Notes:
Despite being a GSE-certified cybersecurity expert, Chris Sanders is up front about the fact that infosec is not his true passion. In this episode, Sanders describes how diving deep into the world of computers and cybersecurity led him to his ultimate passion - teaching and helping others - and how continuing to pursue the infosec path allows him to fulfill career goals he may not otherwise have met. He also discusses how his upbringing has shaped his career path and guided him to give back to aspiring cybersecurity professionals.
Bio:
Chris Sanders is an information security author, trainer, and researcher originally from Mayfield, KY. He is the founder of Applied Network Defense, a company focused on delivering high quality, accessible information security training.
Chris is also the founder and director of the Rural Technology Fund, a non-profit that donates scholarships and equipment to public schools. Chris has authored several books and articles, including the international best seller "Practical Packet Analysis" from No Starch Press, and "Applied Network Security Monitoring" from Syngress.
Chris blogs at http://www.chrissanders.org. You can learn more about Applied Network Defense at http://www.appliednetworkdefense.com and the RTF at http://www.ruraltechfund.org.
Recommendations based on this episode:
- GCDA: GIAC Certified Detection Analyst, prepare with SANS SEC555: SIEM with Tactical Analytics
- GCED: GIAC Certified Enterprise Defender, prepare with SANS SEC501: Advanced Security Essentials - Enterprise Defender
- GIAC Security Expert
Transcript:
Jason Nickola
This is "Trust Me, I'm Certified" brought to you by GIAC Certifications, a podcast exploring how to conquer imposter syndrome.
Jason Nickola
Welcome back to "Trust Me, I'm Certified." I'm your host, Jason Nickola, and I'm excited to bring you this week's episode with Chris Sanders. Chris is a busy guy to say the least. He's the founder at both Applied Network Defense and the Rural Technology Fund, an accomplished trainer, a GIAC Security Expert and is currently pursuing a doctorate in education. In his own words, though, Chris should not be where he is or have been able to build the career he has, from a lack of technical opportunities in his native Western Kentucky. Having a forge his own path after tragedy struck his family in the early age, Chris's story is a powerful one filled with the kind of grit and determination you'd expect from someone who's built such an impressive career and skill set from scratch. I learned a ton here and was really inspired by some of the things Chris shared, so please enjoy this conversation with Chris Sanders.
Jason Nickola
Chris, thank you so much for joining us. We really appreciate it.
Chris Sanders
Hey, thanks for having me, Jason.
Jason Nickola
Yeah. So your passion for security and tech as well as education, it's something that really comes out in pretty much everything that you do. And we'll dig more into that in just a little bit. But where would you say that's rooted in? Like, when you look back at your past, are there things that you can look at and see, well, I was kind of always destined to be a security professional or always destined to really focus on how people learn - are things there?
Chris Sanders
You know, that's an interesting question. I think I would start by saying, I'm not really passionate about security. And that that may be, you know, for the folks listening, that's a weird way to start a podcast about security. I'm really not. And it took me actually a long time to figure that out. And I went through several jobs, and I was really digging in on the security stuff. And I've actually I kind of realized security was a mechanism that allowed me to do things that I was passionate about: helping people, working with the Rural Tech Fund and trying to help people out of poverty and things like that. It took me a long time to get there. But with that in mind, and not to start off too dark, but I had a little bit of an interesting upbringing. I lost my mom and my sister when I was in high school, and my dad kind of ran out on us so from about 15 on I raised myself. And so I've always been pretty motivated, and I think it comes from that, I've always had a bit of a chip on my shoulder because I basically had to get myself up and get myself to school, I had to do my own schoolwork. I had to figure out groceries and transportation, I had to figure out what was next for me. What did college - what did a career look like? I was kind of forced into that. So that sort of thing has always made me very motivated and ever since then, my life has been this series of figuring out how to direct that motivation and kind of identifying some of the sources of it.
Jason Nickola
So when you were a kid, even in high school, did you place as much emphasis on education as you did now? I mean, granted as an adult you have the benefit of some maturity. But has education always been a primary focus?
Chris Sanders
It has, for the most part, one of the things you know, and this to my mom, she got our first computer because she was the secretary of 4H, which is really big in West Kentucky. She was our 4H secretary. And she wasn't very good at how to use it. And so I was, and I was naturally drawn to it. And so I would have to teach her things, take these really complex topics and break them down very simply for her. And I didn't know it at the time, but she was kind of de facto teaching me how to teach people. And I've taken that throughout my whole career. I wrote a book called "Practical Packet Analysis" where I take something that's a very complex subject, and try to break it out very simply, for people an introductory level. And all that came from my mom. And again, it took me a long time to realize that. I was probably on the second edition of that book even before I realized wow, this is actually where I got a lot of that from.
