've seen what I've seen and I haven't seen what I haven't seen. And so your mileage may vary. So a little bit about how my path came into infosec so that you understand kind of my latent biases. I've been doing this for a little bit. I got access to my first 8088 class computer in 1981 and then played with modems and BBSs. In the early 90s, I was a developer for expert systems. Those of you that are in AI may know what that is. In 1993, I went through a life change and I decided to join the United States Navy. Got a degree in computer science in 1998, spent some time at NSA. Got a master's degree in computer science 10 years after my bachelor's. Went back to cyber command. Then what was faculty at the Navy's postgraduate school teaching master's level computer science and information sciences. Then I went to US special operations command hacker maker space called softworks and I just finished a PhD in information sciences. Now that said, the picture is a little dated, but you might be able to make out that that's actually me with the rest of the school of root. So I have been in the community for quite a while. So with that all being said, we're going to have this discussion. Let's try not to turn it into a flame war. We can disagree, but we should be respectful about how we disagree with each other. So those of us that have been around for a really long time, remember the quote unquote traditional path and infosec job. There was no cybersecurity degree when I came up and went through college. And so the running joke was that if you wanted to be a computer security expert and you could either go out and work in a sock watch floor, become a forensic analyst and then the lab director and the chief security officer and 20 years later, you would be highly paid consultants or the hacker method where you became a hacker, you became a criminal, you got convicted of a crime and two years later, you were highly paid consultants, maybe 14 months with good behavior. Those days, unfortunately, or fortunately, depending on your standpoint may have gone by the wayside. So what are the contemporary paths? How do most of us get into infosec careers this year? Well, there's typically three paths. There's the School of Hard Knocks, there's the certification path, and then there's the college education path. And each of those come with their own pros and cons. And so we should discuss those a little bit. So the first one is the School of Hard Knocks. This is where you kind of teach everything to yourself. It's a very traditional path for hackers because there used to not be college classes. There used to not be a CEH or a CISSP. You had to go out and read Frack Magazine and read 2600 or go to hacker boards and teach this stuff to yourself. One of the pros is the cost. The cost is essentially free. You only learn the things that you're interested in learning. You don't have to bother with any baseline things you don't care about. It takes the least amount of time before you get to the subjects that you care about. We'll come back to that least amount of time. And you get practical skills now. You learn what you need to solve your problems. And so you become a practitioner immediately. And really, you're only limited by your personal drive and talent. Nobody's going to tell you that you've got to learn about X before you learn about Y. Nobody's going to tell you that you have to spend two years doing this before you go do that. You can just hop right in and do the things that you're interested in doing. So what are the cons? Well, I mentioned time, least amount of time of the three pads. Well, that depends on how you cut it. Generally speaking, there was a paper called Outliers by Malcolm Gladwell that says, in order to become an expert in any one thing, you have to spend 10,000 hours doing it. So 10,000 hours, if you break it out into eight-hour workdays means 3.42 years, which sounds remarkably like a bachelor's degree, which takes about four years. And when you add summer vacation and when you add spring break, you're at four years. You can do it faster. And again, your mileage may vary. If you're a very talented, very driven person, you might be able to do it in less time. But it is still a substantial amount of time if you want to become an expert. Typically speaking, when you go through the School of Hard Onox, you're all practice and very little to no theory. And the problem with all practice is that the tools change. And the tactics techniques and procedures change. And the approaches change. And if you're not based in a theoretical background and you're not actively using it, those skills become very perishable. And so if you're not actively using it, you're going to lose it very quickly. And you're going to have to come back and reteach yourself. Employment opportunities, boutique shops are a good opportunity for you because they're smaller and they're willing to take a chance. A lot of the boutique shops are started by rock stars in this community. And they didn't take a college education in many cases. They learned through the School of Hard Onox. And so they understand it. Independent Consultant is another one. You have to do your own business development. But you can certainly do that. You certainly can't get hired by a corporation. The challenge with getting hired with a corporation without a degree