SECURED

Cracking Cybersecurity Myths: A Candid Chat with Daniel Grzelak

Daniel Grzelak is currently the Chief Innovation Officer at Plerion, and has had a storied career at a variety of technology firms around Australia. In this conversation Daniel brings his experience and insight to the topic of common myths and misconceptions within the cybersecurity industry, and with Cole Cornford tackles questions like:
Does a cybersecurity professional need to know how to code?
Is there a workforce shortage in the industry?
Should pen testers write remediation advice?
1:50 – Does a cybersecurity professional need to know how to code?
5:40 – Is there a workforce shortage in cybersecurity?
9:30 – Questions to ask when interviewing potential cybersecurity hires
12:30 – Are people in cybersecurity bad at promoting their own skills?
17:00 – Should pen testers write remediation advice?
20:20 – Daniel’s career advice: start writing

Cole Cornford:

Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security.

Daniel Grzelak:

Again, one of the most underrated ideas in cyber is the skill that you actually need the most, is being able to communicate with people, not the technical skill that you’re hired for.

Cole Cornford:

Today I’m joined by Daniel Grzelak. Daniel is currently the Chief Innovation Officer at Plerion, but has had a storied career at a variety of technology firms around Australia. Daniel brings a lot of sharp insight and has a wealth of experience to draw upon. We focus on just tackling some common myths rather than focusing on his career journey.

I think that even though we ended up agreeing on most of the topics we talked about, there’s a lot of insight for people who are especially struggling to find the next step in their career, whether it’s about presenting yourself and talking about your achievements to having a necessary background in software engineering slash coding if you really want to get ahead regardless of where you are in cyber. So without further ado, here’s Daniel Grzelak.

I’m joined by Daniel Grzelak. Hey, mate. How are you doing?

Daniel Grzelak:

It’s good to see you Cole. I’m excited.

Cole Cornford:

Yes, it’s been probably too long. I would’ve expected you to be an earlier guest, but I don’t know. It just never came into my head.

Daniel Grzelak:

Well, we’re here now. Let’s do it.

Cole Cornford:

That’s it. So today I wanted to go through a bunch of myths that we see in the cybersecurity industry and start just to debate and debunk them a bit, because I guess, I’m just getting a bit sick of all the LinkedIn hot takes telling people that they… All you need is a CISSP and a CISM and then you can get your pathway to six figures immediately, mate. So what do you think is probably the most egregious myth that you see posted on LinkedIn constantly?

Daniel Grzelak:

Oh, wow. I might pick this idea that you don’t need to code, and I think the reality is that to get into cyber, you don’t need to code, but we’ve confused don’t need with don’t. And what I find more and more is that people, instead of saying, you don’t need to code, they’re saying don’t code, just go with what you have. Whereas I think what the reality is, the coding is a superpower in cyber security. If you can code, you can do a lot more things and go a lot further, no matter if you’re going down a technical path or a management path or a communications and awareness path, like coding gives you that superpower.

Cole Cornford:

Who is that, one of these big famous companies, is it Nvidia? One of the CEOs came out and said that in the future, artificial intelligence is just going to displace the need for people to do coding. So just don’t go learning, don’t go learn how to code. Go learn how to use AI to code for you or something. And it’s something I constantly tell people as well is that if you have the ability to program, you are going to be able to solve problems that other people can’t. So I don’t know. Why do you think there’s so many people out there who just tell people that you don’t need to? Because I see it a lot, especially when I’m meeting academics, people at entry level organizations, people who have come in for just non-traditional pathways, they just say, no, I’ve never needed to code and I probably won’t.

Daniel Grzelak:

I think it’s a truism that you don’t need to code, but the real pain point here for me is that if you invest the time and learn to code, you’ll have a lot more opportunities. You’ll be able to do a lot more things. You’ll be able to analyze data, you’ll be able to do interesting things than you otherwise couldn’t. But that’s not the message that we get. We get, don’t learn to code, and I’m not sure why that happens.

Cole Cornford:

Maybe there’s a lot of people who’ve previously had a background like network security or something where they haven’t had to code because I guess, traditionally if you’re manually logging into Cisco IOS and configuring stuff, I consider that extremely dated, and I can figure that if you are writing networking appliances, why are you not using software to define what they look like nowadays, right?

Daniel Grzelak:

Sure. And I suppose if you don’t code, you might not see the advantages of doing it. You might not see how automating your whole job could help you or you might not see that there is an opportunity even to automate your whole job. But if you are good at programming, then you’ll see those opportunities and you’ll be able to move into a higher level work and do more interesting work, save yourself time and all of that kind of thing.