Jason Nickola
Right. I don't think I've ever heard something in someone's past that's so neatly lined up with what they would end up doing that, yeah, I taught my mom and I had to take complex topics and break them down to be very simple. And just in the back of my mind, it's like that's teaching, especially in security where you get people from all different kinds of backgrounds. And you know, oftentimes you have to teach to more than one person with more than one learning style at a time. It's so cool to see that you've been able to identify that and hopefully carry a little bit of that forward with you so that every time you teach now, you get to think about that history and background that you have with your mom.
Chris Sanders
Yeah, absolutely. It's one of those things where it was happening at the time when I was 13 and teaching her about this stuff, I hated it, and I would get so frustrated. But I think if she could see what I was doing now she would kind of laugh and certainly gloat and take some credit. I don't blame her. But really, that's kind of been a through line for all of my career. I teach for a living all full time basically now. But even when I was working with Mandiant or with Department of Defense or InGuardians, I always had some type of educational role and always found a way to be teaching and one of my mantras has always been that any room with more than one person and it can be a classroom.
Jason Nickola
Yeah, that's true. That's really cool to hear. So, as far as the technical side, so you were younger and you had to teach your mom how to use this computer, how did you learn how to use it? Did you just start digging in and get interested in or did you have more of a background? And was that kind of just what you did as a kid and dug in and learn things?
Chris Sanders
You know, I think the first thing that drew me to the computer - probably what drew a lot of us to it - was just games. I'd use the computer to play games. And this computer we had was like this beat up old 386 that didn't work really well. So when I wanted to play games, and it didn't work, I had to figure out how to fix it cause we certainly couldn't afford to pay anybody to fix it. So, that's what I did. And I kept doing that over and over again. And eventually, you know, computers at school would break. And I'd be like, oh, I know how to fix this. And I would do it and kind of it snowballed. And here I am.
Jason Nickola
Yeah. It's funny, I recently bought a Sega Genesis, because we've all been looking for things to do for the last three months or so to fill our time. And I picked it up and I flipped it over and I realized that there's this little access port for expansion if you just slide off this little door, and it reminded me of being honestly like four or five years old and doing that when I was a kid, and just wondering what does that do, and then looking at all the ports, and even opening up wires and looking inside of it. And I never would have remembered that if I didn't go and buy this thing. So one thing I'm always really interested in learning is, what are those tiny threads that maybe they don't stand out over time, but when you look back and you can kind of reconstruct or kind of force a path in there, like yeah, it was always obvious that Chris was going to end up being a technologist that taught other people, even if it didn't seem very apparent from the beginning, and I have a lot of those same things in my own past as well. But would you would you say that back then looking forward that you felt like you were going to be a technologist and that education was going to be something that you pursued professionally? Or how did you view your prospects when you were younger?
Chris Sanders
You know, particularly in high school when I was starting to fix computers for other people, and they were offering to pay me for it, that's when I really started to kind of gravitate towards this could actually be my job. It's a good thing, because in West Kentucky, there weren't really a lot of other options available. So once I figured that out, I couldn't see anything else. The education side of it, I really didn't grasp till much later, even till after I'd written some books like I really - that seemed too far out of my realm of capability. For one reason, I was deathly afraid of public speaking. Really, even through college, if you were to go to my college professor, public speaking professor right now and say, Chris goes out to these conferences and does all these things and speaks thousands of people, she wouldn't believe you. She'd think you were lying. But eventually that kind of just came to me and I realized I wanted to do it. And I practiced at it and did more of it and got decently good at it, I think. And so once I realized I had the propensity to build the build the content, and I could relay those concepts, I had to work past some of my own internal barriers like my fear of public speaking and things like that.
Jason Nickola
So let's dig into that for a second. Other than just time and reps, were there things that helped you get over the hump with public speaking? Specific resources or groups or anything like that?
