CyBytes is a podcast that features bite-sized conversations with tech and cybersecurity pros - sharing insights, stories, and actionable advice to help you navigate and thrive in the industry
Nikhil Mohanlal (00:00)
Hello and welcome back my fellow nerds to another episode of CyBytes. The show where we skip the corporate yap and get into real talk with real people building cyber in the UAE. Today's guest is a CEO, entrepreneur, a chartered pen tester, loves Russian food, and yes, he's Scottish.
He is an all around legend. I'm very excited to introduce to you William Wright. Before the episode, we actually chugged several coffees. So we're absolutely flying in the studio. In the episode, we get deep into how he went from help desk to blue team to red team to running a consultancy, how he became the first Scottish chartered pen tester. That's a mouthful.
And also what the heck chartered actually means. The uncomfortable truth about UAE and its hiring processes, the paper search, salaries and standing out in this industry,
and how pen testers and red teamers should leverage communication more so than the hacky wizardry, as well as what it takes to build a business like Closed Door Security under pressure, the pain, the tolerance, hiring juniors and giving back to the community. There's also a crazy OSCP story in there you won't forget. Let's jump in.
Nikhil Mohanlal (01:15)
Before we go anywhere, did you know we have a newsletter? That's right. Visit cybytes.io forward slash newsletter. That's C-Y-B-Y-T-E-S dot I-O, not cyberbytes or by recites. Straight to your inbox, no spam, no fluff, just honest, useful stuff from myself and my amazing guests. You'll get new episode alerts, breakdowns and tools and techniques we may have spoken about,
some insights on building this podcast, articles or jobs we mentioned in the episodes, and some more chaotic, unfiltered thoughts of mine. If that sounds interesting to you, visit cybytes.io forward slash newsletter. That's C-Y-B-Y-T-E-S.io forward slash newsletter.
Speaker 2 (01:58)
Let's jump straight into it. All right. So I started this podcast, as you know, to kind of shine some light on the UAE cyber community, which is why I wanted to get you on. So I just want to give you the chance to first introduce yourself and kind of showcase to people who you are, what you do, what is Closed Door.
Speaker 1 (02:19)
Yeah, so for those who don't know me, I'm William Wright, CEO of Closed Door Security from Scotland, if you can't tell. And I've been doing cyber for probably nine and 20 odd years. My background is mostly sysadmin, so mostly on the defense side. And then around halfway through my career, about 10 years ago, I switched into the offensive security stuff.
A few years back I was forced into a position where I had to kind of fend for myself and decided to go off on my own.
So brave and unbeaten by the world, and very quickly got beaten hard.
Speaker 2 (02:57)
I didn't know that. I thought you were very much red team centric for a long time, but you came from defense.
Speaker 1 (03:02)
Yeah, well, my first job was building computers and help desk. You know, the cliche kind of career path. In cyber, you must have worked in help desk. I did. So I'm one that perpetuates that. My first job was first line help desk. And then I worked my way up to second line. And then became a server admin that moved into security engineering. So but back in the day when Cisco was the only firewall you could buy and ASA was it, there was nothing else.
I feel old now. The career path is very much the stereotypical, I'm now a pen tester, red teamer career path. I've done all of the things you can imagine and then made the jump into red teaming.
Speaker 2 (03:46)
Because that's something I've mentioned previously in other episodes as well, is like what you're learning about now is that typical path for those getting into cyber. Do help desk or work physically with computers. And there is benefit to that. But I'll get to that in a little bit. So you moved into red teaming, right? Which then you kind of enjoyed clearly because you were talking before the cameras started, you were about hacking boats and banks.
That then led you to get, or you kind of start chasing, to be chasing chartered, to get chartered. What is it to be chartered? Because I know just from general understanding, but for those who don't know, especially in the UK or UAE, what is it to be a chartered pen tester?
Speaker 1 (04:32)
So chartered itself is a thing that's part of the British Commonwealth. So it's an accolade given by the Royal Family to say that you're an expert within your field. Traditionally, it was more engineering, accounting, financial services, that sort of stuff. But very recently, the NCSC in the UK decided, OK, we need to get rid of all these random certifications and start actually building a professional path for people to be accredited and recognized so that all these random certifications can actually mean something in a single or almost like unified accreditation. So I was really lucky that I got onto the pilot scheme for that. So when they were first designing it, going through the initial stuff, the very first one they did was security testing. All the subdomains of security are going to be covered eventually, but security testing was one of the first. And it just so happened I had gone through the process of getting a specific exam, which in the UK is called CSTL. So the cyber security team leader. That tech was just almost perfectly, because that's when the pilot scheme started and one of the prerequisites was you had to have passed either that exam or one of the CREST exams that qualified within six months before. So it, like, it was just a really weird fate to happen. So I went for it, and the actual accreditation process, you could tell it was written by somebody who didn't have a clue about cyber and was academic, not practical. So it was all based around, you know, what white papers have you done.
Speaker 2 (05:49)
Yeah.
Right.
Speaker 1 (06:05)
and stuff and I never went to uni. So I'm going through the process with, I won't mention his name, but I have a friend of mine who's doing the accreditation process and I'm going, none of this really applies. But here's all the other stuff and he's like, okay, well, I've got to go off the form here.
None of these things really fit in, but what do you want to tell? So what do you want to say that you've done? And I started going through my experience, the things that I've done, the talks that I've done, the mentorship that I've done, all the other things that I've done within the industry to kind of support and bring up the industry. Because that's actually a key part of it as well, to be chartered. You've got, I forget the first one, I think it's associate.
And then you've got a principal and then chartered. So the main difference between a principal and a chartered is you've helped the industry somehow. So you've given back and you have a lot more experience to be able to almost run independently a team underneath you. So if you think of it like a manager's role, what they're trying to place it is a top end. This is as far as you can go in cyber. The reality is we all know there is no top on cyber. It's just they're trying to make a top.
I forgot where I was going with that.
Speaker 2 (07:17)
It's fine, go for it.
Speaker 1 (07:18)
Yeah, so I'm having this conversation going through the pilot scheme and telling all the other things. And I can't say for sure, but I know the application has changed and the assessment questionnaires have changed based off of the pilot because there was myself and some others, I can't take full credit. The ego lets me. The accreditation process changed to allow for all these things that are outwith academia.
When you look at cyber that makes sense, but when you look at chartered and how professional accreditations are made it doesn't make sense. So the engineering one is a great example, CEng, the chartered engineer. You have to have, I think it's a master's degree, in order to get it before you can even go near it, and I think it's similar in the accountancy world, you have to have gone through these academic accolades before you
Speaker 2 (08:10)
I see for accounting especially. Yeah, I would hope so.
Speaker 1 (08:14)
I mean, I kind of want my accountant to be educated. Exactly. But yeah, going through the process and then eventually I didn't think of anything about it. I just thought, okay, I'll do it. Why not? Help out. And then I got, they were like, yeah, you got awarded charter. I was like, okay.
Speaker 2 (08:16)
I made a new Excel sheet.
Speaker 1 (08:35)
That's really weird. I didn't think I deserved that. I don't I really don't think I deserve this, but OK. And so the first tranche of charter, there was about 150 people and I was the only one in Scotland. So I was the first ever chartered pen tester in Scotland. So I'm holding on to that really tight. It'll eventually become a LinkedIn. One day. And yeah, it's like if we talk about professionally, it's not really changed anything.
Speaker 2 (08:53)
Right on, yeah, was gonna say that's I did.
Speaker 1 (09:04)
From a professional standpoint, it doesn't change what I do day to day. There's no, like, I'm better than people or anything like that. But from a business perspective, being able to say that we've been accredited by not just the third party of like, you know, CREST, TKM, whatever, but to say that the British Royal Family's own accreditation has gone through the process and this huge
Speaker 2 (09:31)
You don't acknowledge that this is a thing,
Speaker 1 (09:33)
It's actually been really a massive boost to the credibility. Being out here, I'm not saying there isn't any, but I've not seen anybody else with it. So in the GCC, as far as I'm aware, I am the only one.
It's quite a weird experience because I don't, I class myself as a pretty average pen tester, maybe even slightly below average. There's no, I don't think I'm better than, somebody's always better than me. And I learn from so many people constantly. So having that kind of, you are the only one, but then that mindset of I'm not actually that good. It's a weird kind of battle inside. It's like, I almost feel like I don't deserve this.
because I feel like I don't.
