The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
The Hacker's Cache
#0 Security Is Not Everybody’s Responsibility
In this episode, I introduce myself, Kyser Clark, and share my background in cybersecurity. I talk about my experience as a client systems technician in the United States Air Force and my transition into penetration testing. I also discuss my certifications and educational background in cybersecurity. I explain the purpose of this podcast, which is to provide value to the cybersecurity community and learn from industry professionals. I'll outline the upcoming episodes and the topics that will be covered. I conclude with a hot take on the responsibility of end users and the importance of designing secure networks.
Takeaways:
- Kyser Clark has a background in cybersecurity and worked as a client systems technician in the United States Air Force before transitioning into penetration testing.
- He has obtained several certifications in cybersecurity and is currently pursuing a master's degree in cybersecurity management and policy.
- The purpose of the podcast is to provide value to the cybersecurity community and learn from industry professionals.
- Upcoming episodes will cover topics such as offensive security, CTF competitions, penetration testing, and the correlation between cybersecurity and everyday life.
- Kyser believes that security is not everyone's responsibility and that the focus should be on designing secure networks rather than relying on end users to be vigilant.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
[Kyser Clark] (0:00 - 2:43)
So here's my hot take. Security is not everybody's responsibility. A person who is an accountant, they don't care about cybersecurity. And unless you put cybersecurity in a job description, people don't care. They go to work, get their paycheck, and then go home. That is like the majority of people out there. We can't rely on end users to be vigilant. All they care about is doing their job and they will take every shortcut that they can to accomplish that job.
Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you. Hello, hello, welcome to The Hacker's Cache. My name is Kyser Clark. I have six years of experience in the field. I currently work as a full-time penetration tester. I have numerous certifications and a bachelor's degree in cybersecurity management policy. I'm currently working on my master's degree in cybersecurity management policy.
So in this episode, which is Episode Zero, the first episode of this new podcast, I am going to talk about what this podcast is about. I'm going to introduce myself a little more than I would otherwise to the audience. I'm going to go into my background, because one of the things that I like to highlight on this podcast is the guests' backgrounds. And since I don't have a guest in this episode, which is by design, I want to put my journey into cybersecurity as the first episode, as well as expectations of what this podcast is.
Normally, I have a guest, and hopefully, this will be my only episode without one. I have the first five recordings of this podcast already recorded and edited and ready to go. I'm super excited to get this podcast launched and out for the public to view and listen to. We're going to dive into specifics of those episodes further in this episode. So stick around for that.
Who am I? My name is Kyser Clark. I started my career in 2018 when I enlisted in the United States Air Force as a client systems technician. Before that, I was basically working a bunch of jobs for six or seven years or something like that. I enlisted in the United States Air Force at the age of 24 as a client systems technician, which is basically a system administration role. That involves end-user troubleshooting, help desk support, onsite support, and everything from the computer to the wall. Anything inside the wall, like the network closet, was not my responsibility.
[Kyser Clark] (2:44 - 6:02)
My responsibility was to troubleshoot issues on client devices only. So not only computers but also printers, and lots and lots of printers. Let me tell you what, I have troubleshooted more printers than I would like. And anybody who's ever dealt with a printer knows how frustrating those things can be. But I got really good at troubleshooting printers. And that was one of the things that made me stand out in my career. I think even though I don't like printers, I did provide a lot of value to my users in my squadron and on my base, because I knew how to work on printers. And they didn't because who knows how to work on printers. Those things are super frustrating.