Chris Sanders
No real specific resources or groups, but honestly, and this is not an exciting answer. But it was really just reps and kind of thoughtful deliberate practice at it. I put in when I first started doing public speaking it was to teach packet analysis classes to these groups and it was a lot of pressure because they were paying me to come in and teach them this stuff and I wanted to earn that money. I didn't want to leave there - and I was definitely afraid they were gonna ask for a refund. Yeah, and I was poor and we talked about motivation, like one of my main motivators when I was that young was that I was poor. I was on my own. I was paying for college and I was living in poverty. I was sleeping in my car a couple times during college when they kicked us out of the dorm for spring break and stuff like that. I needed to make money. So I knew this was a way to do that and I wanted to do a good job of it. And I knew that if I did this well, it would lead to other potential career type things. So it was extrinsically motivated in many ways, in that regard, but it was really just I would go in and I would prepare insanely, I focused on relentless competence. I knew if nothing else, I could sit up there and ramble about TCP/IP for six hours. And hopefully people would learn some things. And then the cool thing about that type of learning is it's really never ended for me. Every time I do a presentation, I don't go back and sit and watch them all but I'm very conscious of what I'm working on when I go into it and how I did with that thing when I'm done, and I seek the right type of feedback from people who trust which really means a lot.
Jason Nickola
Right. So you mentioned wanting to be really credible and capable and relentlessly pursuing a mastery and expertise of your subject matter. One of the things that I identify with is feeling like you don't belong, or you aren't good enough for some of the things that you've lucked into an opportunity to do. And trying to compensate for that by doing way, way, way more work behind the scenes and at night and between things when no one is looking to try to get to that magical bar where, okay, I've mastered this stuff enough that these feelings can't possibly be real. Was there some of that for you? Were you trying to overcome maybe a feeling that you didn't belong doing what you were doing? Or is it more I just I have to succeed, and this is how I'm gonna do it.
Chris Sanders
Oh, yeah, there certainly was some of that and still is some of that, you know, and I mentioned I have a chip on my shoulder like I'm a kid from West Kentucky and it's a place if you want to get there you fly to Nashville and drive three hours. It's not on anyone's map, you really have to want to get there to get there. And I have this thick accent and most people, I mean, people hear me talk and they don't know that I think - a lot of people hear a Southern accent and think the person is stupid, right? Like there's documented scientific evidence that people think those things. And I always had that chip on my shoulder. I remember working for the army at one point in a colonel walked up to me and said, oh, you're from Kentucky? Well, there's no intellectual capital in Kentucky. And you deal with things like that. So just based on where I'm from, and what I sound like, that's certainly part of that. And also I came from very little, my dad was a truck driver. My mom was a sewing machine operator, we lived in poverty. There's no reason I should really be here, if you look at my past, but I am so that chip on my shoulder has always been one of those things that made me feel like I didn't belong. And also going back to an earlier part of the conversation, for a long time, I thought I was passionate about security. I really tried to be the best at certain things. And one of the things you realize as you gain more expertise is you're never gonna be the best at anything. There's always someone who knows something more. And knowing what you don't know is a pretty crucial thing there. But once I realized that a lot of my passions lie outside security and security was just a vehicle or vessel to help me achieve those things, it made me be more okay with it. It made me you know, certainly understood that I don't always fit in and certain facets of security, but I was a lot more okay with it once I figured that out. So it's kind of an acceptance of this is who I am, and I'm okay with that.
Jason Nickola
Right. It's kind of like finding your niche and finding where you can provide the most value and then feeling most comfortable with that. I think that's a really great message.
Chris Sanders
Yeah. And that shifted me - figuring out what I actually care about really only happened, I would say it started maybe five or six years ago and I really started to conceptualize it like three or four years ago. So this is not a far in the past thing for me, which surprise to people since I've been writing and teaching for so long.
Jason Nickola
Right. So you mentioned not a lot of opportunities in Western Kentucky and growing up kind of poor and wanting to find something to have better opportunities for yourself. I was going to ask the question did some of those experiences feed why you eventually started the Rural Tech Fund, but I'm pretty sure that the answer is probably yes.
Chris Sanders
Yeah, yeah, absolutely. I have this distinct memory of sitting in our high school honors day, and everybody got scholarships for all these different things going to college, and there wasn't really anything for kids interested in computers. And why would there be? I was the only one that anyone knew about who had any interest in that in my whole county. And I think that's what happens with a lot of these rural counties, particularly back then, is every school has like one kid who's really into this. They eventually get out, get some education, move on and go elsewhere. And I thought, well, heck, if every county has one kid like me, that's just kind of getting ignored, and there's not a lot opportunity for them, that's a lot of people. And of course now I think that's not just one - I think these counties, maybe even the most rural are gonna have five or six kids like this. So I thought it would be cool to be able to do something for them. I didn't really know what it would be when I started it fully. I just knew I was gonna offer a scholarship once a year. And I guess, boy, has it grown.