is you have to pass the HR check, the human resources check. And the problem with that is the way that the industry has moved is a lot of times, unless you get a personal introduction, you have to go through an automated resume system. And it's looking for certain ticks. And if you don't check one of those ticks, like maybe they require a bachelor's degree, your resume may never get seen by an actual human being. The other issue with the School of Hard Onox is survivability. So when we go through hard economic times, what happens is usually there's an accountant somewhere, an executive somewhere that wants to cut cost. And the first thing they cut is high cost assets which don't have a whole lot of background. So it's easy to justify in a business sense, paying somebody with an advanced degree a large sum of money because they've got a demonstrated record that the school vouches for it. That may be harder if you learn through the School of Hard Onox, unless you're a name brand. If you're a name brand, then that may be different, but it is something to consider. So here's a fantastic example of an absolute rock star who came up through the School of Hard Onox, Frank Haidt. So, you know, Frank got started in this earlier than I did. He started with a PDP in 1979 at his home. In 1981, he emancipated and went to go work for Chase Manhattan, never finished 10th grade. So not only does he not have a college degree, he doesn't have a high school diploma. He's one of the best read, most educated people I know without any formal education because he's just a tremendously driven and intelligent individual. In 88, he went to work for the New York Transit Authority, created the emergency 911 system for MCI, went to go work for NAFC and SWIFT PAC, which are Navy entities, found a NSA penetration testing operation in 1997 and became the 10th employee at at stake in 1999. And since then he's founded Leviathan Security, which has a tremendous name in the industry and he's been a 10 speaker times three. So again, no formal education, just a tremendously talented, driven individual with a curious mind. So absolutely, you can do this without certifications and you can absolutely do this without education. And here's a fine success example. So the other way is certifications. Those have come into vogue of late. And we've all kind of heard the names, there's your CEH and OSCP and OSCE and CISSP and what are all these things? Well, the first thing to be aware of is not all these certifications are created equal and they're intended for different audiences for better or worse. If you wanna work for the US government, you're probably gonna do much better if you have a CISSP and that's actually true in industry. I've got one, I've got my own thoughts on that certification as compared to other certifications, but it's important for you to weigh what it is that you wanna do for a living, what kind of career you wanna have and see if that certification is gonna help you get that job or help you become more proficient in what you wanna do. Many of the certifications focus on practice with little to no theory, but there's some exemptions. They're vendor motivated. Those certifications are there to make money, right? They wanna sell you a bootcamp, they want you to pay for the class, they want you to pay to take the certification and then they want you to pay fees to maintain that certification. There are lots of paths to getting these, but primarily you can take a class, a bootcamp or you can do online and self-teaching by picking up a book. Most of these certifications have books where you can teach yourself the same things and then your certification exams are tends to be to either proctored exams, which means that you go to a testing facility and they verify you are who you say you are before you take the exam and then there are online exams. One of the things that does come up and it was a problem in the past with some of the certifications is that the online exams, you could actually go out and pay somebody to take the exam in your stead and get the certification. So once that's out, those certifications become less valuable in the eyes of industry. And so just be aware of that. So what are the pros of certifications? It's a great bootcamp, right? If you're starting at zero and you don't know how to get going, you're gonna get lots of practice in a very short amount of time. Most of these bootcamps are a couple of days or maybe a week long. Some of them are a little bit longer if it's a program. You're gonna go from nothing to functional a very short time. Theory may vary, but typically very little theory in these. If you do a bootcamp, you're gonna get some lead learning, which means that you're gonna have somebody that's ostensibly a subject matter expert to answer your questions. There's gonna be defined progression of knowledge. So if you don't know where to start or where to go next, typically these bootcamps will help you out with that. In the certifications, many of them will help you pass an HR check because they're familiar with the vendors, they're familiar with the certifications and they're familiar with the knowledge you have to demonstrate in order to achieve those certifications. And so in many cases, those automated resume checkers will actually tick the box if you've got the right certifications