The Hacker's Cache

#69 Why He Left a Safe Job to Hack Companies for a Living ft. Jim Schultz

Kyser Clark - Cybersecurity Season 2 Episode 70

In this episode of The Hacker’s Cache, Kyser Clark sits down with Jim Schultz, an OSCP-certified penetration tester, cybersecurity instructor, and consultant with over 15 years of experience. Jim shares his journey from taking apart his first family computer in the 90s to teaching hundreds of students and returning full-time to the world of ethical hacking and security consulting. They discuss how writing skills can make or break a pentester, what academia gets right (and wrong) about cybersecurity education, and why networking and mentorship are crucial for breaking into the field. If you’re pursuing the OSCP, CPTS, or a cybersecurity career, this episode is packed with practical advice and real-world insight. 

Connect with Jim Schultz on LinkedIn: https://www.linkedin.com/in/jamesrschultz/



Music by Karl Casey @ White Bat Audio

Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

Opinions are my own and may not represent the positions of my employer.

[Kyser Clark]

Do you have any tips on how to improve writing since you went through the struggle?

 

[Jim Schultz]

For sure, you know, I would definitely say, you know, practice and then get feedback from people that you perceive as good writers. It's really difficult if you write something and then you read it like 20 times and tweak it 20 times. It's really valuable to get feedback from others, right?

 

So like as an example, my wife, she's a much better writer than I am, and like especially when I was doing things like the OSCP and the CPTS exam, I'm like, what do you think about these mock reports I've written for like this box? I didn't hack the box in that. So, you know, I'm going to have to write this for real, right?

 

And it's not like, you know, something where I send it to my boss and he can give me feedback back and forth that goes, you know, directly quote unquote to the client. So yeah, work with people that you're comfortable with that you feel like can help coach you.

 

[Kyser Clark]

Welcome to The Hacker's Cache, the show that decrypts the secrets of cybersecurity one byte at a time. I'm your host, Kyser Clark, and today I have Jim Schultz, who is an OSCP certified cybersecurity consultant and penetration tester with more than 15 years of hands-on experience. He's worked across application security, incident response, and GRC, while also spending years teaching cybersecurity at the University of Wisconsin-Milwaukee and Waukesha County Technical College.

 

Jim now focuses full time on consulting where he helps organizations strengthen their defenses through penetration testing, secure code reviews, and strategic security assessments. So Jim, thank you so much for hopping on The Hacker's Cache podcast. Go ahead and walk through your background and introduce yourself to the audience.

 

[Jim Schultz]

Yeah, well, thank you for having me. Again, my name is Jim. I guess I'll start probably way back from the beginning.

 

So I've been in technology and IT kind of like my entire life, and I'm a child of the 90s kind of set the stage for this. So think about, you know, growing up in the mid-90s, you know, Super Nintendo, eventually Nintendo 64, Game Boy with Pokemon. I really enjoyed the concept of, like, this technology getting delivered to your hands on these cool innovative screens.

 

Growing up, I loved the idea of the future. So, like, for me, like, I really wanted to figure out how these devices worked. My friends, you know, we had GameShark, cheat codes.

 

It's like, oh, there's, like, ways you can kind of sidestep, you know, the intended path when you're working with tech. So really kind of at that point, like, I thought this stuff really kind of piqued my curiosity, and I really wanted to get more into that. At that time in the 90s, especially, like, most people didn't have, like, a computer at home, and if you did, it was, like, a family computer everybody would share, right?

 

So after, like, years of pleading, this is what felt like years, you know, as a kid growing up, time seems to move, like, quite slow. I convinced my family to get, like, our first family computer, and that's when I really kind of fell in love with IT and kind of when I really realized, like, this is going to be my path in life. So, you know, late 90s, no one else in my computer and my family knew anything really about computers or IT, but I knew I really wanted to figure out how this thing worked because I was so, like, just interested about this thing you could load applications on and would connect you out to the internet.

 

At the time, we had dial-up, but super curious to learn. So what do you think, you know, you know, at this time, like, a 10-year-old kid would do to get the first family computer? Super excited.