Speaker 2 (10:22)
It cost me almost. But I think that's quite a cool thing to be in that weird limbo space, the way you described it, because obviously you have this recognition, which I'm assuming you do get a lot of recognition for, to be the only Scottish chartered pen tester, but then also having this internal feeling of, I good enough to even have that, be in this middle space, kind of keeps you humble, but you know that this is still useful for you. I think if you're in a different position to say, hey, I am the best, and because I'm the best, I then apply for this,
linear journey would make you feel a bit, I think you'd be in different position completely.
Speaker 1 (10:56)
The imposter syndrome never leaves. If it does leave, it means your ego has just taken over, and as soon as that happens you're done. Like, there's just no place for you in cyber at all. You have to put the ego aside and realize that there's so many things out there. There's so much training you can do. Yeah, I'm constantly doing training on both the business side and still on cyber. Yeah, I still do courses. I still try to do something. Sometimes I'll have a bit of fun and do random certifications.
But every engagement that I work on, and I don't work on many now, but every one that I do, I learn something and I learn something really interesting. It's not like, you know, I'm just learning a random command here and there, but I'm learning like, that's a new attack path, I'd never in my mind put it together, or I'm learning like, that new injection process, I've never done that. That's really cool.
Speaker 2 (11:48)
That's a good point you bring up about learning as well, actually, and this kind of falls upon this whole podcast, right, is knowing how to learn. And this has been my whole journey for the longest time. When I was at Immersive Labs and, you know, just starting off in cyber security, I was always this whole problem of like, I don't know what to learn. You know, I start off saying I want to go into red teaming because that's the sexy stuff, but then I get told that's not, because actually the real world is like this, and I feel
like, okay, I'll move into defense. That's the fun part, right? And so I constantly back and forth, constantly back and forth. And over this like next five or so years, I developed how I learned. That was my problem. It was not what I was learning, but it was how I was learning. And I guess I want to pitch that to you now. It's like, is something that you really did struggle to learn or are struggling to learn with right now? Whether it is a certification or whether it's something business related.
Speaker 1 (12:39)
When I started learning, there wasn't really any clear guidance. So I did my OSCP back in the day when you still did the buffer overflow. No, it's not.
Speaker 2 (12:50)
The longer part of OSCP. Wow, that's the only thing I remember about OSCP.
Speaker 1 (12:55)
There's now Active Directory and a bunch of other stuff, which makes sense. Yeah, you know, times move on. But back then there was not really any unified source of information, there wasn't a clear path yet. You know, you had your certification companies who made the paths for specific stuff. But you were very much on your own unless you managed to find a mentor. I never, I wasn't lucky enough to find a mentor. And really for me it was learning how to trick the dopamine, because I hate learning.
I was terrible at school. As I said already, I didn't go to uni. I flunked out of college. Education is not for me.
But the adrenaline and dopamine rush of breaking the machines in the lab was enough to almost make me addicted to, how can I do the next time? And then going through the exam, again, you know, a bit of an inside story. I did my OSCP completely drunk.
Speaker 2 (13:53)
Damn! There's a hook right there.
Speaker 1 (13:53)
Yeah, like a whole bottle of whiskey drunk. Yeah, that's your intro.
They started doing the exam
and realized very quickly, or the imposter syndrome kicked in, and I've got no chance to this. I'd just worked a night shift. So I came off the night shift straight in the exam, which was a terrible idea. That was a really bad idea. So I was absolutely exhausted, started doing it and I was like, I just couldn't get anywhere. I couldn't get a foothold. Even so then there was like one metasploitable portable. I couldn't even get that to work. So I was like, I'm done.
So I went and got a few hours kip. And then when I woke up, I just cracked a bottle of whiskey and was like, I'll run, let's put some music on, bottle of whiskey. And I got like, I'm probably about 12 to 14 hours in and I started getting stuff. Okay, now I'm going. I got the buffer overflow machine. I've got a few of the other ones. And then the whiskey just kept going. And then coming to about hour 20, I'm like, oh yeah, I a whole bottle of And this was before they were proctored as well. So you just had the IRC.
Speaker 2 (14:52)
I'm
Okay, right, right.
Speaker 1 (14:56)
So I'm messaging, and I remember this vividly, I'm messaging the guy because one of the machines, I couldn't get the exploit to work. And then I look back on the chat history at the end of the exam and I'm like, none of that makes sense. No wonder this guy didn't tell me. Literally, literally. But yeah, the interesting thing is being drunk actually gave me the confidence to try stuff in the past. And then had an absolutely horrible hangover writing the report the next day.
Speaker 2 (15:10)
the key.
Of course, he goes right to the
Speaker 1 (15:28)
But that was my kind of first real experience. I'd done a whole bunch of Microsoft exams before that. So I wasn't a stranger to an exam. But I was a stranger to such a high pressure. The only training I've done is in a lab. Nobody sat down in front of me and taught me stuff. There's no book. There's no, I can't go off and Google stuff because there's really not stuff there. You are on your own in front of this.
And that was an amazing experience. And as the years went on, I started doing more and more exams, different stuff, different courses. And I really learned that the things that caught me were the ones that were almost gamified. So the gamified training worked really well for me. What's interesting though is CTFs. I'm useless in CTFs.
Speaker 2 (16:14)
You know what's really rubbish, that's quite funny you say that, because I feel like there's this weird shift happening with CTFs. Yeah, there's a lot of people coming out with CTF platforms or encouraging people to start with CTFs. But if you look at what existing training companies are doing right now, they too are moving away from CTFs. Yeah, right, which, I mean, Hack The Box. Yeah, right. They were the original
the mass produced one before Vulnhub or during Vulnhub. And now they've obviously gone into defense. They're trying to build a range and certifications and things like that. It's clearly that I'm not going to bash the CTFs, right? But I hear the same comment from all other pentester friends saying CTFs suck because they don't teach you anything. If you're going in there to learn, you're not going to learn the appropriate thing. You're going to learn maybe a technique or two, but it's not going to be, this is why I'm doing this.
It's just, you're doing it for the fuck of it.
Speaker 1 (17:10)
Yeah, pretty much. I've got a guy that used to work for me and I would class him as a good friend. He's handled to Freddy and he's probably one of the best CTF players in the world. But he's one of the few who I was actually able to translate that into actual pentesting.
He is phenomenal at web app testing, infrastructure testing, the whole lot. But he trained himself through CTFs. And I've never met anybody who was able to do that properly and then translate it into, like, a business perspective. Usually it's, as you say, it's, you know, it's like you just learn how to break puzzles. You don't know how to test. There's a thing in the UK called the CHECK scheme, and as part of the CHECK scheme, in order to do tests for that you have to be accredited
to a certain level. And the exams for the lead tester for this, it all focuses more around your ability to identify weak things on old aged infrastructure.
So it's really obvious stuff and it tries to pull out your networking knowledge. How, you know, it's all about pivoting. It's about finding stuff and like clear text databases. It's really obvious in your face stuff. Whereas CTFs, like I've done CTFs. I've never got anywhere high on any of them because my brain just doesn't work that way. I don't do well with puzzles. Like I'll be looking in places and it's like, it should be there. Why is it not there? It's somewhere over here.
I can't compute that.
Speaker 2 (18:43)
It's, think, from the bigger picture side of things as well, I if you look, I'm only one to say from one perspective, because I've only been in this industry for about 10 or so years. Maybe you can even say more, but I mean, like, what I mean is...
Kind of going back to the whole perspective shift as well because with this new influx of joiners coming in, new joiners who are learning about cyber on YouTube or they're introduced by a friend or something like that, and they just tend to have the technical skills, but they never trained in cybersecurity.
So they then go into a CTF and be like, hey, look, this is false. So why should I care? And this kind of thinking of why should I care is becoming a little bit more prominent. Why am I training for the thing I'm training on? Why should I care about this one SIEM event that's come up? Because that gives you context and that's key for anything.
And that context provides value in actual real world environments, not just, OK, I'm hacked a box, right? Exactly.
Speaker 1 (19:40)
The skills that you learn in the CTFs usually, for the most part, can only get you so far. There are some talented people out there who are just absolute whiz kids. The guy I mentioned before, I've never met anybody like him. I'm sure there's more. But for the vast majority of people who are spending their time doing CTFs, you're just essentially training your brain the wrong way. You're not. You could argue that the puzzle, the cryptographic stuff kind of helps to open the mind a bit.
But when you apply it to real life scenarios, how often are you going to go and decrypt an SSL certificate by hand? Probably never in a job. It's just not happening. But I've seen CTFs where you have to build a decrypter for an SSL certificate and strip it out the traffic. Why am I doing that?
Speaker 2 (20:28)
It's just like ambiguous puzzles that make no sense.
Speaker 1 (20:32)
But again, some people enjoy it. And from an enjoyment perspective, yeah, absolutely. I was just saying, just not for me. And I don't get on with them.