So not only did I do printers and computers, like I said, I did mobile devices. So I set up mobile devices for leadership, I probably set up hundreds of different mobile devices. And I've also worked with public key infrastructure, that's PKI. I manage user permissions on folders, so access control on different assets within the squadron. So when I first got in the Air Force, my first duty station, which is actually Kunsan Air Force Base in South Korea, which was the first time I've ever been out of the country, it was a wild experience. But first out of technical school, which is a school after basic training. So you go basic training, then you go technical school, and then you go to your first duty station. So I went to my first duty station. And I learned how to image computers, I put the standard Air Force desktop configuration on 1000s of computers, and then ship them out to the squadrons around the base. Then after I did that, for about three or four months, I started going out on the field on site to different buildings. And that's where I learned how to troubleshoot things on site. And that's where I learned how to develop these customer service skills. And after a year of doing that, I actually had two years in South Korea. So I went to the confocal point, which is basically a help desk, but it's more than a help desk. So we had to take instructions from high-level Air Force, and then we had to disseminate those instructions out to the rest of the base. And I had to coordinate all the trouble tickets between all the back shops because I was the focal point. That's why they call it a focal point. They get it ties all of the back shops together. And I was basically a middleman between the customer and the back shops. There was a lot of coordinating between, you know, the client systems shop, the network infrastructure shop, the cybersecurity shop, and overall, it was mostly IT work. However, there was a lot of security built into our configurations and our policies that we had to follow. So there was a lot of cybersecurity baked in, but it was mostly an IT position. So after two years in South Korea, I went to my next duty station, which was Elmendorf Air Force Base in Anchorage, Alaska. It's also known as Joint Base Elmendorf-Richardson because there's also an army base right next to it. And they basically combine the army base and Air Force Base into one. And that's why they're called Joint Bases. And then the abbreviation for Joint Base Elmendorf-Richardson is JBER. So if you hear me say JBER, that's what I'm referring to. So I spent the remainder of my career at JBER in network operations. And I was basically doing more or less the same thing. So I was doing imaging, I was doing end-user support on mobile devices, computers, access permissions. And it was more or less the same, but it was on a more personal scale. So rather than troubleshooting issues for an entire base, I was only doing for a squadron.
[Kyser Clark] (6:02 - 8:19)
Think of a base as a whole company, whereas a squadron is a single department in an organization. I'm kind of all over the place, but I said the remainder of my career, which my career was six years in total. And during my career and my free time, I was building up all my skills necessary to transition out of the United States Air Force and become a full-time penetration tester, which is what I am today. So the Air Force, the first certification they had us do, which was mandatory for my job, was the CompTIA Security+. And that is what got me hooked in security. I really enjoyed that certification. I enjoyed the aspect of cyber warfare and just defending a network against attackers. And I just thought it was such a cool subject that I wanted to make my career into cybersecurity. Because when I joined, I thought I was just going to be working on computers and doing IT work, which is what it was. But Security+ was mandatory for my job. And that's what got me hooked into security. After my first year in the Air Force, I actually signed up for college. And my major was cybersecurity management policy at the University of Maryland Global Campus, that's UMGC. And I have a minor in business administration. So I did that for four years and graduated and got my degree and then immediately rolled into my master's degree that I'm currently working on now. So technically I have a full-time job and I'm a full-time student and I make content. So my life is super busy right now. So if you ever reach out to me, don't take it personally. If I accidentally don't respond to your message, I've just, there's a lot going on right now. So please bear with me. And then my next certification was a Linux+. It was right around the time when I joined college that I decided I wanted to be an ethical hacker slash penetration tester. And the reason why I wanted to do that is because I thought ethical hacker was such a sexy title and such a mysterious title. And I knew it was going to be extremely hard to get into, but I accepted that challenge and I just studied, studied, studied, and worked my butt off to get to get there. That's really what it came down to. And the first thing I had to learn was Linux. Obviously, as a hacker, you have to know how to use Linux to learn Linux. I tried a few different things and honestly, I wasn't learning Linux. I was actually struggling at first. And I'm like, oh my gosh, I'm struggling on the first topic, the first area that's needed for this profession.
[Kyser Clark] (8:19 - 9:45)
So I went back to the drawing board and I remembered my pleasant experience with the CompTIA Security+. So I went back to CompTIA and went after the CompTIA Linux+. And that's how I learned Linux. Passed the certification. And once I got that certification, I was like, okay, the next thing I got to do is I got to learn networking. So when I decided to learn networking, I decided to go for the Cisco Certified Network Associate.
That's the CCNA, which is the most popular and probably the gold standard in network certifications. So I went and got that one and I actually skipped over Network+. And the reason why I skipped over Network+, was because Security+ is technically a higher level than Network+. And people assume that you have network knowledge if you have Security+. And trust me when I say this, if you have Security+, you do not have network knowledge. Let me say that again. If you have Security+, you do not have network knowledge. So after I got my CCNA, and I failed that certification the first time, by the way, by about a half a percent. So I barely missed that certification. So I had to go back to the drawing board and go through all the content again. And then I passed it on my second try. And once I passed the CCNA on my second try, I was like, well, I already know how to network. So I might as well just go for the CompTIA Network+, because why not? I can get the Air Force to pay for it, which is what I did. And I got the Network+, added onto that as well. I spent almost no time studying for Network+, because the CCNA is a much harder certification, more in-depth networking certification than Network+.