 

I had decided to take it apart, and my parents were super pissed off. It's a big, expensive computer, and my dad at the time, he was like, well, you took it apart. You have to figure out how to put it back together.

 

Inevitably, I did, and I loved that experience. I wanted to learn more, but I didn't really have anybody to help me, right? So what do you do in the late 90s when you want to learn more about computers, right?

 

You don't have any friends that are into that stuff. Your parents are kind of, you know, like, well, that's, this is Jimmy. He's interested in that thing.

 

We don't really know how to help him. I found out how to get online and then through internet relay chat, I got to meet a lot of really interesting folks that would teach me a lot about computers, but, you know, it wasn't just like the good guys on IRC. There are a lot of people kind of in the gray, right, that would teach you all the cool things you could do with them, and they got me super interested.

 

And I learned how to, how to build websites just kind of by reversing, you know, like in the 90s, you know, view source and see how you can mess with the HTML. Learned about, you know, server-side scripting primarily with PHP, about databases and networks and Linux. And I really loved that whole experience.

 

So then of course, right, kind of going through middle school, typical, you know, nerd back in that day. And I really, really, really wanted to like work with computers for a job. And when I got to like 14, 15, I started looking for computer jobs where, you know, a company would actually hire like a teenager to do some work.

 

And they were pretty much nonexistent. And my dad at the time, he was an entrepreneur and he's like, well, you're really good at this stuff. And there's probably like a, you know, a career in this for you.

 

That's, that's probably pretty lucrative. And he ran a business and he's like, how would you like to build my business, a website and host it? And you could start maybe a company doing that.

 

So he really kind of pushed me to be an entrepreneur. And I started a shared web hosting company doing like web development and hosting for primarily companies like in the, in the Milwaukee, Wisconsin style area, but also had some clients kind of based all around. I love that experience.

 

It really taught me a lot about how to run a business. It taught me a lot about how to use Linux properly, right. How to build applications.

 

And that was great. And at the same time, going through then high school, I got really interested in like wanting to learn more. So I had an opportunity to go to my local technical college, Waukesha County Technical College.

 

And that was a really good experience. So I spent essentially like, you know, maybe five or six hours at high school and then I get released. And then I would at night go and take classes at our local tech college.

 

Programming classes, database classes, networking classes, there weren't really security classes at the time. But I love that. I enjoyed that.

 

I kind of ate that up. And then I'm thinking about the next step in life. My parents, they're like, well, you really need to get like a four-year degree.

 

This was an associate college I was at. I'd gotten most of my associates degree done. But they said, you should really get a bachelor's degree.

 

And I said, yes, mom and dad, I love you guys. I trust your judgment. So I started looking for places to go.

 

I knew at the time I didn't want to spend like a lot of money and I knew I had a lot of college credits. So I thought, okay, where's maybe a place that I could transfer my technical college credits to university to maybe get my undergraduate degree done a little bit faster. And that kind of led me to the University of Wisconsin-Milwaukee.

 

So most college, you know, seniors, what they do, they go to a bunch of places, talk with people. I went to the University of Wisconsin-Milwaukee. I actually ended up meeting the assistant dean for the program that ended up going through.

 

And he's like, wow, he's like, you seem pretty motivated as like a senior in high school. I can tell you really want to learn about IT and you really want to apply this like on the job. And I got actually hired my senior year in high school to do like desktop support at the university.

 

That was a really good experience. I really enjoyed that. And this was like at this time around like 2008.

 

So like for me, that got me like, again, like all those like curiosity things about security started coming back because like the university back in 2008, it was kind of a wild place, right? Universities don't usually have a lot of money for IT. There's a lot of researchers with way different needs.

 

So like as an example, and this is not the way things are anymore, but we had essentially like a slash 16 allocated to the university. Each device directly connected with a public IP address to the network. And for the most part, these devices were all unmanaged, right?