Speaker 2 (20:39)
Fair enough.
I want to pivot into the other side of training as well, because obviously cyber is a very technical space. But in this region, it's not so much or it's kind of developing. How important is it, would you say, when it comes to communication skills? Because personal experience, is way more above than anything else. I still don't know some of the things, like some technical stuff, but I'm learning as we go because it's easy to learn.
But the communication elements of being in this industry is so freaking difficult.
Speaker 1 (21:11)
I think the problem is we're all, or the vast majority of us are hugely autistic. getting over the social, how to act social is quite a challenge. The issue is, if you look at it from a career perspective, if you can't portray what it is that you're trying to say in a way that people who aren't like you, you're going nowhere. It doesn't matter how skilled or how technical you are. Yes, you might get grabbed by some research group, maybe.
Speaker 2 (21:23)
Yes.
Speaker 1 (21:41)
But for the general, even in SOC positions, in red team positions, wherever you are, you need to be able to communicate what you're doing. If you can't communicate, you're just going to fall flat on your face.
Very few employers will keep people on who can't communicate unless they have a really specific skill set and they'll sit them in the background and they will literally put somebody in front of them to translate to make it so that the person on the other end can understand what this extremely talented person is saying. But some of the pen testers, some of the best pen testers I've ever met, when you look at the technical skill sets, they're not actually anything incredible. What they are incredible at doing is portraying that risk that they've found to the business in a way the business
In a way the people who are non-technical can actually go, okay, I need to fix this. This is actually a problem. I need to do something about this. Communication is massive. Now out here you have a really big problem because there's a huge mix of languages. You know if you're looking at places like the UK, the US, the predominant language is English. Here the predominant language is English as well. However, there's mixed levels of competency and you tend to find that
People who speak the same language will speak in their own language when they're in the middle of a conversation. Because they're just maybe not comfortable speaking English or maybe not comfortable speaking Arabic.
whatever language it is, and you end up getting cliques. The problem is these cliques can't then translate what they're saying out of their clique. So you end up with security teams who are, yes, absolutely highly skilled, amazing, but they can't translate what they're doing to the business. So the business thinks they're just an expense. They're not doing anything. They're not really adding value, whereas security should be the number one driver of value.
Speaker 2 (23:27)
Yeah.
How can someone then get better at that? Right? Because my suggestion always to, whether it's management or whatnot, even though I don't have that much influence at the current stage, my suggestion is always to get involved as a techie. Maybe it's like an L1 or L2. It's always to try to present. Try to present, because it's tough. It's really tough. Even though you know the content, you might know what we might be talking about. I remember trying to encourage
lightning talks when I was in the SOC, and it genuinely helped me. Trying to do my first ever lightning talk, it was a generic talk about zero trust, it was boring as fuck cared, but I was put in the position where you kind of had to be the expert even though you didn't, you had two days to prepare. Yeah.
Speaker 1 (24:18)
to know what you're talking
Speaker 2 (24:19)
Exactly right and I think that is That's always been my suggestion to to really put them in that position to talk about something because when you eventually do get to a position you're sweating your ass off you're like How do I explain SQL injection to this guy?
Speaker 1 (24:33)
Like public speaking is probably one of the hardest challenges I've ever done. I've done quite a few things in my life, but there's nothing that's quite got me so nervous other than getting married to my wife. Nothing's got me quite so nervous as doing public speaking.
But that came way later in my career. I got really good at communicating from the help desk. Again, I know that's cliche to start the help desk, but you have no choice. You literally have a phone strapped to the side of your face. And there's somebody on the other end who doesn't know what you're talking about. You have to try and talk them through it. And that's one way is going through that.
Speaker 2 (25:11)
What does the on button look like?
Speaker 1 (25:13)
There's the old joke of pick up your keyboard and walk back. Did it come with you? But the communication is so difficult to build and I actually very recently learned a trick for public talking. And by recently I mean no more than a month ago. By the time this goes out maybe two months. I was speaking to a peer.
And I was telling him about how I go about masking, you know, the masking, making personas so that you can build the confidence to do it. And he said to me, said, that sounds exhausting. I'm like, yeah, it is. I'm absolutely, you know, mentally drained afterwards. And he said, just don't give a fuck. So his method is, I literally don't care. That is his persona that he makes. Yeah, I don't care.
Speaker 2 (26:06)
You know what, that really helps, because I remember for me it was always a big issue as well. Communicating to people. I was always told later talk too slow or talk too fast or I'm too cryptic. And I've always been in bands since I was a kid, right, and it took probably three or four years to get over stage fright. I remember I used to get so nervous I'd be in the bathroom for like seven hours before I go on the show, like, I had to prepare for that seven hours, right, because I knew I had a show coming, but
it's always been the stage fright. I could never get past it.
Speaker 1 (26:40)
Still have it.
Speaker 2 (26:41)
Right, it comes from time to time, but I think it was this shift of like, why am I caring so much? I'm being paid to be on this stage, or I'm being asked to be on this stage to be who I am. So why should I put anything else but me? It might sound a bit cliche, a bit like kind of cool-y, but like it helps a lot because the moment you play that first note or the moment you say your first line on your presentation, it just made it so much easier.
I can confidently go up on any stage and be like, hey look, let's talk about this, whether or not I know what I'm talking about, but I can make do it like an improvise.
Speaker 1 (27:19)
Yeah, I have a tendency to be very articulate a lot with my hands. And there's been multiple times where I've been in the middle of a talk doing a presentation in front of people and
Speaker 2 (27:24)
Me too.
Speaker 1 (27:32)
I've hit the laptop off the stand. Oh God. And it disconnected and everything and everybody's laughing. But the funny thing is, is those little moments then lighten me up and I'm like, oh, okay. Exactly. It's just a bit of fun here. But it's funny you say about the seven hours in the bathroom. So my first ever public talk, I prepared for three days. The talk was to 15 people.
Speaker 2 (27:41)
you
Speaker 1 (27:53)
in a football club in a really remote part of Scotland. So it was very insignificant, if you like. And to get there, I had to drive, on a ferry, drive four or five hours and stuff. And my wife's in the car with me. The entire way, she's sitting with a laptop on her lap.
going through the slides as I'm reciting this often reciting this often I'm going through it and I've like three days just practicing practicing practicing it's a 10 minute talk it's not even it's not even technical this is speaking to people about like accountants and stuff we don't know anything technical about ransomware but it's my first ever one so I'm absolutely shittin' myself
And in the hallway and even in the morning as we're driving up to the place we're practicing on the way and she said yeah You've got this perfect don't soon as I up for go I put the laptop if we look at where your laptop is probably the same distance away, right? But it was down and I'm standing up so I couldn't see the script So it's soon, but as soon as I stood back and looked everybody went
But at the same time, was getting the thing off. So the first ever talk I had the laptop. So I've kind of got this running theme. I did a talk at the British Embassy during GISEC. And you can, if you watch a recording, you can see I'm holding myself on to the podium. As the talk's going on, I'm backwards because my feet, I'm like, instead of with my hands, I'm doing it with my feet.
Speaker 2 (29:13)
Yeah
You gotta move your foot somewhere.
Speaker 1 (29:23)
And
the last five minutes you can barely hear what I'm saying because I'm so far away from the mic.
Speaker 2 (29:30)
My god, that's something, drummers have drum pads so the kick drum doesn't move in front of them. Man, so I want to pivot into entrepreneurship, if you will, or Closed Door Security and how that came about.
Speaker 1 (29:34)
Exactly.
Speaker 2 (29:46)
Because you were telling me earlier about how you started everything and before the pod started. Because
the flow is like, you're typically working like a corporate environment, like maybe you're, you know, working a big ol embassy or something, and they like, screw this, I've had enough of this. I don't deal with some person, I need to build it myself. Yeah, and so then you'd go off and make your own business or consultancy or whatever, but it was a different story for you, was that, yeah
Speaker 1 (30:07)
It was I was forced. I didn't have a choice. At the time, I was working a contract and role in the UK and contract and roles in the UK. But basically it was you were essentially a business and you were hired in a contract. Now, the downside of that was you could be dropped in a second. So you get a decent salary, get a decent wage and you get lots of really good roles.
you could turn up the next day and be gone and that essentially happened. I turned up one day and it was like, you're not getting in here, goodbye. So my entire income was gone. Being young and stupid, I didn't have any savings. I was living, I was having a great time. I kind of was in a situation where I didn't have a place to rent at the time because I was working on military bases So I'd stay in and around there. They would put us up in accommodation.