that they're looking for. So what you're looking out of the screen now is two courses. In the red box is one course and in the blue box is the other course. And my question for you is what is the difference? And I'll give you a few seconds here to read it. Good. So both of these are actually courses and exploitation development. One of them is a master's level course. The other one is a course from a vendor that you take in one week. So the master's level course takes 12 weeks. The vendor course takes one week. You're covering the same information. But what you should think about is if you take it in 12 weeks, are you gonna get a much deeper understanding and much more practice than if you take it in one week? And I would suggest that, yeah, you will. If you're spending 12 weeks with the material, you're gonna spend more time exploring that material and going deeper on it than if you spend one week. That doesn't mean that you're missing out on a whole lot of stuff. You've taken the one week, but just be aware that a one week bootcamp is just gonna give you an introduction to all of these subjects. And so you're gonna have to go through and spend some of your own time really studying it. So what are some of the cons of certification? So I went out to a well-known vendor who will remain nameless and I pulled up the cost for achieving their certification. So their one week class is $6,200. And then you have to wait a certain amount of time before you can take the certification. And so if you want access to their online labs after the course, it's another $729. So we're up at $7,000. And then each certification attempt is $729. So you're up close to $8,000. And that's if you pass it the first time. If for whatever reason you fail it and you have to go back and take it, well, you're probably gonna need access to the labs and you're probably gonna need to pay for another certification event. So that's another $1,500 every time that you fail to pass. And then on top of that, you're gonna have to pay to renew this every three to four years. So at $8,000, and we'll talk about the cost of college later, but $8,000 is a substantial amount of money, not just compared to college, but compared to anything, $8,000 is a substantial amount of money. The other part is, as I mentioned, the certifications tend to be tools focused, not always, not all certifications, but they tend to be tool focused. And so they're perishable, right? If you take a certification and then you don't do that on a daily basis for your job, your skill in that set is going to deprecate. The other thing is, what do they demonstrate? And so there's this ongoing discussion that always happens about, does that demonstrate knowledge or does that demonstrate your ability to take an exam? And different people have their own biases on this. I absolutely know people that could not pass a certification exam that absolutely had mastery of the material. They just couldn't take a test. And I've also seen it the other way where somebody passes the test and they clearly knew nothing about the material. And so there's really a discussion there that happens and hiring managers will think about this, about does the certification really demonstrate that you know what I need you to know? So let's talk about college. I know that this is a very personal subject for a lot of people. Not all schools and all programs are created equally, okay? If you go and get a computer science degree from MIT, it's gonna be very different than if you get a computer science from maybe a community college or from University of Phoenix or some other schools. Take a look at what the reputation is, not just of the school, but of that particular program in that school. Most of you have never probably heard of University of Texas Dallas. They happen to have one of the top ranked schools for computer science in the country. University of California, Santa Barbara has one of the top ranked schools for cybersecurity-based computer science. So really take a look at the programs, take a look at the schools and realize that they're not all created equal. Most of the colleges will focus on theory with varying levels of practice. And again, that is a question that you should ask when you're considering a school and a program. How much is this theory and how much of this is practice? Then the other question you wanna ask is, do I wanna just study? Do I wanna become a full-time college student or do I wanna work and study? Now, some of us, we're not gonna have that option. Our life situations are such that we've got people that depend on us, we've got dependents and so we're gonna have to work and study and that's okay. But for those of us that have the choice, we've got to balance possibly taking larger loans out to concentrate on our studies, vice taking smaller loans out and working and studying. And that's very much a personal choice. Job placement, if you're gonna go to a college, you should find out if they're gonna help you get a job afterwards. College degrees are not cheap, they're very expensive. And so getting the degree shouldn't be where your college stops. If your college or university should help you with job placement afterwards. And then there's a value proposition versus cost. If you, getting a college degree in something that is not marketable is a personal choice. So