 

So it was kind of a really interesting environment. I got to see a lot of things and I started thinking like, things could probably be done a little bit better, a little bit better. Again, doing desktop support, kind of leading into like the geniuses admin territory.

 

Like it was a lot of trial by fire, but they got me tons of experience and really kind of allowed me to grow when I did my undergrad. And the cool thing is, I was able to get my undergraduate degree done faster. It took me three years.

 

So if you're thinking, hey, if you're in high school right now, if you're thinking, hey, should I go to that local tech school and get some classes knocked out? Absolutely, because that can save you a lot of money if you want to go to like a four-year school. But when I graduated from my program, I timed up really well because my boss at the time, who was kind of like a jack of all trades, sysadmin slash IT manager for this distributed IT department, primarily managing technology for the IT classes, our labs, servers, kind of custom infrastructure to make online learning work.

 

And like, you know, the mid 2000s, he left and I was able to kind of take on his job. And that was a super good experience for me. And one kind of unexpected thing with that is, I had a lot of opportunities to hire student employees and mentor them, get to show them, like, this is how you image a device.

 

This is how you troubleshoot drivers. This is how you like build like a basic, you know, bash script, things like that. And I really kind of enjoyed that.

 

Eventually, the department kind of grew. I got, you know, up to one point, maybe like 20 or so students and a couple of full-time people kind of under my wing, you know, a web developer and kind of like a service desk lead. And I really enjoyed that mentorship piece while getting able to do a lot of different things.

 

I was managing our computer labs, our servers, you know, Active Directory environments, building some custom apps. It was a lot of fun. And I had the opportunity then to also then get to consolidate a lot of them into like the central IT as security, you know, matured right out of the university.

 

You think about like every device connected with a public IP address to now like the 2015s, security becoming more of like, you know, a thing that the university and organizations needed to take care of. So a lot of cool ways then to harden that environment and do that. And that was a lot of fun.

 

And at that point, I was maybe like getting close to being like 10 years into my career. And I kind of wanted to change, right? I enjoyed working at the university.

 

I got a lot of time off. So I was able to travel the world. Between that and my teaching life, I wanted to maybe, I've been to maybe like, you know, 30 different countries, which I really kind of enjoyed.

 

I was kind of a jack of all trades, and I really wanted to do more security work. And as I was doing my full-time role, sysadmin, I also then kind of fell into an adjunct instructor role, which is where essentially you teach like maybe one class at a time. Like a lot of folks do this, like you should night class, but they still work full time.

 

So you work your nine to five. Then you get to go and teach a class, which I really enjoyed. I was doing a web application development class, a networking class, and security classes.

 

I'm like, hey, maybe this is an opportunity. And this was kind of around the start of COVID, when I was getting kind of burned out with all the mergers, the consolidations. Like maybe this is a way for me to kind of pivot and learn security, teach security, and have, you know, a really kind of positive impact on my community.

 

So I did that around 2020. I switched over to being kind of a full-time IT and security instructor. That was great.

 

I learned a ton. Like that's when I got really into Hack The Box, right? A lot of fun.

 

At that point, my security expertise was a lot of like figuring out how things worked, right? Managing incidents, things of that nature, working with other teams around the university. But like the whole CTF thing, like I loved doing that and talking about like CTFs, Hack The Box, how to learn this stuff in my classes.

 

That was a lot of fun. But the classes at the four-year institution, they were like very academic. Like I think for those of you that are watching this, if you've taken like a college class, there's definitely like a high likelihood it's like essentially just like a professor goes up there and reads through a slide deck, right?

 

So you're not really learning a lot of like the hands-on keyboard stuff that I personally love, right? Or even practicing the soft skills that I think are super valuable for this field. It's more so just like learning the book material.

 

And I'm like, man, like there has to be a better way I can learn this, practice this, and get that hands-on experience that I was really kind of missing. So at that point, you know, I thought back to when I was at the technical college. I had like a lot of really good experience taking those hands-on keyboard style classes.