[Kyser Clark] (9:45 - 11:16)
And just in case you're wondering if I recommend Network+, or CCNA, I would go Network+, because CCNA is a little too in-depth for a cybersecurity professional, especially a penetration tester. You don't need to know how to configure Cisco routers and switches. You just need to know how networking works, which I think Network+, does that just fine by itself. With that being said, I'm super glad I had the CCNA. And I actually, my CCNA is about to expire, and I'm about to go through the Cisco CyberOps Associate certification, just so I can renew my CCNA, because I really like having the CCNA. And I don't want that to expire on me, because I worked so hard to get it. So after I got CCNA Network+, I went on to Python. Everyone says you have to learn how to program and you have to know how to code to be a hacker. And everyone says Python is the best language to start out with. And that's what I did. I started with Python, and I did 100 days of code challenge. And I just coded in Python for 100 days. And I still code in Python a little bit here and there. Honestly, with ChatGPT come out, I don't code as much now. I kind of have ChatGPT write all that code for me almost. And then I make modifications where necessary. But I still do think that 100 days of code allowed me to prompt ChatGPT to make programs for me. And when ChatGPT tells me things, I can actually read the code. And I know how to troubleshoot the code, because ChatGPT doesn't always give you the best code ever. So Python in programming is definitely a vital skill in this field. And then after I got Python out of the way, I moved on to the CISSP.
[Kyser Clark] (11:16 - 13:18)
And I actually didn't plan on getting the CISSP because I was still pretty early in my career. So at this point, I'm like four years in my career. So at my school, it's taking the last class textbook was the CISSP book. So I was like, well, if they're gonna base a course around the CISSP, I might as well get the CISSP after this course, which is a good course, because they make you read the book, and then they give you quizzes about it. And there's discussions about the topics in the book. And then I did a bunch of practice tests. And when I say a bunch of practices, I mean, thousands and thousands of practice, but probably at least 1500 practice questions I did for the CISSP because that exam is extremely brutal. And I actually got that certification pass on my first try. And it was no walk in the park. And I got it at like four and a half years into my career. And you're probably wondering, CISSP requires five years experience. That is true. But if you have another certification that's on an approved list, Security+ being one of those on the approved list, you can waive one year of experience. So because I have Security+, I could waive one year experience and I can get the CISSP that is a Certified Information System Security Professional certification at about four and a half years into my career. So after CISSP, I moved on to Cloud+, because I want to learn more about the cloud. And that certification was actually very beneficial to me. I understand cloud concepts, I understand cloud terminology, much better having the CompTIA Cloud+. So having that baseline foundation in cloud computing has been very beneficial for my career. Then after Cloud+, it was time for me to move on to the CompTIA Pentest+, because I want to be a pentester. So this one was an obvious one to get my feet wet into pentesting. And then after the Pentest+, I went and got the CompTIA CYSA+ as a cybersecurity analyst. And that one wasn't too necessary for my career. However, I did take a beta exam. And if you're not familiar with the beta exam, basically you pay $50, you take the exam that hasn't been tested. And if you do good, then you can get the certification for relatively cheap. The problem with it is there's no study material for the new version of the test. And you don't know exactly what's going to be on the test.
[Kyser Clark] (13:18 - 13:32)
It makes it incredibly hard to study for, but I didn't have to study for it because I had a degree in cybersecurity. I had the CISSP, the Pentest+, which is very similar to CYSA+. There's CompTIA cybersecurity analyst and the CompTIA Pentest+, they're on level playing fields.
[Kyser Clark] (13:32 - 13:43)
And one's just blue team and one's red team. And there's a lot of overlap between those two certifications. So because of that, I actually got the CYSA+ by doing minimal study.