really, if you wanna work in Infosec, that history degree may or may not help you and we'll talk more about unrelated degrees either. But if you know you wanna work in Infosec, perhaps you wanna consider cybersecurity or an IT or a computer science degree. But there are other degree paths. You can either get an unrelated degree and get into Infosec or you can get a related degree and get into Infosec. And those have their own pros and cons. And I'll show you an example of somebody that has an unrelated degree and has a fantastic Infosec career. So the pros of colleges is that all industries and all companies recognize bachelor's degrees and master's degrees and PhDs. They're resilient, they tend to be theory focused which moves at a much slower pace than practice. And so the tools change the theory very rarely does. But if you've got a degree in that field you're gonna get that HR pass. If they're looking for a bachelor's degree I'm not aware of somebody that says, well you've got a bachelor's degree but it's not the right bachelor's degree and therefore we're not gonna take you. Job survivability I talked about when we hit hard economic times. The people with degrees that have been in the that are working in a field with their degree tend to be more survivable than the people that don't have degrees that are working in a field. Right, wrong, or otherwise that's just kind of how it happens. It's a non-perishable skill, right. Again, I talked about the 10,000 hours become an expert 3.42 years. That's roughly the amount of class time that you're gonna spend getting a bachelor's degree. Writing, writing is absolutely critical. I'll talk more about that. You're gonna spend a lot of time writing in college. You can be the best penetration tester in the world but you have to be able to communicate your findings in writing. And if you can't do that you're probably not gonna be hired back. Non-related courses, is that actually a benefit? I actually believe it is. It's easy for us to learn things that we're interested in within our chosen major. It is much harder to pay attention and learn things that we're not familiar with than we're not good at. But learning is like anything else. The more you practice at learning the better you become at learning. And so as you're asked to learn new things throughout your career it actually becomes easier to learn things if the more you've practiced it. And then cost, it may or may not be a pro. Again, that depends on how you choose to fund your college education. If you use grants and scholarships then cost is probably not prohibitive. But you also have to make some lifestyle choices about how you wanna live while you're going through college. Otherwise, you're gonna end up racking up a lot of debt that may or may not be a good value proposition. So writing in unrelated courses writing is absolutely critical for success. That's not just me saying that's Lenny's ulcer. Lenny's ulcer among various and sundry other things is a fantastic SANS instructor and he teaches the reverse engineer malware. And he says, listen, if you wanna excel on information security you've gotta have strong writing skills. Often these things are ignored. Many of us don't like to write. I am not a fan of writing. I'm not gonna sit there and practice writing and I don't do short stories or any of those things. And I know lots of people do and I envy them. It is something that I've had to work very hard at. Most of us in this field tend to ignore writing because we're more interested in the technical skills. But just like technical skills, writing requires practice. And so if you go to college and you're forced to take unrelated classes you're gonna be forced to practice writing. And it's one of those things that if you're not gonna do it on your own you need to find somebody that's gonna force you to do it. This may help you do it. The other thing is that understanding other fields helps you explain things. Very rarely are we gonna do infosec for the sake of infosec. Normally we're gonna do infosec for the sake of a company that company's mission may not be infosec. It may be a bank. It may be an educational institution. It may be an engineering institution. And if you can't understand what it is that that company does you're probably not gonna be able to communicate very well why they should be concerned about infosec. So what are the cons? Well, cost, right? You have to be cognizant of the financial cost of college. College is definitely not cheap. You have to make some choices about how you're gonna live. You have to think about the applicability. Unrelated courses are gonna be required. Listen, any degree that you get you're gonna have to take English composition and you're probably gonna have to take history and you're probably gonna have to take college math. It's something we all kind of suffer through but you're just gonna have to do that. The baseline related courses are good because that's where you get your introduction to theory but they tend to be not very exciting. For those of us that love this stuff we already kind of know how to program in Python, right? We don't really need to intro to Python class but the college is gonna probably require that if you're taking computer science and so you're just gonna have to suffer through it. One of the criticisms is that college is not