 

And that technical college was just like 15 minutes from my house versus the University of Wisconsin-Milwaukee, which is like, you know, 40 minutes each way. So I looked at, you know, the job board one day and there was an opportunity for full-time cybersecurity instructor. So interviewed, I got the job and I loved that role quite a bit.

 

That was around like 2022. And I liked those classes a lot, all very much like hands-on keyboard, practical. I primarily taught like ethical hacking, web app security, but also, you know, firewall security, log and threat analysis, security one, security two.

 

I'm in a bunch of their classes and I also had the opportunity to work on with our cybersecurity club as a coach and a mentor. And I got to teach and coach National Cyber League, CCDC, which is the collegiate cyber defense competition. Got to give even most recently talks at conferences like CypherCon, which is kind of the one of the largest IT conferences here in Wisconsin, do a lot of really cool things.

 

So love that job. My colleague, Mark, if Mark, if you watch this, I really miss working with you. A lot of good experiences, but after teaching full-time for about four years, I really, really missed like doing real IT work.

 

Right. So what did I do? Right.

 

I thought about how could I start maybe doing some work, maybe part-time to keep, you know, pique that interest. And as it happens, the individual that I replaced in my teaching job, his name was DJ Vogel. Before he was a teacher, he started a company here in the Milwaukee area called 403 Labs.

 

He sold that company and then kind of was thought, you know, maybe I'll go and teach for a few years. Left, I took his role. But the cool thing is I got to kind of know him after I kind of stepped in his role, we kind of became friends.

 

And he started a company called GoScale, where I get to work today. And today's recording this actually just realizes our two-year anniversary of GoScale, which is pretty cool. But talking with him, I had the opportunity to join on as like a part-time consultant.

 

And that was pretty awesome. That's when I met my colleague, Trent Miller, who's been on the show as well. And I started doing that about a year ago.

 

Really love the part-time work, but it is tough to work a teaching job where you're working 40, 50, 60 hours a week, and then find time, right, to do the consulting stuff. And leading up to that consulting job, I did a lot of studying, a lot of prep. As you may see, if you look on my LinkedIn, I did the OSCP.

 

That was a lot of fun. I did the OSWP, which was the wireless one. And then, of course, Hack The Box, the CPTS, the CBBH, those exams, I don't know how people can take them unless you have a summer, quote-unquote, off as an educator, right?

 

They're like 10-day exams. Very hard. I love that.

 

And then, of course, really wanting to do that, then having conversations with my predecessor, like, hey, how can I be involved? Then doing the part-time consulting, and it was a lot. And I had to make a choice this past spring.

 

Do I try to do both? Do I stay as an educator? Or do I go and kind of jump back into a full-time practitioner role?

 

So I jumped back into the full-time practitioner role now as of June. And yeah, full-time consulting, primarily doing pen testing in the application world. So web apps, APIs, cloud infrastructure, embedded systems testing, plus a whole host of other things, like incident response and GRC compliance work, kind of all over the board.

 

And I love all that because it definitely keeps my mind happy, being able to see and do different things. And doing like the IR work and the GRC work, that helps my testing abilities so much because I can apply those different perspectives as a tester and vice versa. And that's kind of how I got to where I am today.

 

[Kyser Clark]

Nice. What a story. I mean, that was what an introduction that your career is also your life story, it feels like, which is really cool.

 

[Jim Schultz]

You've been doing it for a long time. This is my jam.

 

[Kyser Clark]

Yeah, that's great. Yeah. I wish I was as early as you did.

 

That's great that you had that support system that helped you make it a career. So that's really cool. So before we get into further in the show, let's go ahead and do our Security Mad Libs.

 

Mm hmm. And for those who don't know, Security Mad Libs, Jim will have 40 seconds to answer five questions. If you answer all five questions in 40 seconds, you'll get a bonus sixth question unrelated to cybersecurity.

 

And then we'll have a discussion on that. My stopwatch ready? All right, here we go.

 

Pressure's on. All right, Jim, are you ready? I think I am ready as I'm going to be.