So I was literally essentially on my ass out the door one morning with no warning at all. So what I had to do was figure out something to start getting an income. The traditional way is you were going to get a job and then just do something else.
I've always had this anti-authority. I've always, throughout all my roles, I've always thought knew better than everybody. I always hated being told what to do when I knew it wasn't right. And when I knew it wasn't good is probably one of the key things.
So many points in my career where I had to do things where I knew it was bad quality or where I knew it was the wrong choice. But because I was not in a position to fight it, I didn't. So there was this kind of, there was that spirit was almost there already. Kind of, I could do this. I can go out on my own. I can, the cliche, I can go and choose my hours. That didn't happen. It was there. Yeah, I didn't get to choose anything. Everything was put on. And yeah, I started doing something in the UK called Cyber Essentials,
which is a GRC, essentially a GRC. So I just took that and started running with it. And I was really lucky that at the same time I landed a pen testing contract. So almost at the same time as becoming a GRC expert overnight, really easy to do, I had landed a pen testing contract. So I had these two, if you like, jobs.
my god.
I can't keep doing this. There's too much work going on here. So I started actually hiring people. The first few didn't really work out. They weren't great. They were young, really enthusiastic, but they just caused more problems. But I was spending more time doing their work.
than they were, and I'm paying them, and I'm not taking a salary because I'm trying to reinvest everything. So I'm I'm paying you for me to do your job. And it started grinding me down, and it was really difficult. But I got quite lucky. Again, just the right place at the right time. A contract came out through the Scottish government for a funded Cyber Essentials Plus contract.
that gave me enough work where I was like, okay, I can't do this on my own. need somebody who can actually do this so that I can focus on the pen testing.
guy who's still with us now, a guy called Connor, he joined the team. He was the first real employee and he's been with me ever since. That's really was like the initial journey was very much: I have absolutely nothing and I need to do something, to then I have too much and I can't do anything. And to be fair, that's kind of how the rest of it's went. It's now, it's now very much I have so much going on, I can't do anything else.
which is a different challenge.
Speaker 2 (33:56)
I mean, congrats, only. That must be intense,
Speaker 1 (34:00)
It's very intense. I don't get much free time. Whatever free time I do, I spend with my wife because the poor girl barely gets any time with me. I don't do anything else. I barely go out and do anything. I'm either working or we're going out on a date or something.
Speaker 2 (34:18)
There's this whole thing about, obviously, building your own business, and it is tough to do. I'm not gonna sugarcoat it, not that I do it, but like, I hear stories from guys like yourself, and it's like, it's not just, hey, make a business and go buy a Lambo and live off it. Yeah, it's not that easy. So, I mean, there's a lot of hidden cogs to it, right? I mean, what was it like building Closed Door Security from where it was to what it is now? Because now you got stationed up in Scotland, you got stationed up in US, you're based out of here as well.
and it's obviously growing quite well.
Speaker 1 (34:49)
Yeah, it's every single day has been more difficult than the last, to put it frankly. The day that I thought was the hardest was never the hardest. And every day that I think, my God, this is horrible, the next day is worse. You essentially, you build this tolerance for pain and anxiety and stress and you just become almost hardened to it.
And over the years you start to develop and like, if I look back at year one, I'll be like, yeah, that was pretty tough. But the stress levels that I felt then, if I was in the same position, I'd be like, this piece of piss. What was I worried about? Everything's going to be fine. Versus now it's really, really intense. It's really, really hard. Like the entire team is flat out constantly. The guys are doing amazing work.
put a lot of pressure on them and they absolutely kill it every day. probably the biggest challenge they faced was me, my own worst enemy, sabotaging myself, the imposter syndrome, taking advice from people who I shouldn't have been taking advice from and just...
being in the wrong mindset to build a business. I'm not the most successful entrepreneur in the world, I'm not claiming to be, but there is a specific mindset about it. You have to stop thinking about you, and you have to think about everything. So there's probably the biggest pressure and the biggest thing that differentiates so you can understand if you're in that place is...
you become responsible for everybody else on your team's livelihood. So if you don't perform, they lose their house. Their kids can't eat. They get homeless. They can't pay their car. And that's you. It's not them. If they mess up, that's your fault. That inner accountability that every single mistake that happens every single day is your fault.
You see a lot of people who try to start business. There's an example of a company, I won't say who they are, but they came out here at the same time as us. And instead of embracing the challenge, they blamed everybody else for it not working. So they blamed DESC for the accreditation, not rolling them in money. They blamed the culture for not being able to win deals. They blamed everything and everything possible.
like to think that we did the exact opposite. We embraced all the challenges. Said, okay, this is a totally different culture. We need to learn how to operate within this culture. This is a totally different regulatory environment. It's not actually, but they make it look like different words. And learning and going through all those challenges was probably the introspection every day of saying, okay, if this isn't working, it's me. It's not the sales guy. It's not the engineering team.
dentists, it's me, because I'm the one who has to figure this out. And that shift happened probably like six or seven months in, around the time that I hired Connor. Because he a bit of a sentimental story. He had his first daughter around the time that he started working for us. And he won't know this. So if he does watch it, he'll finally find out. Fuck you, He his daughter was born in a
I just always, those really tough days, I would remember and say, if I don't do this, she suffers. Not him, I don't care about him. She suffers.
things like that little things to kind of bring your mentality in, look at yourself, become introspective and accountable for all the things that you do was really, I think that was the pivotal point that kind of went from we're just messing about here making some money to actually okay we need to really improve things, record our problems, record the lessons that we're learning, improve efficiencies and just get better overall.
Speaker 2 (39:07)
Because I was going to ask like when was that moment? Obviously you just said, right, and it's, it's not just ever one moment that ever happens. It's, you know, it's, it's chipping away at you. Yeah, yeah, you to think okay wait a minute. This is more than just what, this is more than just me. Are you, like you said? And I guess that would, that kind of begs the question like what's, what's going to come next for Closed Door?
Speaker 1 (39:27)
That is the big question. We're obviously starting to really build the foundation out here. We're making leaps and bounds in the UK and the US as well. Saudi is obviously on everybody's radar just now. Mainly it's just doing more of the same stuff and building relationships. We don't do the traditional selling that you see a lot of people do, know, the cold call and all that kind of stuff. of our relationships are actual relationships.
our customers, can, I could probably take them out for lunch and they'd be like, like we're sitting and talking right now. Um, every year we do a partner event where we take a bunch of our channel partners somewhere. Uh, a few years ago we went to a place on the island of Lewis, rented it for a week, did whiskey tests and went fishing, dolphin spotting, climbing mountains, pulling a trek and the whole lot. Like it's building a proper relationship with our customers.
customers and genuinely being able to be almost a confidant when it comes to security for them because we specialize in Red Team Pentesting. We don't do anything else beyond that.
So we get a lot of people coming to us and asking, what about this MDR? What about this EDR? And because we are not selling it, there's actually some kudos behind what you're saying. You there's some weight behind it saying that this technology is probably what you need to fit your budget and your requirements. And they know it's not coming from a place of, I'm going to profit from it. It's coming from a place of that's probably the right thing to do. And that, those relationships and keeping those and just building more of those.
Now, obviously there's a limit to that. I'm only one person. So with that in time is going to come more people. I mean, at the minute we've got a great team, but eventually the team will have to expand. I mean, we're at this point in time, we're doing really well commercially.
very very proud of the entire team for, for what they're doing and what they're delivering, but there is a certain breaking point. You know, if you think of an elastic band, you can only stretch it so far. So yeah, it's just gonna be more of the same and try and really to differentiate ourselves in the market as a point of trust, yeah, rather than just another commoditized pen testing company. Yeah, it does pay
Speaker 2 (41:45)
Having DESC helps as well.
Speaker 1 (41:48)
It does a bit. I'm in the UK Council for CREST in the UK. I do some work with DESC and just try and really get myself out there with the regulators and stuff like that. That really helps to credibility. But let's not beat around the bush. Pentesting is commoditized heavily. So differentiating is really difficult. I think we've got a good model of doing that with the threat-led pentesting, which obviously you saw my talk about.
that the threat led pen testing is just so much better so much more precise and probably costs about the same as what your commoditized VAPT is.
Speaker 2 (42:29)
It's backed up well, right? It's not just some random service. It's coming from a place of...