practical. They tend to be a little bit behind and that's true in many programs. They're not keeping up with the latest and greatest because they're not trying to teach you practice and many cases are trying to teach you theory which moves at a much lower pace. The other problem is time. College requires a significant time investment even if you're a full-time student it's probably gonna take you three or four years to finish a bachelor's. A master's is gonna take you even if you're a full-time student probably two years. So let's talk a little bit about the cost. This is the average cost as pulled from an independent journalist for a university. So a public two-year in-district is $3,400. A public four-year is $9,000. Now, if you remember a few slides ago we talked about certifications and a one-week class in a certification attempt was $8,000. So for $1,000 more you get to spend an entire year at a university becoming a dedicated learner. So what's the value proposition there? If you're gonna go to an out-of-state school yeah it's gonna be a lot more expensive, right? You're looking at on average $24,000 and if you go to a private university you're looking at $32,000. So these are all things to keep in mind maybe the best option is not to move far away from home unless you're chasing a particular school in a particular program because they really teach the things exactly that you wanna learn or they have good insight in the industry that you want to go. If you wanna work in Silicon Valley absolutely go to a University of California school, right? Because they're there and they have established relationships. But these are just the cost for tuition and fees. These don't include things like your living expenses. They don't include things like your meal plans and they don't include things like your books. Let's have a little bit of a discussion about reducing cost. This is a mock-up of my dorm room. Actually, that's not quite true. This is a mock-up of the dorm room after they remodeled it after I graduated. It looks pretty much like a prison. I lived a very smart lifestyle but because I did that I incurred very, actually in my case I incurred no cost. But if you wanna have a really nice apartment and you're a full-time student and you're not working recognize that your lifestyle is gonna go on your student goals and so that's gonna drive up your cost. And so while I fully recognize that college is expensive I often question when people say, well I've got $107,000 of debt for going to school and I ask if they lived in a dorm and they show me pictures of this fully laid out apartment with giant screen TVs. Delayed gratification is a thing. If you don't wanna incur a lot of cost while you're in college you may wanna cut back your living expenses a little bit. So comments of college, the applicability you're gonna be taking a lot of unrelated courses you're still gonna have to pay for those courses. Again, they're tangentially related. Practice varies, not all programs provide you the same amount of practice and not all schools are the same, right? Contact hours with your professors and your instructors matter. Faculty that have been in the real world and really are subject matter experts matter. One of the things I will tell you is you were gonna meet a lot of faculty members at some schools that have never been in the real world. They've spent their entire life in academia and so their view of industry and what's needed to succeed in the industry is gonna be very different than someone who has spent some time in industry doing it. Usually you get good, faster, cheap, choose two with universities and college education it's normally choose one. There are some that are good and cheap that's rare, you really have to be lucky enough to be living close to a school that has a good program but they're definitely not fast. If it's fast, there are some schools out there that are online and they will tell you that you can get a master's degree in one year. It's probably not gonna be cheap and it's probably not gonna be good. Let's be honest about that. So go into it with your eyes open. The other thing that you see is a lot of schools are gonna advertise that they're NSA academic centers of excellence. I will tell you having taken two schools through that certification program that that certification is absolutely worthless. It is not that hard to get accredited as an NSA academic center of excellence and it's a paperwork drill. They will, the NSA ask schools to make sure that they teach certain things and if they have one slide on one course that mentions that subject then they get to claim that they taught. That is really not what NSA and cyber command were after. So I would not really consider that academic center of excellence certification for a school is worthwhile. Don't buy that. So another con is the applicability. I used to teach not just at the graduate level but at the undergraduate level and I teach one of the last classes that my undergraduates took before they graduated. And many, many, many of my students would come to me and go, hey, listen, you know, Professor Brewer loved your class. It was great. I'm about to graduate with a degree, a bachelor's degree in computer science. I don't feel qualified to do anything. Congratulations, you're not alone. We all feel that way. If you spend any