 

Your time will start as soon as I'm asking the first question. Jim, my favorite terminal theme is whatever is default. Most brutal feedback I've ever received was your writing.

 

Sorry, the riskiest move I ever pulled off during a test was the put operation. The weirdest pen test report request I got was to know.

 

[Jim Schultz]

I don't know. Oh, my gosh. Everything.

 

Everything is so real. My gosh, what can I say? I don't know.

 

I'm out of time. I'm out of time. I don't know.

 

[Kyser Clark]

You can pass if you want.

 

[Jim Schultz]

I'll pass. Yeah.

 

[Kyser Clark]

If I had to explain hacking to a grandparent, I'd say it's like a home inspector. Do you want to go back to the weirdest pen report request or you can't go with them?

 

[Jim Schultz]

Weirdest question. OK. Weirdest request on a pen test, I would say probably to look in a very specific individual.

 

[Kyser Clark]

That was over a minute. You know, that was failed.

 

[Jim Schultz]

I failed. That's OK.

 

[Kyser Clark]

That's OK. That's a hard question. I mean, I would think a long time for that one, too.

 

[Jim Schultz]

I see so much weird stuff all the time every day. That's yeah, that's OK.

 

[Kyser Clark]

The weirdest pen test report request that I got, which isn't so weird now, but at the time it was was because I was like, well, I was getting my first pen test position, which is actually my current position. I'm still in my first position. You know, I have clients always arguing findings like, no, that's not a finding.

 

That's too high. Like it needs to be downgraded. Like this makes us look better or worse than what we actually are.

 

Yada, yada, yada. And then I went to my client. I was like, hey, can you up the severity?

 

I'm like. Huh, why? Well, it turns out that some clients will actually ask you to up the severity, which helps them justify more of a budget and more help when it comes to security.

 

[Jim Schultz]

Yeah. Companies get pen tests done for all sorts of reasons.

 

[Kyser Clark]

Yeah. So, yeah, I didn't realize that. I didn't know that companies use pen tests to like help justify security budgets and to get some backing by the company leadership and stuff.

 

So your most interesting response, man, your most interesting response was the most brutal feedback I ever received was your writing. It's interesting, but you want to explain like why that happened?

 

[Jim Schultz]

Yeah, I mean, yeah, and yeah, this is this goes back a while, right? So like, you know, again, thinking back, like I'm a very like tech minded person, right? Growing up in particular, like I did not take like the spelling, English grammar classes, classes seriously at all.

 

So when I first started getting into IT, I think about like writing reports, right? Even like as a sysadmin at a university, you need to write them professionally, right? And I was not a good writer.

 

My assistant dean at the time, very nice guy, but also very candid. He's like, yeah, your writing is crap. Like you need to work on that.

 

And that's when it kind of hit me. Like I really need to work on that. And let me tell you, it's way more difficult to work on improving your writing in your 20s than when you're like 10, 15 years old, right?

 

But for sure, yeah, not a good writer, still not the best, but it's something you can work on and improve.

 

[Kyser Clark]

Yeah. And that's something that a lot of professionals harp on in our field is like, you got to know how to write. It's a soft skill.

 

We talk about soft skills a lot in a general sense, but that's just one of many soft skills that you have to have. And that's why like the certs that require report writing are some of the more softer certifications you get because report writing isn't easy and writing a good one is like what separates certain... It's what separates you as a pen tester, I think a little bit.

 

[Jim Schultz]

Yeah, it is your work. It's what the client sees. That's how they perceive the quality of your work.

 

A lot of times, they don't really care how much you found. They just care about how it's presented and how it's communicated.

 

[Kyser Clark]

Yeah. It reminds me of that saying, it's not what you say, it's how you say it. Mm-hmm.

 

100%. Yeah. And your pen test report, that's your product.

 

That's what you hand to the client. That's what they pay for. It's important to get that right.

 

Yeah. Do you have any tips on how to improve writing since you went through the struggle?

 

[Jim Schultz]

For sure. I would definitely say practice and then get feedback from people that you perceive as good writers. It's really difficult if you write something and then you read it like 20 times and tweak it 20 times.