Jason Nickola
So you say that there are a few more kids now in these world places now that might be interested in technology, what do you think is contributing to that? Is it just more tech making its way into K through 12? Internet and social media? And how can we help?
Chris Sanders
You know, certainly just the general proliferation of technology. I mean, not all but most kids now have computers in their home. Even the most rural schools are now able to do things like one to one computer to student ratios thanks to different forms of federal funding and lowering the cost of equipment so - that's not everywhere, but it is a lot more places and will continue to be so kids now see computers, they understand their role in life and civilization. Particularly, you know, with the pandemic, we depend on them so much more than ever and people say this, and just the general exposure of the internet, social media, people know that those careers exist. When I was a kid growing up, not to date myself too much, but I didn't know what careers existed in the world other than what I saw on TV, which could be entirely fiction, depending on what I was looking at, or what I saw in my own community, which was, well, virtually nothing. A little tiny bit of manufacturing, a lot of farming, and then just service jobs. So now kids have, they're able to see more of what is out there. And I think that's a useful thing. So part of what the Rural Tech Fund's job is, and what I try to do is say, well, not only do I want you to see what's out there, I want you to see that it's interesting, it can pull you and your community out of poverty, and also, hey, you can probably do this - you don't have to be a genius to do this.
Jason Nickola
Right. So when you were coming up, would you say that there was someone that provided a model for you that had a career in technology or an older person that was interested in technology, or just because of the timing was it really just you until you got to college or started working in the industry?
Chris Sanders
You know, I had a couple of people that I kind of look to, some more than others and really, you know, I mentioned games got me into computers first and one of the other people that got in - this is kind of a weird story, but it begins with my cousin Billy building a meth lab. And he was a pioneer. He built this meth lab, he went to jail because that's what happens when you practice redneck chemistry, and he did that and he learned about computers, he took a computer class and he was in prison, he came back. And he showed me some stuff on the computer, the games and things like that. And, he was also at that point taking money from people to fix their computers, because he couldn't he couldn't get work as an ex-con. And so that was certainly one of my influences, fortunately, in good ways, and not some of the others. And then beyond that I didn't really have a lot of role models to look up to who worked in computing. At that point, I just fortunately had a lot of teachers in my life who saw that I had an interest in this and I was capable of it and they did their best to push me in the directions they know would be most beneficial to me, like going to college for instance, which was probably one of better decisions ever made in life.
Jason Nickola
Well, I didn't know where you were going with that, Chris, but it ended up really well. And I'm glad Billy turned it around.
Chris Sanders
Yeah, Yeah, me too.
Jason Nickola
So you initially studied telecom systems in college? How would you say that experience in higher ed translated to your ability to get a job?
Chris Sanders
Um, it didn't. You know, that program in my college at Murray State was brand new. At that point, I was working, I had been hired from the school district I graduated from to basically be their network administrator. They realized they could hire me for cheaper than they were paying for these consultants to come in and do the work. It would also be a good thing because it basically allowed me to pay for college. So that was going on. And at this point I had as much or more experience than a lot of my professors. I remember at one point, I had to take a class called packet analysis. And this was like a year after my book had come out. The professor saw that I'd written this book and said, hey, this is silly that you have to take this class. If you'll just help me build some labs for it, I'll give you full credit. So cool things like that happened. But for the most part, I didn't really learn a lot in college from my technical classes. Now with that said, I actually learned a lot from other classes. I was thoughtful enough, I guess, or maybe I just lucked into it where I took some classes a little outside of the realm of what I was doing, like I took a couple of psychology classes, which is paying dividends now. I really learned a lot from world civ. I had a world civ professor who was brilliant, and my world civ class, which is one of the most dreaded classes in all of college I think, for most people, it really taught me how to learn and taught me how to be aware of my own learning and think about that, this concept of metacognition, thinking about thinking. That was absolutely critical and probably formed a big base for a lot of the work I'm doing now. So that necessarily didn't translate into me getting into the workforce at the time, but it's been a super valuable thing later on, as I've really embraced some of it.
Jason Nickola
I love those things where even if it's not immediately applicable, you learn something and then a few years later, something clicks and you figure out a way to leverage that prior knowledge that you hadn't seen before. And then it's like, oh, I took this random class or did this random thing or had this random conversation, and I had no idea how that would pay forward years down the line. And now I'm reaping the benefits of something that almost happened by chance.