Speaker 1 (42:33)
Yeah. And the, the output that you get is much more customized. So, you know, we're actually emulating or simulating APTs within your business while still delivering all the standard VAPT style stuff that you would expect and being able to contextualize that and output it in a way that the business says, okay, so yeah, we've got all these critical vulnerabilities over here, but you can't exploit them. So it doesn't matter. So we don't need to focus on that. But what we do need to focus on is our, you know,
our email platform isn't catching phishing emails. And if a user clicks it, you can grab the session, stuff like that, and then contextualize that so they can focus their investments as well. Because at end of the day, the business has to make money. And if the security is coming and say, you need to spend all this money on all this random things. If somebody came to me and said that, the first time I say, why? No, I'm not spending all that money. It's got to be focused. I think the product and the service that we've put together,
really will make a massive difference to those who use it. And all of our customers who have gone through that so far absolutely love it.
Speaker 2 (43:40)
It's apparent that having a good product, having a good service, that's clearly quality. It's being recognized by such an authority. I think kind going back to the point of the presentation, in your presentation you talked about being...
being that person for the country that you work for. This is why I wanted you on as well, is what does that actually mean? When you mention that, it clearly, it resonates throughout your entire messaging. Not just like, this is who I am, this is I learned recently. You can see it throughout Closed Door Security, how you talk about it online, how you talk about just the country and your services and what you actually do. It's very apparent that you're trying to do a service to the country that you live in.
is something that really hit me hard recently because I've been in this industry for a while now.
Again, it's always been like a money thing for me, right? Get some good money and come to Dubai, get no tax, whatever, la la la. But I think I always struggled with this thought of purpose. Why am I doing what I'm doing? Okay, I can train people, I can teach people, I can do some incident response and some forensic stuff, but okay, I enjoy it. But what is the purpose for that? I can teach anyone how to hack, right? Or I can teach anyone how to defend, but.
When it came, it just kind of subconsciously came to me, especially in my current role. I'm helping these people out and I'm seeing their transition from new joiners into actually developing into kind of knowing how to direct their own career as opposed to just being blindsided by everything. That kind of impact.
it was nice to see and I'm realizing, oh, wait a minute, this is happening in this country now. And I'm like, okay, maybe this makes more sense if I start to think about it this way. And then I saw your presentation and I'm like, oh, wait a minute, this makes more sense now. Like, how does someone come to that realization?
Speaker 1 (45:34)
So I think the main background behind that all is nobody helped me. The entirety of my career, learning how to do what I do, there was not a single person to help me. I had to go and find that the hard way. And if I had somebody to guide me, somebody to point me in the right direction, I probably could have cut that career path in half. But I learned things the hardest way possible, probably through my own choice. to be fair, I still do things the most difficult way I possibly could.
But that kind of created in me this...
almost mentality that if I'm not helping somebody else, why, why do I exist? There's no point in doing this just for me. It's the, it's not philanthropy. That's totally not what it is. It's more of this feeling that if I'm benefiting from something, everybody who's with me should benefit from it. It's not, it's not about something called like communism, but it's not that.
Speaker 2 (46:36)
company.
Speaker 1 (46:38)
The UAE actually in the cyber strategy, one of the things that they mentioned was that they want to foster international national relationships to help increase the skill set. Now, if we are here doing good work and growing the business here, we should be investing back in the country. Be that through unpaid talks at universities, training things, helping with regulations,
doing charity pen tests, we do a couple of them occasionally, things like that and 971Sec shout out, they give them back to communities like that where people are actually interested in what you're doing. It's really easy to sit in a room and teach people.
but it's not that easy to actually make an impact. And that's what you just talked about. You can see a proper impact when you make one. And I'm very passionate and really enjoy when somebody somewhere comes up and says, by the way, what you said or what you did or what you said to me actually was really important. And you helped me like that's for me, that's priceless. And if I can get that from,
you know, somebody in a very senior role in government or whatever, it's like, okay, you're great. But I'm not targeting them. I want to help the people who are in university and don't have a clue what they want to do.
You know, the people in cyber degrees just now who have spent four or five years, got the end and like crap, can't get a job. But I want to kind of get to them before they get to university. Exactly. I want to speak to them before that, helped them to, to point where they're going. And that's where like customized training really comes in helpful there because I genuinely truly believe university degrees are massive waste of time in cyber, waste of time, waste of money. There's very, very few situations where it's a benefit.
Fair enough, if you're in the US, you have to have one, otherwise you're not getting a job. I get that. But in the period of time that you spend in a university, you could do some targeted focused training and come out 10, 15 years ahead in relative terms of somebody who goes to university and gets a degree. It's just night and day because the knowledge that you get at university is very generalist. Even if you do specialisms and you go through
target your training classes and stuff. You're still learning generalist stuff. Now, am I wrong again? There's exceptions to that rule. There's some great courses out there where, and there's some great people come out of university. That's not to say anything about the people. But if you spent those three years instead doing really focused training and certifications and maybe doing unpaid jobs, internships, whatever, and focused on that, you would be so far ahead of everybody else and probably much more useful as an employee and
to society as a whole.
Speaker 2 (49:45)
Exactly. Yeah.
And it's, that's something I'm realizing now as well, is there is this disparity between university students graduating, whether it's here or anywhere else. And then them obviously, obviously, they struggle to find the job first. But then when they do get into the job, it's wait a minute, there's nothing like what I learned at university, this, I'm not doing this. What do I, what, what is this tool? Right. That was my experience as well. Right. I, I from university, I struggle to find a job and I eventually landed the job I did, which was
creating labs and things like that, I learned loads. But again, I never really worked on a SIEM tool before. I eventually got this L1 position. I'm like, the fuck is this ArcSight tool? It just makes no sense to me. And I'm seeing that still. This was done, this was like four years ago. I'm still seeing that now. And...
I think there's a problem is it's not so much the course itself and not so much the lecturers or anything like that with the universities, but it's, the exposure that these students aren't getting. And it's, it's, it's problematic because especially for a country that's developing so quickly that needs, you know, that, is spending and investing into training, into upskilling existing, existing talent here. It's that is important, to bring these students or new joiners, having them exposed to this type of environment,
where they can learn it safely, not just learn it for the sake of, okay, I'm learning how to use a CTF. It's, okay, why am I blocking this IP address or what does this PowerShell script do and why do I care about it, right? And so I think having that exposure is definitely a key thing here.
Speaker 1 (51:17)
Yeah. So the UAE do something, which I'm not saying other countries don't, but I've just not seen it. And if you work for one of the government departments, they have this skills matrix. It's genuinely wonderful. And basically it outlines career paths for people who want to work in the public sector and all the different steps, what they need to do, how they need to get to it, the skills they need to learn. And they'll put them on programs to like for pen testing, for example.
They put them on shadowing. They'll go and secondment with people. Here's the exam you need to do. Here's what this job title is and here's what you need to get to. It's wonderful. So if you come to the UAE as an expat or even as a local and you're working in government, there's clear paths on how to progress. But you're going to the private sector and that just does not exist. To be frank, that's most of the world. There's exceptions like the UK have got structured programs. The US have got structured programs.
But generally, it's a free-for-all, it's me. So here, if you come out university and you don't go into government, you become one of those...
floating people who don't have a clue what they're doing. Now in the UK, I occasionally get asked to give feedback on courses for universities and one of them recently that I gave some feedback on, I was going through the degree and all the syllabus and everything and I'm like, this is actually good, but it's just disjointed. So I went back to them and I said,
identify careers. So I went back to them with three examples, GRC, blue team, red team. Nice and simple. I said, now align all your extra career, I can't say that word, extra career. All of the additional.
Speaker 2 (53:05)
Extra crispy.
No.
Speaker 1 (53:14)
courses that you can do in university and align them with a career path so that they still get the core learning of the degree. But if they want, they can then specialize in these career paths. So all their additional learning, like say if they wanted to be pen testers, all their additional courses that they would do outside would be directed to pen testers. Like report writing, vulnerability management, exploitation development, vulnerability research, all that kind of stuff on top of
the core syllabus. Or for SOC, it's SIEM, how we manage alerts, incident response, detection engineering, stuff like that. And again, for GRC, looking at policies, what policies exist in the world, how do you apply them to business? And that actually got wonderful feedback. I have no idea if they've implemented it. Universities kind of have a responsibility.
Speaker 2 (54:04)
Just about to say that.
Speaker 1 (54:06)
Yeah, they are perpetuating this by not doing that. Now it's not difficult. Yeah. Like all I did in that situation was take their existing coursework and structure it in a way it says, this is actually what, if you want to do that job, here's the things that you need to learn. Here's the courses that you need to take on top of everything else that you're doing. And that when you come out of it, you'll actually be in a place where it's like, okay, I can probably do this job. Yeah. Yeah. You're not going to be a senior by any means and whatever role, but you could go into a role and probably know what you're doing. And
It's almost negligent, honestly, on universities. I don't hate on universities much, but it's such an easy thing to fix. Now I understand that they've got regulations that they need to apply to. They have structured programmes that comes from wherever it does, they're regulatory bodies. They have to fit within these merits, these learning metrics, whatever it is. But still.