time in infosec, you're just gonna get used to the imposter syndrome. I still have it. Many of the people up on stage today are still gonna have it. But what you need to realize is that having a degree doesn't demonstrate that you're an expert in something. A bachelor's degree demonstrates that you're capable of being taught and learning new things. And so your employers know that because you've got a bachelor's degree in computer science, they don't expect you to hop in and be an expert programmer. They expect that when they stick you with a more seasoned senior programmer that they're gonna be able to teach you the things that you need to do to accomplish your job there. A master's degree doesn't mean that you're a master of your trade. It absolutely does not. What it means is that you're capable of teaching yourself. If you don't know something and you're asked to do it, you're capable of going out and finding resources and teaching yourself. And a PhD absolutely doesn't mean that you're an expert in anything. What it means is that you're capable of conducting independent scientific research. So a lot of people do ask me because I've just got one, should I get a PhD? And my answer to this is you should only get a PhD for three reasons. The first one is if you wanna work in academia, if you wanna be a university professor, absolutely go get a PhD. There's a hard cast system in there about tenure track PhDs and non tenure track PhDs and then lectures. The other reason is if you wanna do research, professional research for your career, go get a PhD. And the last reason to get a PhD, which was my reason was I just wanted one. Does it really help your career? It's arguable, I would say most cases, the juice is probably not worth the squeeze on that one. It was just a personal goal I'd set for myself for reasons that, well, I'm just not gonna get into, but just be aware of what those degrees are supposed to demonstrate. None of these demonstrate that you're an expert. So unrelated degrees, everybody needs infosec. It doesn't matter if you're a book publisher, if you're a bank, if you're a manufacturer, if you run industrial plants, all these things right now run on IoT and computers. And so they all need infosec. And taking these unrelated courses helps you learn the language of non-infosec people. If you're an infosec person and you go talk to your boss at a bank about IP addresses and Rop and they're just gonna run you out of the room. They pay you good money so they don't have to hear that language. They wanna know, what do I gain? What do I lose? What does it cost and why do I care? So you're gonna have to translate the geek speak and the infosec to business processes and thought processes of executives. Baseline courses regardless of degree are gonna be the same. It doesn't matter if you're gonna get a bachelor's in history, a bachelor's in women's studies, a bachelor's in computer science, or a bachelor's in electrical engineering, you're all gonna have to take college math. You're all gonna have to take English composition. Those baseline courses are the same and they're meant to be a good foundation for the rest of your learning. I mentioned writing practice. You're gonna get a lot of writing practice regardless of your degree. That writing is important. It's actually critical, I would say in many cases. It's at least as critical if not more critical than your technical knowledge. But if you're gonna get an unrelated degree and you wanna work an infosec at some point you're gonna have to come back and either get some training or some education on the tech side. You can't just hop in from a history degree and decide that you're gonna be an infosec analyst without going back and actually understanding what some of the infosec language means and understanding something about how computers and networks work. So here's a fantastic example of somebody that's successful with an unrelated degree. Tracy Malif, many of you know her, Infosec Sherpa. She's got a bachelor's in history and she's got a master's in library sciences. She spent 10 years working as a librarian, then was a cyber analyst at Glasgow Smith Klein, got her first infosec certification in 2017 and in 2019 she became an infosec analyst for New York Times. So library sciences doesn't seem like it's a related degree. However, what it taught her to do was how to do research very, very well. She's certainly a much better researcher than I am and it taught her how to write exceedingly well. And because of that, she's been tremendously successful, not only in the hacker community, but as a professional infosec analyst. So absolutely, all degrees are valuable and you certainly can work in infosec if you have an unrelated degree. So Emanuel Kant said that experience without theory is blind, but theory without experience is mere intellectual play and it's true, you need both. You need a little bit of theory and you need a little bit of experience and practical knowledge if you wanna be successful, otherwise you're really just a one-sided professional. So you need a bit of both. So great, I've got more questions about this. Where can I go for learning and networking resources? Well, congratulations. If you're listening to this, you're already doing that. DEF CON and hacker conferences and hacker collectives are great insight. It's a great