 

It's really valuable to get feedback from others. So as an example, my wife, she's a much better writer than I am. And especially when I was doing things like the OSCP and the CPTS exam, I'm like, hey, what do you think about these mock reports I've written for this box that didn't hack the box in there?

 

So I'm going to have to write this for real. And it's not like something where I send it to my boss and he gives me feedback back and forth that goes directly, quote, unquote, to the client. So yeah, work with people that you're comfortable with, that you feel like can help coach you.

 

[Kyser Clark]

That's good advice. Yeah. I just, I just wrote my first report for when I did the OSCP.

 

That was my first like pen test report that I did. I did write like some Hack The Box blogs, I guess, but I never like submitted like a deliverable until I did the OSCP. It took me forever to write it.

 

And I, I, I read it over 20, 30 times. And after I submitted, I read it over like another seven times.

 

[Jim Schultz]

Same. And it's like, I kept finding like small grammatical things, right? Things that should have been in there that you thought were in there, but the 10th time you read it, you're like, how did I miss that?

 

Right.

 

[Kyser Clark]

My report, I was, after I turned it in and it was like my sixth time reading through the report again, cause I had nothing better to do. Cause I, I had to, I had to go to Japan for an Air Force thing on a last minute whim and as soon as I was done with the exam. So I'm like flying on this plane all the way to Japan, super long flight.

 

I'm like, Oh, I had nothing to do about reading this report. And I, every time I read it through, I found a new error. I'm like, Oh my gosh, I'm going to fail.

 

I was like, the technical details are here. I got the flags, but I'm making these errors. Like one time I like one of the ones errors that I made was I wrote like, you know, I'd give the sections number.

 

I'd be like, okay, section three dot four, section four dot four, section four dot five. I did like section four dot four twice in a row. And I'm like, bro, what, what am I doing?

 

[Jim Schultz]

Yeah. It happens to all of us.

 

[Kyser Clark]

So going back into your academic period of when you're as an instructor. So you've taught hundreds of students and you did mention that you thought academia had like lacked hands-on skills. Yeah.

 

I would agree with that. Someone who is, who has two degrees and I'm actually pursuing a third degree.

 

[Jim Schultz]

Yeah. And some of these programs that cost like a hundred thousand dollars. It's like, Oh my gosh, like how are you going to make, get a job that pays you enough to even pay off that debt?

 

Right.

 

[Kyser Clark]

And you've had just so many of like, Oh, right. So the lack of hands-on skill aside, what do you think the academic world gets right when it comes to preparing people for cybersecurity? And what's your take on how necessary is a degree to get your first cybersecurity job?

 

Sure.

 

[Jim Schultz]

So what is, what is higher ed? What does education do really well? I think, especially for you know, people that are kind of nerds like I am, right.

 

They for sure kind of push you out of like your safe zone and kind of put you in uncomfortable situations. Right. I think about, you know, a traditional university, we have to go live in a interact with new peers.

 

And then beyond that too, like when I was teaching classes in person, like I'd really harp on, like we need to do group work, right. This is like practice for when you have a team meeting in the real world. Right.

 

So it really helps build those soft skills. I think that is super important. It teaches you how to communicate with different stakeholders as well.

 

You know, you have, you have your advisors, your deans, your instructors, your classmates, and you kind of figure out like, okay, like these different stakeholders, I need to talk with them in different ways and with different types of responsiveness and all that stuff that goes into it. So I think, you know, like, like college really kind of prepares you for how to interact as an adult in the real world for sure. Like that's like one of the best things that being in an environment like that is.

 

And then beyond that too, you're surrounding yourself with other kind of like probably mostly like-minded people, right. You're going to make a lot of friends that you will see and interact with for the rest of your career. It's like, it's insane.

 

People that I went to school with, I'm still friends with, we still chat, they're still in the industry. So it's a really good way to make friends and you can help each other out, right, for opportunities or when things get tough to bounce ideas off of, you name it. So those are some things that college does really well.