It's so easy to make this better. If we, as people who are more developed in the industry, yourself, myself, and other people, if we put the pressure on the universities to say, listen, the people coming out aren't good enough, you are the reason, here's how you fix it. So not just pointing fingers and blaming them. Here's the solution. Let's go off and implement it. Let's do it.
Speaker 2 (55:23)
actually providing solutions.
Speaker 1 (55:29)
I think that would make such a huge difference. That kind of feedback into the giving back. Yeah, we're talking about UAE because we're here. But anywhere in the world, you can apply that. If you are someone who is at reasonable level within their career, you will have influence on something. And if you can influence that so that the person who's receiving the influence is better, then absolutely go ahead and do it. Some people will do that at a government regulatory level.
Some people will do it at a classroom level. Some people might do it on a discord level, you know, in a specific discord channel or something. But being able to give back, if you can improve somebody else's life, why not? Like what's the point in us being here if we're not making everything better for everybody else that's coming up after us? we're not going to be here forever. Yeah. It's very existential to think about, but.
the people who are coming after us have to be better. Otherwise, society as a whole just disappears.
Speaker 2 (56:28)
it takes the selfishness out of it. Especially I mean, it's tough to get out of that headspace in this country, though, I'd say, because obviously everyone coming over here is like tax free, raise whatever. But it's amazing. Right. Sure. But then again, you will lose that sense of enjoyment within a year or so. It will go away for sure. And then you'll be like, well, why am I here? What's the point? I need a purpose.
Speaker 1 (56:38)
Yeah.
Speaker 2 (56:53)
And then you will just forget maybe you want to move out, right? And maybe that is a journey for a few people, but having that sense of purpose of this is what I'm doing, whether it's for the company or for the country, for the people in the company, it gives you this feeling of like, okay, I'm still giving back.
Speaker 1 (57:09)
You could almost call it legacy. It's one way to do it. know, if you can, if you can go somewhere, a country, a place, a university, whatever, and you can tangibly change how things are and you can see it, then that is your legacy. You know, that is your impact upon the world. And in cyber security, we're in this kind of really weird place where there's so few of us that you actually can make a massive impact. Whereas, you you go into any other industry, like to be the,
a joiner that makes a huge impact is so rare. It's tough. Because I mean, shout out to joiners, by the way, they do amazing work. Big fan of joiners. But the, you know, the carpentry and stuff to become like a master craftsman takes decades. And but there's so many of them because there's so many people coming in and do it. Whereas in cyber, you've got this very pyramid shaped
Speaker 2 (57:46)
You
Speaker 1 (58:04)
population where there's very very few people at the top who are actually... yeah who actually know what they're talking about.
Speaker 2 (58:12)
Primo, primo.
Speaker 1 (58:16)
I would say I'm under, but there's some absolutely wonderful people out there, but there's so few of them. And once they actually gain influence in whatever it is that they're doing, the impact they have is significant. It can change entire global regulations. You don't have to look far to look at all the OWASP chapters. Very, very few people who are in control of the OWASP chapters, but what they do, impact globally. Like the top 10, everybody knows the last.
Speaker 2 (58:44)
It's in every job interview. It's in every job description. Give me number seven.
Speaker 1 (58:47)
Don't ask me. The
the that's the kind of the impact you can make. You these little communities and groups that grow up that BSides BSides is such a tiny idea. It's a tiny idea. The idea is literally I want to tell some cool shit. Yeah. Who wants to listen to it? Yeah, that's it. That's the whole premise.
Speaker 2 (59:12)
There's
no sales talk. No, there's no product selling or anything like that
Speaker 1 (59:16)
the impact that those have on, you'll get CISOs there, and you'll get people who are not even in university yet, are just interested there, and you get everybody in between. And I mean, I went to the first one here in Dubai, and I remember the talk by the guy from Kaspersky. I'm like, shit, this is amazing.
Speaker 2 (59:33)
Yeah, yeah, I that one. It was really sick.
Speaker 1 (59:36)
It was such a good talk. And that had an impact on me. don't know if obviously, oh, no, it never feels like that. But that's an impact. And that's how easy it can be. You don't have to go out and lobby government, but just give something. And again, it doesn't have to be talks. It can be somebody on a Discord server who's asking you advice. And instead of trolling them, you actually give some tangible advice.
Speaker 2 (1:00:01)
Don't join Cybersecurity
Speaker 1 (1:00:04)
Yeah, it could be somebody you meet in university who you know something they don't and you share it in a way that they're able to understand it. It can be really simple little things. And then in a career perspective, once you get beyond that junior level is being the change that you wish you had. So I've been a junior. I know how horrible it is. I know what it's like to make the coffees and get told to shut up. The going through that process. And then once you get to the way
you have juniors under you, it's like treat them how you wanted to be treated as a child. Doesn't mean don't tell them we're gonna make the coffees because that's the rite of passage.
Speaker 2 (1:00:41)
Don't burn that shit.
Speaker 1 (1:00:43)
But actually, you know, giving them the opportunity to learn, the room to grow, the room to make mistakes. That's huge in a career. There's so many people who are so focused on not failing and in cyber specifically because the, let's be honest, the risks are pretty high. If you mess it up, you're going to make a pretty big mess. You can take down a whole business or country in some senses.
Speaker 2 (1:00:50)
Yeah, honestly.
Speaker 1 (1:01:10)
The impact is massive
Speaker 2 (1:01:15)
you're right there. Having that space to make mistakes. It's tough to make mistakes in this industry because obviously to learn anything you have to make mistakes but in this space if you make a mistake you're fucked.
Speaker 1 (1:01:19)
Yeah, sorry, was a failure.
Speaker 2 (1:01:33)
Having these environments where people can come in and safely make a mistake or safely assume something or test or whether it is a pen testing environment or a lab or so sorts. But, and it's also safely to ask questions to be like, hey, am I doing this right? Or is this how it is? Or having this open discussion that needs to be like more prevalent. Without getting patronized. Yeah. Without being told like you're wrong.
Speaker 1 (1:01:52)
without getting patronised.
Yeah, I'm not saying we do it the best in the world, but the way we do it is for our junior staff is they get to do the test first. Under close watch, they have methodologies to follow and stuff so that they know the guardrails, they've got to stay with them. But then somebody comes in after and does the proper testing. So you essentially get two tests. Yeah. But what happens then is the person who's the junior gets this freedom to go off and do what they think is right. And then they get to see, here's what you missed.
why you missed it. And then there's that education piece and over time that takes time, it takes a long time. Over time they start to learn, okay, I missed this because of that, I missed this because of that. Sometimes we've seen situations where some of the junior guys find stuff the senior guys don't and we never let them live it down. But it's building that path that they have the freedom and safety to do it is extremely important because...
Speaker 2 (1:02:41)
That's nice.
Speaker 1 (1:02:51)
Yes, arguably you could go out and get a pen tester every day. We put a role out, we get like two and a half thousand applicants. Maybe one of them is actually what we need. Because the vast majority of them just either haven't got the experience or don't have the skills or don't have the qualifications or just aren't able to articulate themselves in a way which we actually can put across their skill set and their value.
So building that pipeline that we can grow people into a role is extremely important for us because finding people is just as hard. So that learning path just gives them the room to grow. And yeah, there's been some horrific failures. Thankfully, we've never broken anything. Well, not there. There's been some breaks over the years. The juniors haven't broken anything.
Speaker 2 (1:03:21)
Good.
NDA.
Speaker 1 (1:03:42)
But I mean, if I think back when I was a junior pentester...
if someone had just given me the freedom to do it, I probably would have learned this stuff two or three times faster because I would have been able to develop the muscle memory myself. You know, you have your guardrails, here's your methodology, here's what you need to do. Here's your tools. This is what you're doing. You have somebody sitting watching you so that you know you're not going to make anything terrible. They're going to stop you before you do anything really bad. But you have that freedom to be creative and then Pentesting and Red Team and it's arguably a creative role in some senses.
And not in like an artsy way, but there is very much a creativity about piecing together all the little pieces to bring it all into an exploit. So giving them the freedom to develop that is extremely important. And a lot of companies don't do that. Like they just, you're in there until you get your OSCP, you're not touching anything and then OSCE and you're not getting anywhere else. Such a bullshit certification.
Speaker 2 (1:04:44)
I hate that.
Speaker 1 (1:04:51)
There's an intro.