Chris Sanders
Oh, yeah. You don't realize sometimes the role people will have in your lives until much later. And I think this world civ professor's name was to Taufiq Rashid. And he's still there. He's still teaching, and I was back at Murray State a couple years ago to receive a Distinguished Alumni Award. And so I just went found him. I walked up to his office, and was like, hey, I don't think you remember me - of course, he didn't - but you had a tremendous impact on my career, and I don't think I would be anywhere at all where I am without you. And he was brought to tears. He's been teaching this for like 30 years. And he said I was only the second student ever come back to him after taking this class and say something like this to him, which was - we all had a good cry and it was great, but it just made me really think about like, you just don't realize the impact some people have on you. It's never too late. Unless it is too late to kind of go back and let people know about that.
Jason Nickola
Have you had - I mean, you've taught thousands of people to this point, have you had students come back and tell you something similar?
Chris Sanders
I have. And it's awesome. I'm fortunate, I've had many jobs in this field that were very thankless. The one I'm doing now is not at all. I have students, I get emails, weekly, from students here. Some of them may have just taken the class like, oh, wow, I used this thing or they'll send me a DM on Twitter, and they're like, wow, or they run into me at a security conference, and they tell me about the impact it's had on their life. And I love hearing about that. I love hearing about when people take my classes and they leverage that and that gets them a new job or it gets them a raise and they're able to better provide for their families. And there was a point in my life where I was really consumed with wanting to be the best, I want to be the most passionate about this, I want to care the most about this. I want to make this big name and do all those things. But at this point, and really in the past, like seven, eight years, I've really been drawn to this idea of, let's use what I have to enable that sort of thing for other people. And that so far has been a very rewarding experience for me. And I think I've been fairly successful at it.
Jason Nickola
I love it. So, when did security comes into the picture? And do you think there was a benefit to you starting outside of the security focus?
Chris Sanders
So security really came into the picture when I was working for the school district that I graduated from. I was a network administrator; I was the only one for this entire district. So security fell under me as well. And I remember the time like I installed version .01 beta of Snort the IDS on the school network. And as I tell people, I saw a lot of things that I couldn't unsee very quickly, as is the nature of things when you install an IDS on the network that's never had that before. But it just immediately hooked me: the investigative side of things, and finding bad guys and getting them out of the network and that just immediately pulled me in. So that got me into security. And I think there's a lot of paths into security. And I think that's in some ways the beauty of the industry, in some ways kind of a limitation of it, because, well, that's a little beyond our scope. But anyways, I do think there was value there for me, because, obviously, if I'm an investigator, I'm concerned about stimulus and response, systems, and having set up and configured and troubleshoot a lot of those systems, I understand that a lot better. Doing help desk type work, I better understand customer service and understand how people think, there's some diagnostic related thinking that comes with that, which is part of my research now that really flows well into investigative type work. So I certainly - while that is not the only path into this field, it was certainly one that worked for me.
Jason Nickola
Sure. So there's a quote from a tweet that you had, and it goes, so if you're looking to get into security from another technical area, it's not so much about pivoting your skill set, but leveraging it further. It's an evolution using what you've already acquired, embracing that, but not being limited by it is important. I think that's fantastic and absolutely sums up the same way that I feel about it. A follow on question is, do you think that there are similar things for people who do not already work in technology, but work in other fields and are interested in getting into security are the things that generically you could look for in other fields that might hint at potential success in security?
Chris Sanders
Sure, it's a big question. But I think a lot of what security boils down to is kind of investigative thinking, right? It's this notion that we have some type of input, we ask questions about that input, we look at evidence to find answers, and we build timelines and things that have gone on in order to solve problems. When I describe it that abstractly, it can really apply to a lot of different fields. It can certainly apply to help desk type work. It applies to what people in medicine do, what nurses and doctors do, it applies to the financial industry and how you apply things there, applies to lots of sciences. Investigative thinking is not something that is exclusive to what we do in this field. We do it every day, both in our professional lives and in our personal lives to some factors. So becoming aware of that type of thinking, this notion of metacognitive awareness, being aware of how you think about things is absolutely crucial. And one of the things we know is certainly the highest performers in our field are incredibly metacognitively aware in some cases. But more importantly, the folks who are metacognitively aware, assimilate experience much, much quicker. So if you're aware you're able to consciously think about what you're doing, if you're able to deliberately practice things, not just practice and not just getting reps, but getting those reps with the idea of getting feedback from people you trust, from sources you trust, working on one thing at a time, looking at different scenarios and acquiring a diversity of experience. Those things all lend themselves well to accumulating experience and assimilating faster in the security field. So most of maybe not most, but a lot of what will make folks successful if they're not in security and getting into security has nothing to do with securing a web server or using technical specifics. It has very little to do with that in most cases.