[Kyser Clark] (13:43 - 15:50)
Then after CYSA+, I got the Certified Ethical Hacker, that's the CEH. So if you go to my website and you see the dates between CISSP and Python, that gap's kind of long in my opinion. But the reason for that is because I was actually going for the CEH in between those. And while I was studying for it, there was a lot of controversy surrounding the CEH and EC council in general. And because of the controversy, I decided, I was like, I'm just not going to get the certification. I don't want this to hurt my reputation. And I decided not to do it. But then later on, I was like, you know what? I already did the studying for it. I read the book. I was literally like 90% done with the study. So I was like, you know what? I might as well finish it. I honestly don't care about this controversy. I just want to learn terminology and definitions, which is what the CEH really was for. It doesn't teach you how to be a hacker. It kind of teaches you how to think like a hacker a little bit, but it really introduces you to terminology and definitions, which is what that certification is good for. If you're wondering, I don't really recommend, I'm not going to get into it too much, but that certification is a bit overpriced. And I'll probably make a whole video about the CEH on my YouTube channel in the future. Then after CEH, I got the EJPT. So that's the INE security, which is formally E-Learn Security Junior Penetration Tester, which is a very good certification for, if you want to get out of pen testing. And I got that certification because I wanted to get eventually. And I know the OSCP was a huge hill to climb and I needed to prepare myself before going to OSCP. So I thought the EJPT was a very good certification to prepare myself for the OSCP. And it did its job quite well because the next certification I got was OSCP. And I have a whole video. It's like 40 minutes long on my YouTube channel about the OSCP. And I actually have a blog post about the OSCP. So it's something I've talked about a lot. So if you're interested in my thoughts and how to pass the OSCP, definitely check those out. But I really love the OSCP. It gets a lot of hate and a lot of flack for various reasons, but I highly recommend it. The OSCP changed my life. The OSCP changed my career trajectory. And I don't think I would be a pen tester right now without the OSCP because it really does help you get a lot of interviews.
[Kyser Clark] (15:50 - 24:29)
And then my most recent certification pass was the OSWP. So that's the OffSec Wireless Professional, which is all about wireless hacking. I don't do wireless hacking in my day job, but it is nice to understand how wireless hacking works. And I passed that certification on my first try. And that certification is was a fun one to do. And I'm going to make a video about that one in the coming weeks. So stay tuned for that. So that's all my background. So like I said, I spent six years in the Air Force doing client system technician work, network operations work, and they actually changed the title to cyber defense operations. And even though they changed the title, my job really didn't change. So even though it was cyber defense operation,
it was still more of an IT type role. And I think right now they're trying to build, slowly build more cybersecurity into it. But by the time I got out, it really remained mostly unchanged. So after five and a half years of the Air Force, I decided to go into the Skillbridge program. If you're not familiar how that works, it basically gives transitioning service members, like I was, a chance to work for a civilian company in their final months of their active duty contract. So at the six month mark, I decided to go into a penetration testing internship. And I did a pen testing internship for a company which was real pen testing work. It was exactly what a pen tester would do day to day. However, that company wasn't paying me. I was still getting my pay and benefits from the Air Force. And the Skillbridge programs are really good for both the transitioning service member and the companies because the transitioning service member gets real world experience. And they can do that while they're still under contract in the military. And they don't have to pay for that person because the military is paying for that person. And they get, I don't want to call it free labor, but it's cheap labor at best. And it's a really good opportunity for the company to try transitioning service members out in their company before they commit to them full time. And unfortunately, I didn't strike a deal with my Skillbridge company. It wasn't a good fit for me. So I decided to look for other opportunities. And that is how I got my current position that I am in today. So I'm a full-time penetration tester at my current company. So yeah, that's my career in a nutshell. If you have any questions, you can always hit me up on the internet if you want. So now I want to talk about why this podcast. Why did I start this podcast? So the main reason why I started this podcast, I really came down to one thing, I wanted to create value for the community. And then furthermore, I wanted to network out and I wanted to talk to other industry professionals, and I wanted to learn from them. And I thought the podcast was a great forum for that. And the fact that they're recorded in the fact that they're on the internet, for everyone to access means that everyone is going to get the same value that I'm getting out of these conversations, because I'm getting professionals in my field, and I'm learning from them. And I'm applying that into my day job. And hopefully the goal of the podcast is for you to do the same whether you're new or experienced in the field and really learn and grow from this podcast. I also want a no-nonsense podcast. So I'm sure a lot of people listening or watching this podcast, they probably run into a podcast or it's like, you know, they spend the first 10 minutes 15 minutes, you know, talking about random stuff before they even get into the topic at hand. You know, like, man, I just want you to talk about the topic. So first