place to meet people that may be doing things that you're interested in or they have good and bad experiences to share with you on their path. Maker spaces, there are maker spaces throughout the country and throughout the world. Lots of professionals have a passion for infosec and what they do that are willing to share their experiences and share their knowledge for little or no cost. Capture the flag exercises are great. One of the things I often hear is, I don't feel like I know enough to do capture the flag exercises. That's great. If you knew how to do the capture the flag exercise, it wouldn't be fun. So what I would say is go out there and try it and figure out what you can figure out and what you can't figure out. Go back a week later, what you're gonna see is that the teams that did well did write ups on how to solve the challenges. And that's gonna give you insight into not only how to solve the challenges, but subjects that you may wanna go back and learn more on. Mentors and mentees, everybody needs a mentor. I've got several and I learned a lot from my mentors. Here's a hidden trick though. I learned far more from my mentees than I learned from my mentors. They often ask me questions that I go, you know what, I actually have no idea and I have to go back and research it. And I have to learn it well enough to explain it to my mentee. So both being a mentor and a mentee is a great way to learn things. There are lots of free online training, everything from YouTube to online classes to Khan Academy. Hacker Khan's, you can attend or you can volunteer. Attending is always great because you get to go to ideally all the talks that you wanna do. Hidden trick of mine is to volunteer at the Khan's. I've been doing it for a long time, particularly if you volunteer for speaker operations, you get a lot of one-on-one time with the speakers. You get to ask questions without anybody else in the room. So that's really, really great. For military members that are leaving, there's a program called SkillBridge where you can go get an internship for six months at a company. That company doesn't pay your salary. The DOD pays your salary. So they get a free intern, you get free job experience, you get to try out that company and decide if you really wanna get hired there. So that's a great deal. For college students and for people taking either at the School of Hard Knocks or the certification path, go get an internship, either paid or unpaid. Internships are great. Not only do they let you gain some skills, they get, let you learn about the company that lets the company learn about you. And oftentimes you get a job, not because you submitted a resume, but because you have a personal relationship with somebody in a company. Professional organizations, ISC Squared, ISACA, all of those tend to have monthly meetings. Those are great. Go network, go talk to people. They will give presentations. If you wanna know how they got to learn about what they learned, they will tell you. Oftentimes they're happy to do that. Boot camps and lunch and learns, a lot of organizations will offer boot camps and lunch and learns for free in some cases because they want you to sign up for their paid classes later, but you don't have to. You can go for an hour and learn about network recon or OSINT or whatever it is that they're talking about. So lots of free resources out there. So at the end of this, what's the best solution? It's a choose your own adventure, right? If you wanna be a ninja, do all three paths, right? Do some experimentation on your own. Go through the school of hard knocks, get some certifications, take some college classes, get a degree, but choose a path and start on it, right? Journey to a thousand steps, you have to take that first step. What you should consider is what are your goals? When you start on this journey, what is your next goal that you wanna achieve and how can you best get there given your timeline, your finances and your goals? So there is no wrong path. There are pros and cons to all of them. Eventually, if you wanna be professional, you're gonna find out that you've done all three. And so it's really just a matter of which path you wanna start on first. There is no wrong path. So with that, thanks so much for your time and I will be on the Discord if you have questions. Have a great day. Pablo, thank you so much for all of that. Just sort of great overview because as you said, we tend to have this discussion and everyone camps in my way as writer, and it really is everyone needs to customize their own career path and take bits and pieces and depending on your finances and where you are in life, all of it. And that's what's so great about the industry is that we have so many resources. We have so many role models. We can craft our own path and employers are also starting to really realize experience over certifications, but it's going to change depending on the employer. I really appreciate you pulling this presentation together and also all of your great comments to people's questions and Discord. I wanna remind everyone that we're doing resume review and career coaching all day Friday and all Saturday afternoon. You need to sign up in the Discord channel. Pablo, thank you so much. I can't wait to be able to hug you in person. Thanks, Kathleen, looking forward to seeing you. Take care.