Jason Nickola
Yeah, I completely agree. You can teach someone who is willing and able and interested how to code or how to configure an IDS or, or how to attack a web app. But do they have that investigative and curiosity that you mentioned.
Chris Sanders
And that's the key word right there. Curiosity, it's that desire to know more, and I've written a lot about curiosity. I've spoken a lot about curiosity, that information is out there. So I won't repeat it all. But curiosity is inside all of us. A lot of times, it's not necessarily about creating curiosity. It's preventing other things from smashing our curiosity. Because that's kind of what the world tries to do to us. In the midst of a global pandemic, with tons of justified civil unrest, it's easy to let your curiosity to be stamped out, let alone all the other things we have going on in our lives. So actively defending your curiosity and doing things to keep that going, is one of the things that's gonna separate you.Jason Nickola
And I think that's such an important point as it relates to doing too much and burnout because I find in my own personal life that as I get spread too thin, and I get burned out, the first flame that dies is my curiosity and willingness to just go explore.
Chris Sanders
Yeah, absolutely. There's this notion in psychology text called margin theory. And margin basically says we have these two components that we're dealing with. One is called power and one is load. Load are all the things that deplete us. It's things like the pandemic, it's things like I'm worried about money or I'm worried about school or I'm worried about my significant other, relationship problems, all those things are your load. Power is kind of the opposite. It's all the things that kind of push you forward. It's things like, I like my job. It's things like I have a support system at home, I have a support system with my family. I'm wealthy, right? Those things are your power, the difference between your power and your load is called your margin. People with lots of margin are generally going to be more curious because they have the cognitive capacity to be more curious. People with lower negative margin, their bucket's full, they can't really add anything in there. So it's kind of an abstract concept. But these notions of power load and ultimately margin are crucial to really all things motivation. Motivation, massively complex thing, you take a psych course on adult learning, you'll spend half of it on motivation, because that's so critical to how adults learn. But that margin part of it kind of underscores all of it.
Jason Nickola
Spoken like a true Doctor of Education student.
Chris Sanders
Yes, sir.
Jason Nickola
So you've done a ton of training in terms of your own learning and offering training for others. You're certified as a GSE, and lots of other things. What role would you say that your opportunities to do formal training and certification have played in your ability to develop as a professional?
Chris Sanders
Good question. So I think it's changed a little bit. Earlier in my career, the certifications were to some degree extrinsically motivated, because I knew I needed them to get jobs. But also particularly after I got the first one, I got the A+ certification when I was something like 17. And it kind of proved to me that I could do it. So that caused later certifications to be a little more intrinsically motivated because I certainly learned some things while doing the A+ certification, particularly at the time and the type of work I was doing. But it proved to me that I can do it. I think that's what happens with a lot of folks, particularly with their first certification. This stuff is daunting, right? It's very hard when you're just approaching it because you don't know what you don't know. It's all this abstract information. You don't have mental models built for processing yet. So whether it's a simpler certification like A+ or something really complex, like even a GSE or a CISSP to some degree, they have this ability to make you think you could do things you couldn't do. I always believe that knowledge gives you superpowers. And when you're able to demonstrate your knowledge that kind of bolsters that. So you kind of seek increasing challenges. That's what I did, I got the A+ certification, then I got some Microsoft certifications, eventually some SANS certifications, the CISSP at some point, which gets knocked a lot. But it's a ton of information you have to synthesize and doing that successfully is something to be proud of. And then the GSE, which is an insanely difficult challenge for me at the time. And so I just set up more and more of these things that helped me prove to myself that I can do it. And they certainly had utility for getting jobs and proving expertise, but particularly talking about things like dealing with burnout, proving to yourself that you're competent, certifications provide a mechanism to do that.
Jason Nickola
Absolutely. Yeah. And one thing that's similar to what you're saying - one thing that they've done for me is pushed me out into the world and had me interact at these training courses with people that I might not have had the opportunity to interact with, instructors and students alike. And not just the learning and gaining of skills, and then eventual credential that you get. But realizing when you have limited experience in the community that hey, I can hang with these people. I don't fall all over myself when I communicate with them about social or technical topics. And I can be in the same environment as some of the best people in the world and hold my own. And I think if you pay attention, infosec Twitter or conferences, you start to think that that is all or most of security and technology, when in reality, most of it is people that are at home and go to work and then that's it. And they don't have maybe a lot of experience interacting with other people in the field from areas that they're not in. So I think that process of mixing and not measuring because that sounds like a negative but just getting that sense that yeah, I belong here. And I can stand up and back up what I'm saying, I think that is a very, very important part of feeling secure in yourself in your field.