Speaker 2 (1:04:54)
It is, it is a good start for people to start, but yes. To understand what it's about, but then just go watch YouTube video. I'm gonna pay 200 bucks to do
Speaker 1 (1:05:03)
I'm not looking for any libel case, but it's a load of shit. It's needed for some jobs, like in the US, but it's part of the There's some job you can't get without it. So that's why it's there. But even like EJPT, if I'm looking at two candidates, one's got EJPT and one's got CEH, I'm looking at EJPT. The great thing actually, if we talk about EJPT, I've done it. I did it for a lot.
Speaker 2 (1:05:25)
Yeah.
It's great cert
Speaker 1 (1:05:31)
I did it for fun because one of the boys says there's no way you'd pass it first time. Come on. The great thing about it is you need to understand the practical application before you can get anywhere with it. Because, not to spoil it, but the very first thing you've got to do is read a PCAP file. And what's in that is things that you would only know if you know what they are. You can't guess that.
Yeah, you can't guess that stuff. You can guess a multiple choice and get lucky. You know, I've done it. I've done it on a Microsoft example. That's probably right. I have no idea what I'm talking about. Well, hey, I passed 70%. That'll do. And that's a multiple choice. don't. Same with Pentest Plus, the CompTIA one. It's just we're talking about below foundational knowledge.
is I don't think it's something that people should focus on. And that's actually, if they think about giving back is, I can say to anybody watching this who's thinking about where to go if they want to do pentesting, don't waste your time on that crap. Do not.
just go straight to practical service, whatever that is for the country where you're in, which leads to the career path that you want to go to, because it's different in every one. Go for that. The difference that that'll make instead of spending six months learning how to pass CEH or Pentest Plus, you spend six months, for example, with OSCP or Crest CRT. Six months doing that, the skills gain is so much, so much further.
It's tough though. It's not easy. And that's, you know, I'm maybe saying all these things, but I'm saying all these things because I've been through it. So I know how tough it is, but I know it also can be done.
It doesn't mean they're bad, but it can be really tough for some people, especially exam situations are different from normal situations. They're not like CTFs. They're there to test a specific skillset. And if you've not got that specific skillset, you're not going to pass.
Speaker 2 (1:07:38)
I have one more question before we pivot into something that's sans cyber. Because it's more to do with UAE again, right? I think I asked all the guests this, right? And this is kind of one of the reasons I wanted to get this pod going, was to demystify this industry a bit. It's UAE, no tax, amazing salaries, kind of, right?
Speaker 1 (1:08:04)
Depends on who you are. Depends on you.
Speaker 2 (1:08:05)
But everyone wants to come here, right? It used to be that UAE, was a stigma about it, where it's like, what is UAE? And now it's, I want to move to UAE, because obviously it's been tough out in UK and US.
people need to understand a little bit about the UAE work culture. It's almost, I would describe it as not transactional kind-ish, but you're coming here, you're gonna get a great salary, but you're also gonna sacrifice a lot of the... Truthless. Exactly, the work ethic is drastically different. so I wanna ask you, what would you say is the negative side of working in this country?
Speaker 1 (1:08:48)
Probably the biggest negative is that there's always somebody better than you that will do it for less than you. Now that can be both a positive and a negative because it should motivate you to do more. But the negative is if you're coming over here as somebody who's looking for a career path is you're competing against people who will do it for half of what you want and have double the certifications and accreditations you do. That is probably the biggest negative.
For the country, that's wonderful. For the economy, that's brilliant. Because they get access to qualified skills for much less than anywhere else in the world. Maybe not everywhere, but certainly in this region. The downside is there's negative effects for people who are skilled or who are more skilled or who have more certifications or who have career history. You know, you're very much being compared on paper. You very rarely get a chance to
Speaker 2 (1:09:18)
you
Speaker 1 (1:09:45)
to put your point across from a career perspective. You're not going into a negotiation for a business deal. Your only opportunity is you've got a CV. And if that CV has two less certifications than the person at half the salary, most businesses are gonna go for the one that's got more certifications for half the salary. Obviously that drives salaries down. But there's good opportunity here. The negatives are vastly outweighed by the positives.
Everybody talks about tax and stuff, but I don't think that matters. I don't see that as a big issue. Whatever country you're in, your salary will be relative to whatever living style you get. So the living style you get here from a specific salary would be the same as in the UK. If you had the salary to emulate that, just you pay tax. So it's possible, whatever. I don't think the tax matters. And a lot of people focus on that like heavily. Yes, we need that. Especially the people from the UK. Yeah, I get my extra 20%.
Yeah you do, but lifestyle creeps really easy. It really is. You can very quickly blast through a month's salary in a couple of weeks.
Speaker 2 (1:10:52)
Really?
Don't go driving in D.I.F.C. if you like cars.
Speaker 1 (1:11:03)
Exactly, I don't go down the road to Abu Dhabi without the limiter on the speed. But another negative is because of those opportunities, there's so many people. So if, like I said earlier, if we put a job application out here, I will get thousands of applicants from people here and from people who want to come here. So going through that, I have to be ruthless. A lot of people use recruiters to help cut that down. I like to go through them myself because it sounds really, really weird.
But I like to see our team as a proper team. So I need to know everybody who's in it. I need to know them in depth. Eventually we'll get to the size where I can't do that. But for now I can. So going through CVs is a horrible process for me. I hate reading stuff. And I know that's kind of a contradiction because all it is write reports. I just, it's so dull and boring to me. So going through that many, I have to very ruthlessly
say, this is what I'm looking for, if you don't fit, sorry. And that's a negative because if you're trying to come here, if you're trying to get a new job, if you're to move, change career, whatever, unfortunately people like me are looking at thousands of CVs and have to draw the line somewhere. Yeah, yeah.
Speaker 2 (1:12:28)
I didn't know you didn't like CVs. I'm the opposite. I like seeing these people. You're like, this is what they're into. This is how they talk. This is their name.
Speaker 1 (1:12:35)
There's a Discord server called cyber jobs hunting, UK based. Yeah, and we used to do weekly CV roasts. I really enjoyed doing that because you got to be just pretty horrible. You read them to shreds live. Yeah. It was stuff like that. And genuinely, I spent a lot of time doing that. I would really invest my time in doing it to help people improve those. He needs to give them a better chance. So when I see CVs that aren't very good, I think back to the times when I did that, that's all recorded.
There's written steps, there's recommendations. It's like, you were just lazy. You either didn't know and ignorance, it's not really an excuse, or you were just lazy. It's so easy to make a CV good enough that it attracts the attention. It doesn't have to be the best thing in the world. I've seen some absolutely dreadful CVs over the years.
Speaker 2 (1:13:31)
So I said earlier, I want to pivot into a bit more of yourself, right? Because this is very much a people-centric podcast. You're clearly very much...
you're aligned with your business. You are a closed door security. Cloud security? You're very much closed door security. You personify it. And so part of that means to bleed cyber. It means to be the business, be the person to face and whatnot. But that's fucking exhausting. It must be.
Speaker 1 (1:13:47)
Where going?
is up.
Speaker 2 (1:14:04)
What is it that you do outside of this? how do you stay sane? Because I'm a musician, I stay playing music. What's that thing for you?
Speaker 1 (1:14:11)
So honestly, as I said earlier, at this point in time, it's been able to switch off and spend time with my wife. That's such a rare occasion and I enjoy it so much that that is my thing just now. Now, in the past, I've done all sorts. I used to go surfing, I used to skateboard. As I got older, I used to race cars. I was a rally driver at one point. I used to build rally cars. Shooting, absolutely love shooting, fishing.
boats, big fan of boats, planes, all sorts. Obviously a massive gaming nerd. Yeah, obviously. Not that anybody can see, but the Alienware bag sitting right next to me. I used to play Microsoft Flight Sim back in the day. Nice, nice. I had the proper yoke and stuff. Right on. Yeah. So now I occasionally spend some time gaming. Total War. Love Total War. Absolutely massive fan of Total War.
But I take so much pleasure in learning the business side of stuff that that's almost a break for me now. Nice. The sales, the running the team, all that, it's exhausting. It really is. Being this constant face and constantly under eyes and being watched is exhausting. But all the backend stuff, which people would normally find pretty boring, like accounts, regulations. I kind of like that.
Speaker 2 (1:15:38)
It's you. It's you. It's your name on it, right?
Speaker 1 (1:15:40)
Yeah, it's learning all that stuff is almost like a break and I'll find myself if I'm on a reasonably quiet day, I'll just do not disturb on Teams and like go build a tool to do something back end that maybe it takes me an hour to do a week and I'll spend six hours writing a tool for me. But that kind of stuff and all the back end business. But mostly like music, I love music. I've always got music on in background.