and foremost, we get straight to the point here on The Hacker's Cache. And that's one thing I really pride myself on because we really stick to the topic of hacking and cybersecurity. There are off-topic conversations, but they are very rare, and they have to be earned. So what I mean by that is from Episode One, going forward, there will always be a rapid-fire question round. And in those rapid-fire question rounds, the guests will get 30 seconds to answer five questions. And if they answer all five questions in 30 seconds, then they get a bonus sixth question that's unrelated to cybersecurity. And that is the only way an off-topic conversation will happen. And when it happens, it won't last for very long. And in my opinion, it's a fun question to talk about. So that's what I mean by off-topic conversations have to be earned on this show. So the goal of the podcast is to provide value to viewers and listeners every week for years to come. And while there will be topics that are continuously brought up, you receive a different perspective, since the guests on the show will always be the star of the show. And their perspectives are unique. The goal of this show is to get value and information from the guest. And I try my best not to interrupt the guest. And I try my best to speak less than the guest because the guest, like I said, is the star of every single episode, not me. Next, I want to talk about what to expect in the near term. So let's just talk about the first five episodes after this episode. And like I said earlier, I've already recorded five episodes and are fully edited. So I really do know what these episodes contain. So Episode One, the guest is Joshua Raglin. And Joshua talks about the importance of offensive security, the cybersecurity skill shortage, strategies for excelling in CTF competitions, and the correlation between cybersecurity and everyday life. Josh also shares insights on preventing burnout and the impact of cybersecurity attacks on society. Episode Two will feature Val Vask and Val will share his insights on his journey from intelligence analyst to penetration testing and red teaming. He discusses certifications, the Metasploit Pro Specialist, the relevance of education and cybersecurity, and the transition from penetration tester to senior penetration tester. He also provides valuable advice on training, note-taking and maintaining technical skills as a leader in cybersecurity. Episode Three features Robert O'Connor, who shares insights on his journey from IT intern to senior analyst to penetration tester, discussing certifications, specialization in active directory assessments, and the challenge of transitioning into pen testing. The conversation also talks about the nuances of different types of pen testing, the impact of imposter syndrome, and the evolving landscape of pen testing roles in the industry. Episode Four is Christopher Johnson, who shares his journey into offensive security, the challenges he faced, and the importance of continuous learning and perseverance. The conversation also talks about the significance of different certifications, the value of practical experience and the need for clear differentiation between vulnerability assessments and penetration tests. Additionally, at the end of that episode, I talk about the relevance of LinkedIn for career growth and networking within the cybersecurity industry, which goes perfectly into the next episode, Episode Five, where the guest is George Raeleneau, who discusses the importance of mentoring, strategies for finding a mentor and the benefits of building a strong network in cybersecurity. He also shares advice on continuous learning, dealing with imposter syndrome and burnout and the value of paying it forward in the industry. Going forward, there will always be a strong emphasis on the career journeys of cybersecurity professionals, since everyone's journey is unique. And just in case you're wondering, this is not a technical podcast. We might talk about some technical aspects, but overall, don't expect me or the guests to make you an elite hacker. You can expect us to point you in the right direction to become a hacker though. Let's talk about what to expect long term. So for the first two years of the show, there's a strict requirement of offensive security professionals only. And what I mean by that is to be on the show as a guest, you have to be an active practitioner in offensive security. Now that doesn't mean you have to work full time as an offensive security professional. For example, the first episode with Joshua Raglin, he's a full time blue teamer. But I let him on the show because he is doing Hack The Box every single week he has OSCP and he is actually an ethical hacker. So between years two and four, I plan on having a 75-25 split between offensive security pros and other cybersecurity pros, such as blue teamers, government risk compliance, GRC, etc. Years four and five, I plan on having a 50-50 mix between offensive security professionals and general cybersecurity professionals. Years five to six, I plan on going back to the 75-25 split, but in favor of more general cybersecurity pros. So as time goes on, you're going to see less offensive security professionals and more general cybersecurity professionals. Now that doesn't mean we're not going to talk about offensive security and ethical hacking, quite the opposite. Actually, I'm going to bring these guests on the show. And we're going to talk about threat actors, we're going to talk about their perspective of offensive security as a blue teamer. For example, I'll ask a blue teamer, hey, you guys get red team assessments, or you guys get penetration tests, what makes a good penetration tester from a customer point of view and other conversations kind of like that. And then after six years, I plan on opening the floor up to be even more general. And I'll invite other IT professionals such as network engineers, system administrators, help desk professionals, cloud engineers, and we're going to talk about offensive security and cybersecurity from their lens from the non-cybersecurity professional point of view.