Chris Sanders
Yeah, absolutely. And you mentioned the social media thing, and particularly talking about motivation and curiosity, for some folks, I think the notion that the entirety of security is what you see on Twitter or something like that, whether people realize it or not, is a massively de-motivating thing, because just the nature of that type of communication and all these things, and you really got to be careful and curate that stuff. I've gone to a pretty extreme efforts to be very careful about who I'm following because I just noticed the stuff affects me and there are a lot of people who are really smart and have a lot of really useful things to say in our field, but it's also laced with all this negativity, and it's the drama of who said, what, when, and how and this and that. And I just eventually at one point, I realized there are enough smart people in this field with great ideas that I can just follow the ones who are also generally realistic and positive and I get what I need out of social media. It took me a while to get there, but I feel good about that now
Jason Nickola
So you've also had some experience as a SANS mentor, you've worked at companies like InGuardians and Mandiant. What was that experience like? Because those are very highly talented communities, I guess I would say from the outside speaking about Mandiant. What was it like for you to begin to mix with those communities? And what kind of rub off or effect did that have on you in your own career?Chris Sanders
You know, it was a little bit different in different places. I know with InGuardians, I was very deliberately kind of going to work with a company that's very penetration testing, red team focused, and there was value in me coming because I was bringing some blue team expertise to do some of the type of work, but also knew I was gonna get exposure to ways of thinking that were new to me. I always tell people was kind of like the rumspringa for the Amish community where when they turn 18, they leave Amish community for a while, decide if they want to go out into the broader world or come back. And that's what I did. This was my rumspringa to the red team. And I learned a lot of valuable information there, obviously met a lot of great friends. who I'm still in contact with today but realized that that type of work was not really for me. But learned a tremendous amount. And I compare that with Mandiant, where Mandiant is kind of, particularly at that time, one of the meccas of blue team work. There's been a lot of shifting around and stuff like that with the fire acquisition, but at that time, you name the big names of blue team work, most of them, or at least half of them were at Mandiant. So that was cool. It was also very intimidating. Cause for the most part, anything I knew there was someone there who probably knew more about it. So to some degree a little bit of a humbling experience, which I was prepared for, that was good, but it also allowed me to spread my wings and figure out where I wanted to focus. And it was really at Mandiant that I started to find more purpose and actually it was realizing that the purpose was not at Mandiant. It's when I realized that the work I did was very disconnected from actually helping people. This isn't a knock on Mandiant. It's just the nature of being a security vendor. Yeah, okay, I helped build this product, which people use to secure their networks, which does good things. But there's a lot of steps between me and that happening. And one of the things I really realized was I needed for me to be at my best and do be my best self and do my best work, I needed to be able to draw straight lines between the tangible work I did, and the people I helped. I can't really do that at Mandiant, I don't think I could do that really at any security event or most security vendors given the nature of that work. However, doing what I'm doing now full time teaching, full time writing, researching, the people I help, I'm talking to them. I'm tangibly talking to them every day, we talked about how they're coming back and telling me how thankful they are for that. That's been - finding that, Mandiant and that diversity of experience and expertise they have there allowed me to find that and realize that's what I wanted to be doing, which I'm very thankful for.
Jason Nickola
So education and security in technology are obviously major parts of your story. What gap do you see in security education in our industry? And I guess technical education in society overall?