I don't know what Microsoft done with Teams, but the noise cancellation is wonderful. Pretty much every meeting I'm in there's music playing in the back. Nobody. Yeah, yeah, I've got a big Bluetooth speaker just sitting playing in the background. Nobody ever hears it. Nice. Usually you can imagine what it is. The traditional Scottish stuff as well. So mountain climbing love, love being in the snowboard.
Speaker 2 (1:16:18)
like you have it on the speaker.
Speaker 1 (1:16:36)
snowboarding so much. I actually met my wife snowboarding. But throughout my career there's always been something else and now there's not. It's all encompassing and it's exhausting
Speaker 2 (1:16:39)
Awesome.
Speaker 1 (1:16:56)
For those that are maybe parents, you might understand slightly, it's a baby. And it's not just any baby, it's my baby. So no matter how tired I am, I'm gonna look after it. I'm gonna care for it. I'm gonna feed it. I'm gonna clothe it. I'm gonna try and do the best and teach it and it's gonna teach me. That's the way I see it, is it's now beyond the point of it's just a business. I started a business. It's now, like this is my thing. I made this.
That's weirdly addicting.
Speaker 2 (1:17:29)
That's really cool. I'm glad you speak about it that way. This is again why I wanted to have you on was to really pick your brain about closed door. Having this conversation with you is kind of getting me inspired about this stuff. Because I've been planning my own thing as well. It's always been on my mind.
tied to the job and nine to five and whatnot. I do want to explore this avenue. And part of that for me is to learn how others do it. Yeah. And that's why I want to learn from you and figure out your perspective on it, how you started, how difficult it was, your mindset around it. And I'm going to speak to others as well, but like even just knowing it from you, man, it's been killer. 'Cause like it's now I'm like, okay, 'cause while you're talking, I'm thinking, how can I apply this? How can I put it into my own ideas and how can I
build something or how can I, where are those moments to me where I was feeling anxiety, where I was feeling the imposter syndrome and how should I think this way? And I think knowing how you did it kind of paved the way nicely. So it's nice for you to showcase that. You gave back to me, exactly.
Speaker 1 (1:18:33)
what you can say is I give back to you.
Genuinely though, I do the exact same thing. So we were talking earlier about meeting people who you just have no right to meet. I would deliberately try and put myself in situations where I meet people I have no right being next to, just so that I can see how do they portray themselves? What are they doing? If I get the opportunity to speak to them, I will ask them not about their business, not about, how did you become you?
tell me something that nobody else in this room knows. That's usually my question I go to is, how did you become you and tell me something that nobody else here knows? How can I apply your knowledge to me? it's really important to constantly be looking for that. As soon as you stop doing that, you're just gonna stop learning, you're gonna stop growing. So it's really interesting.
Speaker 2 (1:19:27)
Just kind of leave it a final question to you, man. I mean, like, is there anything you want to showcase? Anything you want to promote or think about?
Speaker 1 (1:19:36)
So I genuinely tend not to do that typical type of sales. But I almost want to put a challenge out there. Is that if you've had a VAPT done recently, give me a call and I will show you what a threat-led pen test looks like that costs the exact same, no matter how much it costs. I'll show you what it looks like and what the output could look like. And I think you will be very surprised at how much more useful it is.
Speaker 2 (1:20:05)
How can people get in touch with
Speaker 1 (1:20:07)
So LinkedIn, website, email, phone number, everything on the website. New website coming soon, because the current one is pretty bad now. There's a running theme here. I built it while I was drunk.
There's a bit of theme there in the early days. But thankfully not touched any alcohol for years now. But yeah, it's very, very easy to find me on LinkedIn. I'm the only one with CHCSP with William Wright. And yeah, I'm in Dubai quite a lot, in Qatar, in the UK, US, I'm all over the place. So I like to meet face to face.
Yeah, sometimes you have to do Teams, I'm much more a face-to-face person. I think it's very important for building relationships. I like to do business stuff in business and then go for lunch. I don't go for coffee. I go for dinner somewhere. Just sit down with somebody and get to know them because whilst, yeah, you maybe want a service.
We have to be a fit for you. There is an element of it's a two way street and we might not be a fit for everybody. So I need to spend time with somebody, understand the business and make sure that we actually are useful to them. Because it's very easy to not be useful and take the money and make no impact. That's not what I'm about. I want to make an impact. Nice man.
Speaker 2 (1:21:36)
Right on.
Speaker 1 (1:21:38)
So now the question for you though. Everybody watching something that nobody else knows.
Speaker 2 (1:21:43)
knows about me, about my career.
I'm an open book, everyone knows everything about me, that's the thing. Something, I gotta think about that one. Something about my career. It could be a good thing, I mean, training has been really fun for me. Like I mentioned earlier, it's been a...
Speaker 1 (1:21:51)
No, no, there's got to be something in there.
Speaker 2 (1:22:07)
It was always a struggle to figure out who I wanted to be, especially in cyber. I've said it before, I'll say it again. I absolutely despise this industry because it's soul sucking. But it's when I'm able to teach someone something or get an idea from my head out clearly and concisely to someone who gets it, they go, okay, that makes sense. I'm like.
I'm on cloud nine, man. It feels so nice. It feels so nice. And I really want to chase that some more. And again, this is why I started this thing, to talk to people like yourself, not just business owners, but also I want to get students on. I want to talk to lecturers. I want to talk to sales folks. Talk to tech recruiters. Because it's all cyber, isn't just hoodies and hacking.
Speaker 1 (1:22:50)
No, it's not.
Speaker 2 (1:22:51)
I despise that. Because there's so much more talent behind it than people think there is. And I think having this training skill set really helped me. Because man, I remember my first ever session I gave, I ran out of breath so quickly. It was tough. It was so, so tough. And I'm panicking, dude. I'm teaching this topic on SQL injection. It's like detecting SQL injection. Man. No.
Speaker 1 (1:23:05)
Here we go, now we're getting on to something.
Never heard of that.
Speaker 2 (1:23:19)
Fun fact, my first interview I had to describe what SQL injection was and I completely sweat through my entire shirt. I didn't have a vest on so you could see everything. I was teaching this group about a SQL injection, like detecting on the SIEM. And I had my scripts, you know, I prepared three days in advance. I'm like, okay, I know what to do. I've got my guide to go everything. And then the moment comes up and I'm like bricking it fully. Like these are people I don't even know. I hadn't met. I didn't have a training flow. I just jumped straight into it and what their names were. And I'm like so out of breath within the first 20 minutes. I'm like, I don't know what to do.
Speaker 1 (1:23:58)
You should not breathe in between sentences.
Speaker 2 (1:24:00)
I'm out of it. I'm out of it. And so it took me some time to get that flow of like how to teach. Okay, when do I breathe, when to not breathe? It's weird, man. Like I never thought I'd be doing that. Breathe through my hands. But yeah, it's been fun, training has been great, good, so I'm hoping to build upon that, do my own business that way as well. My favorite podcast guest
Speaker 1 (1:24:09)
Remember how to breathe.
So who's your favorite podcast? So far.
don't have to me.
Speaker 2 (1:24:26)
It's you, we're this lovely little room here.
Speaker 1 (1:24:31)
some really interesting people on. I've watched them all, think. Every single person I've learned something off. Which means what you are doing is already valuable for me because I've learned something. So if I'm learning something, other people are learning something. So means you're doing something good. Amazing, thank you for making an impact. I'm looking forward to whoever you get on next and then the one after.
Speaker 2 (1:24:53)
I've got one final question. Go for it. What's next for Billy Clava? We'll see.
Speaker 1 (1:24:53)
Yeah.
You will see there's something very interesting in the pipeline that will hopefully be absolutely hilarious. Yeah, keep an eye out for Billy Clava. Big shout out Billy Clava. He's off the rails.
Speaker 2 (1:25:13)
keep a lookout for.
William, thank you so much for joining. I appreciate it. Like I said, if you want to get in touch, obviously reach out over LinkedIn. I'll put everything in the show notes and put closed door and everything on the links.
Speaker 1 (1:25:34)
Thank you
Speaker 2 (1:25:38)
Awesome.
Nikhil Mohanlal (1:25:42)
Thank you so much for listening. If you found this episode valuable, please consider subscribing on Apple Podcasts or Spotify. Drop a review, a comment, and share it with your network. It'll help other listeners find the podcast as well. You can find the details of my guests and myself in the show notes. Or visit the website, cybytes.io, for more info on episodes, guests, newsletters, or sponsorship. See you in the next one.