 

And there's opportunities as well, as I mentioned, those competitions to really kind of show your motivation. And it kind of gives you a pass to really take on opportunities without experience, like internships, you know, winning a CTF or placing really well in CCDC or National Cyber League. That kind of gives you some real exposure, so it can open up a lot of possibility in terms of where you can go.

 

[Kyser Clark]

Yeah, that makes a lot of sense. The second part of that question, I'm going to ask it again, like on a scale of 1 to 10, how important do you think that a degree is?

 

[Jim Schultz]

Yeah, so how important do I think a degree is? I think it totally depends on the individual. I think if you're like 18, 19, 20, and you're still kind of figuring things out, I wouldn't go to an expensive university.

 

Like, I really love Waukesha County Technical College because the classes were like $500 a piece, right? Like, it is a very safe place to fail. Like, you can go to a school like that, spend a couple hundred bucks, and then decide, like, is IT or cybersecurity the right path for you?

 

And if it is, great, right? Hopefully, you have some real hands-on technical classes and hands-on extracurriculars like Cybersecurity Club. But if not, you've just figured that out, very low cost, and you can sort of put together your own game plan.

 

And on the flip side, if you're like, hey, like, okay, like, this is not for me. Like, this is not my jam. It's okay, right?

 

It's a small stakes risk, and you can move on. So for those that are younger, I think it's a good thing to definitely consider. But if you're like in your late 20s, early 30s, and you've had a lot of life experience, and you know how to learn, and you kind of know what you're already going to enjoy, then I think it's cool to, like, self-study and figure things out and use those soft skills that you've developed over life to figure out those communities that you can network with and find, you know, the side door to a job rather than just, like, blindly applying without any experience to an opportunity.

 

[Kyser Clark]

Great response. I'm not going to throw my opinion there because I have a few more questions, and we're running out of time. So the next question I have for you here, you talked about in your introduction how GRC and incident response, like, it helps you be a better pen tester.

 

And I'm wondering, does it hurt you in any way to have that broad experience and not have, not have, like, a laser focus on pen testing at times? Because sometimes I feel like as a, because I do web apps and network pen tests, sometimes I feel like I'm at a disadvantage because I'm, like, spreading myself in two different disciplines within pen testing, and I can't become a web app expert or a network expert because I'm, like, doing these things at the same time. So how do you manage that?

 

How do you balance that? And, yeah, how does it hurt you if at all?

 

[Jim Schultz]

Yeah, you know, that's a really good point. But honestly, I think it really depends on, like, the individual, right? Like, I like seeing different things.

 

I like learning different things. I like learning something in a different domain and applying it to something else, right? So if you're, like, I really want to specialize and do, like, solely web apps, like, that's great.

 

You can become, like, a really, like, you know, elite level web app tester. But you also have to think about, like, okay, then what is my next step, right? Am I going to do this until I retire?

 

Like, what's going to come after that, right? So I don't think it's bad, but have a plan of, like, okay, how are you going to use this skill set in the future? And if you love doing web apps or whatever it might be you want to specialize, that's great.

 

But for me, right, I try to use the opportunities that I see, like, doing the IR/GRC work as opportunities to learn and think about, like, think about incident response. Like, how do our adversaries actually damage these organizations? How do they get in?

 

What are their tactics and techniques? And I can apply that to my testing work. And then from a GRC perspective, I think, okay, now how can I communicate this to leadership?

 

What does this mean from a compliance standpoint? So it is difficult, but then also, like, doing, for me, one thing for eight hours is a lot. I like that I get to break it up, right?

 

Do some testing in the morning, maybe do some IR work in the afternoon, put together something for some, you know, a client's thing for a client. I enjoy that variety. And so, again, it comes down to the individual.

 

[Kyser Clark]

Yeah, I like a variety, too. I mean, there's a reason why I have some non-pentesting cybersecurity certs. And one thing that I'm really highly interested in are these AI security certs that are, there's a couple of them that are in beta.