[Kyser Clark] (24:29 - 30:23)
And that pretty much wraps up everything about this podcast that I want to convey to you. And I think I talked about my background enough for you to really understand where I'm coming from and where I'm trying to go with my career in this podcast. That brings me to the final question that every single guest on this show will have to answer. And that is, do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share? But before I answer that question, I want to give a story. So my goal was to have everybody drop a hot take and just put it on the air because hot takes are fun, hot takes are great. But I realized that not everybody wants to do a hot take. Not everybody wants to rock the boat. Not everybody wants to light the fire. And one of my guests actually brought up a concern. It's like, I don't really want to do any hot takes. Can I just skip the question? And I was like, okay, let me make it to where they can do a hot take or share additional wisdom. So it's really a forum for them to
just talk about whatever they want. And because I wanted to do the guests originally to do hot takes, I have to do a hot take here. And my hot take is definitely unconventional, which is what makes it a hot take. So here's my hot take. Security is not everybody's responsibility. When you say that, I just cringe. And why do I cringe? Because security is not everyone's responsibility. So as I said earlier in the show, I worked as a system admin, and I've troubleshooted and I fixed thousands and thousands of issues, thousands of problems. I've interacted with hundreds, maybe even thousands of different people. And one common theme persisted between all of them. They did not care about technology. One of the things that made me really good at my job was because they appreciated me because I was good using technology and they didn't know how to use technology because they didn't care because they had a different job to do. And I think that correlates into cybersecurity as well. So a person who is an accountant, they don't care about cybersecurity. They care about accounting. An HR person doesn't care about cybersecurity. They care about people. The custodian doesn't care about cybersecurity. The custodian cares about being a good custodian. And unless you put cybersecurity in a job description, people don't care. Because at the end of the day, if the company gets hacked, they don't care. All they care about is their paycheck. They don't care if the company has to pay millions of dollars. It doesn't affect them. I mean, it does because the company is going to be impacted by that. But at the end of the day, most people don't care about their company's bottom dollar. They go to work, get their paycheck, and then go home. That is like the majority of people out there. And as someone who used the word dead-end jobs, one of the major problems looming within the company, you just don't care because all you care about is that paycheck. We can't rely on our end users to be vigilant. We can't rely on our end users to do the right thing because all they care about is doing their job and they will take every shortcut that they can to accomplish that job. And back to my system administrator days, we circumvented tons of security controls to get the job done because my job as a system administrator was to make things work, to make things functional, to fix problems. My job wasn't to make the network secure. Now, technically it was, but at the end of the day, what my users cared about was the network working, was their computer working, was their phone working. And if I had to break a cybersecurity policy to make it work, you bet your bottom dollar, I would do it. I would do it every single time. Me and my co-worker, which is my supervisor at the time, he's a really good friend now, he coined the term gray hat sysadmin. And what that means is he broke rules. He broke cybersecurity rules to make things work, to make the end users happy because when the end users weren't happy, they complained to my leadership. And when they complained to my leadership, I got in trouble. So IT workers don't even care about cybersecurity. IT workers care about things working. The only people, and I truly, and I really mean this, the only people who care about security are security professionals. And we have to stop this nonsense of shoving security down our throat. They pay us to secure the network and they expect us to secure the network. We have to design the network policies and procedures in a way that to where if the end user does something that jeopardizes it, it doesn't spread across the network. And that's really where we should be focusing our attention at. Don't set the end user up for failure because they're going to click on links. They're going to accidentally give the wrong information over the phone. They're going to let people tailgate in the building. They're going to let all this happen because that's human nature. There's entire books written on this. So my argument going forward is don't expect end users to do the right thing. Build the network, secure the network, expect your end users to mess up. And your goal is to limit those incidents as much as you can. Think of your end user as a child. Now this is probably a really bad analogy, but just picture the end user as a child. And your goal is to, you know, make the environment for the child safe. You would never throw your child in a dangerous situation. You would always put them in a situation to where if they fall down, they're not going to die. Right? Like a sandbox, for example, like you could put a kid in a sandbox and they might fall down. They might scrape a knee or something, but they're not going to get seriously hurt. And that's, that's kind of the, how we should approach cybersecurity, in my opinion. And that's my thoughts on the matter. And that's my hot take. That's something I've been wanting to say for a long time on the air, and I'm glad to get off my chest. Hopefully I'll see you in the next episode and then connect with me on LinkedIn. I'm on LinkedIn all the time and check out my website, kaiserclark.com. But if you had to do one thing, just check out the next episode. If you got this far in the episode, thank you so much for your time. Thank you so much for your attention. And I hope to see you again soon. This is Kyser, signing off.