Chris Sanders
That's a big question. You know, that's a lot of my focus now. I'm working on this doctorate, which is a doctorate in education, but it's heavy focus in cognitive psychology. And obviously, it's all centered on security. So that's one way to say my professors love me because this is really weird for them. But a lot of the problems we have in information security are education problems. Most of the knowledge we have is very tacit, that means it's unwritten. People know how to do their jobs but they don't know how to tell you how they do their jobs. And that's a big problem, in part because - it's an artifact in part because the field is so new, it's so young, and we forget that sometimes, most of our best practices have still yet to be defined. We lack a lot of mental models we need to understand process to teach things. And we also particularly in education, sometimes I've been thinking about a lot lately is this notion of andragogy. And that's a word most people will have never heard. Andragogy basically means teaching and educating adults. People heard of pedagogy and pedagogy often gets used as a catch all word for like, this is how you teach anybody, but pedagogy is actually specific to children. And most people don't realize how you teach children and how you teach adults, they're dramatically different things in a lot of ways. And in security, the fact that we're mostly teaching adults because you can learn a little bit of cybersecurity in high school with some prerequisite knowledge, that's really not happening till college age, kind of a formal level and then after that. So mostly we're teaching adults and adults have a lot of different things going on. Education is something that simply happens to children, they kind of experience it. For adults, it kind of defines who they are, like it's part of their identity, because adults have agency. Adults can choose, I want to learn this or I want to learn that. They're self-directed learners, they have a high degree of self-directedness. So what people learn in their prior experience as adults, It defines their identity. And anytime something to find someone's identity, it changes the game. And how you approach it, how you talk about - this is why with people you don't know very well, you often don't have conversations about religion or politics, because those things define their identity. People's education also has that same thing. If you don't believe me, just go have a conversation with someone and say, well, why did you learn that? That seems silly. And you're going to be in for a world of hurt on that. So you have to acknowledge those things when you're teaching adults, it's a challenging thing. You have to acknowledge adults' experiences, because when you have an adult in a classroom setting, and they have experience, if you reject that experience, you're not just rejecting the experience itself. You're rejecting that person. And that turns people off, it turns off their motivation. It turns off their curiosity, they're going to shut you out and you're not going to reach that person. I'm not one of those sorts of folks who believes that as an instructor, it is my job to reach every person because I don't believe I can. I think instruction is a relationship between a student and a teacher. And just like other types of relationships, if you put all the blame on one person, that's generally not usually the case, right? It's usually a combination of that. Sometimes learners and educators are not paired well together for different reasons. But that doesn't mean we can't strive as educators to really focus on what's unique about adult learning, let's acknowledge and pull out the existing experience people have. And let's work that into what we're doing. So this notion of andragogy, the principles that surround it, something that the industry really has mostly ignored on the whole.
Jason Nickola
And I've read things that you've written on the topic and as someone who does a lot of teaching, I feel and agree that the concept of practitioners first and teacher second can be problematic. And I think if you want to be someone that is going to educate and try to reach as many people as you can, then I feel I own responsibility to try to become the best educator that I can. So hearing you speak about things like that and reading things that you write on the topic and other things are, I think, an important part of starting to bridge some of that, because I don't even know that many people understand or recognize that there. There is a gap there.
Chris Sanders
Yeah, absolutely. And you're mentioning oh, I'd sent you for the folks that know by the time this podcast is released, I published a new article about this andragogy topic and some thoughts there. And you mentioned the practitioner first, educator second model, which is something I wrote about in the article, and that's generally how most education occurs in our fields, whether it's SANS or other private training, even at some universities, the person is a practitioner first, and then they're an educator. And if everything were gumdrops and rainbows everyone be educators and they would have the cybersecurity knowledge and that would all work, but that's not how it works. Practitioner first, educator second, that's how our industry is going to be for the foreseeable future. But we have to realize that education is not simply relaying rote concepts. It's not saying this is a procedure, here's how you do it, steps one through 10. I've showed it to you, so now it's done. That's not how education works. You have to approach these things in ways, again, that incorporate the experience, the people, that acknowledge the agency that adults have, that acknowledge that people. There's kind of a myth that people learn in different ways, like this whole notion of learning styles. There's really not any science to support that. Most people learn in the same ways. But how people learn is a little bit different than the notion of approaching information in different forms. So, for instance, I can talk all day long about packet capture, and different people will understand what I'm talking about, and some will, some will not. But some people will only understand that when I apply that to a real-world situation that makes sense to them, like you have to connect to what they already know. You have to meet people where they are, and that gets harder for adults because they already know so much more and their information is so much more nuanced, which means it's also so much more biased in some ways, so you have to kind of work within that general construct.
Jason Nickola
It kind of makes me think of the importance of storytelling and narrative in teaching.
Chris Sanders
Yeah, absolutely. Connecting with people, meeting them where they are, and connecting their existing knowledge to the knowledge you're trying to relay, and then to future knowledge. How can they use that in the future and what is the application? It's not are they going to walk away with something from this class, it's are they going to be able to apply that to make the world a better place.
Jason Nickola
I think that's a great point to end on. Chris, thank you so much, this was a fantastic conversation.
Chris Sanders
Thanks, Jason. Appreciate it.
Jason Nickola
That was Chris Sanders, thanks to him for sharing his story with us. If you want to learn more about the Rural Tech Fund and how you can help, visit ruraltechfund.org. Really appreciate all of you joining us again for another episode of "Trust Me, I'm Certified." We'll be back in two weeks, so don't forget to sign up at giac.org/podcasts and wherever you choose to listen for alerts about new episodes and guests. Thanks again and we'll see you next time.