 

There's one from CompTIA that's AI, SecAI+. And then there's another one from ISACA that's in beta. And it's all about AI risk management.

 

And like, I want to learn this stuff because I'm very bullish on AI. I don't think it's going away anytime soon. And I just, I'm like obsessed with AI right now, because I know that's where the future's heading.

 

And I know it's going to be a huge problem in terms of cybersecurity and risk for many organizations. And I just want to be on the forefront of that. So that's like one thing, like, yeah, I want to be a great expert web app pen tester.

 

I want to be a great expert network pen tester. But I mean, I take time out to like go learn this AI stuff. But I think at the end of the day, it's going to help me give value to my clients more because it gives you the context.

 

Like you said, like you can, seeing things from different sides perspective, it does come back to your testing. And there's nothing wrong with specializing if the people are listening and watching. Like if you want to specialize, that's great too.

 

Like I said, there's advantages to that too. And like, you're able to get like an expert level certification, like faster than someone like me who's branched out on all these different domains. So there's probably the cons of both.

 

And it's really, it comes down to, you know, what kind of person you are. Like me and Jim here, we like the broad general.

 

[Jim Schultz]

Yeah, I don't want to get bored or burned out, right? This keeps my mind busy in the right place.

 

[Kyser Clark]

Right. Yeah, totally agree. All right, Jim.

 

So we're running out of time. So I want to ask you the final question here. Okay.

 

Do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share?

 

[Jim Schultz]

Yeah. Okay. If you are a student or someone that's trying to break in the field, if you know this is what you want to do, don't give up, keep learning, work with your community.

 

And I'd highly recommend like reach out to like your local meetup groups. Like here in the Milwaukee area, we have MilSec, MedSec, we have DC608. You will find those groups, go to your local conferences, meet people face to face.

 

Everybody that I know that has gotten jobs as consultants, pen testers, you name it. At least in my circle, none of us have applied blindly to a job or we've made friends. And when those opportunities come about, they get pulled in.

 

So don't give up, keep learning, network, make friends, and eventually you will find success.

 

[Kyser Clark]

And I have a follow up question. Do you think, this is going to be a hot take. I want to inject a hot take here because we got a little bit of time here.

 

I know here's the final wisdom, but we do have time. My hot take is this, and I want to see if you agree with it. And if you disagree, let me know.

 

I think networking is a little overrated if you don't have some kind of skill. The reason why I say that is because I found it easier to connect with people when you have a certain skill set. After you get a few certifications, it feels hard to take notice.

 

I feel like it's harder to network when you have nothing to show for. You haven't done any projects, you haven't done any certs, you haven't cracked open a computer. You know what I mean?

 

So what do you think about that?

 

[Jim Schultz]

I don't think it's a waste of time at all because let's say you're 18, 19, 20 year old. You're like, hey, I think I want to go and do IT. You could go to those events, talk to people like, do I need a degree?

 

Should I spend $100,000 here or should I spend $200 on Hack the Box Academy, right? You can talk with people, get those opinions, and you will find people that want to help mentor you. And mentorship can start at level zero.

 

That's where we all start when we're learning this stuff. And again, because again, in IT, we're all kind of awkward and introverted. It's good to put your foot out there.

 

Yeah, it's difficult to make those connections, but everybody's been in that same spot before. So I would say do it anyways. Go network.

 

[Kyser Clark]

Great. Well, thanks for the wisdom, Jim. And thanks for being on the show.

 

Where can the audience get ahold of you if they want to connect with you?

 

[Jim Schultz]

Yeah, find me on LinkedIn. That's going to be the best spot. Feel free to connect with me, send me a message.

 

It may take me a bit to get back to you, but I will get back to you, especially if you're persistent.

 

[Kyser Clark]

And audience, best place for you to reach me is in the YouTube comments. Audience, thanks for watching. Thanks for listening.

 

Hope I see you in the next episode. Share the show with your friends. That's the way to network, by the way.

 

Hope to see you in the next episode. Peace out. Take care.

 

Have a good one. This is Kyser and Jim signing off.