Cole Cornford:

And I also, it’s something I work over at the University of Newcastle and one of the things that kept coming up for the Master of Cyber Security students was that they’re having difficulty being able to find a role post graduation, and my immediate question to them was, well, do you at any point during this degree, by the way, I have fixed this since. They do coding now, but at any point during your degree, are you forced to learn how to do programming? And the answer is no. We learn how to run Nmap and do different scripting tools. We learn about governance risk and compliance and policies and so on, and in my view, you can use code to make every other part of cyber easier, quicker, and more repeatable.

Daniel Grzelak:

And it helps you understand the problems better. If you can interact with the problem in a programmatic way, you’ll more deeply understand how everything works.

Cole Cornford:

Yeah, nothing like going to a software engineer and telling them that, “Hey, you need to do this kind of thing” and then they say, well, that’s actually not physically possible because you have no idea what you’re talking about. What was it? Malcolm Turnbull, the laws of mathematics don’t apply in Australia and stuff. Yeah, I have to say I don’t want to fight you on that one because I agree wholeheartedly. How about another one? We have a workforce shortage.

Daniel Grzelak:

Wow, that’s very related I think to this one. So in my career, I’ve done a lot of recruiting for a lot of different security roles, technical, not technical, whatever, and the thing I’ve consistently found is that the number of applicants that you get is incredible. So we obviously have, I have not personally seen a shortage of people who want to work in cyber and who believe they have the qualifications to work in cyber. But what I have seen a shortage of is those people actually having the skills necessary to do the roles that I’m recruiting for, and so there’s a huge funnel of people who come in and apply for roles and one, two or three of those applicants are potentially suitable for that role. That’s what I’ve seen. And so I just don’t, yes, there’s a shortage of qualified applicants, but there’s no shortage of applicants.

Cole Cornford:

So why does that message keep coming about that we completely lack the applicants in the industry? I see it in news articles. It’s always in the Financial Review. I guess, maybe it’s being peddled by bigger consultancy firms, that just want more work or something.

Daniel Grzelak:

Well, I think it’s because people like me, like us complain that there aren’t qualified candidates, and again, it’s just misconstrued as there aren’t like number of candidates. And I think what I see is when you go to do a technical assessment with someone and you start querying them about the basics, really simple stuff where you’re not trying to trip them up, you’re giving them lots of options to pick things that they’re interested in, they often won’t be able to explain a topic or won’t be able to read code or whatever the skill that you are looking at is, they won’t be able to do it.

Cole Cornford:

I’ve had some humbling experiences with interviews over the years and that’s always helped me grow as a person. So one of my interviewers, a great friend of mine now, but I won’t put him under the bus, but when they interviewed me, they said to me, “Oh, so can you explain what you could do to mitigate cross-site scripting for this type of web application?”

And I was like, “Oh, that’s easy. It’s output encoding.” And then they were like, “No, you can’t do that. What else are you going to do?” “Oh, input validation.” “No, you can’t do that. What else are you going to do?” Content security policy, no. Rails ERB, no. Starting to run out of answers here. You can, I guess… And then eventually I cracked it like the fifth or sixth option and they were like, okay, that is a reasonable answer. And then it turns out that I spoke to them a few months afterwards and they’re just like, “Oh, most people just don’t even come up with output encoding, let alone six or seven ways to solve the problem in the first place.” So I would never use that technique nowadays, because it just makes candidates feel awful. Awful. It hurts you so bad. It makes you really question your confidence and capability.

But if the baseline is that no one has any of those skill sets to even get to level one, let alone to level six, another humbling experience I had about it was, I got flown to Facebook’s campus in San Francisco in 2019, and they stuck me in a room and then they told me, “Hello, I’d like you to build a parser to parse the entirety of Wikipedia so that we can scrape it for content and then start dosing it, put it on the whiteboard now.” And I’m just like, oh, I haven’t had to do this since my university degree because I’m in security. So anyway, let’s just say I failed that miserably. And then I went back and then went real damn hard at making sure I learned the technicals instead of just being like, yeah, I need to learn security. And I feel like an incredibly well-rounded security professional at this point.

Because I’ve got a good mix of business acumen, technical background and communication skills that, man, unless you go into these situations and push yourself to interview and fail miserably for these big companies, you won’t know, right?

Daniel Grzelak:

Yeah. I also think it’s important for those companies and us as interviewers not to ask trivia questions, right? Give people the option to talk about something that they know in depth. So in your case, you got asked to talk about various cross-site scripting protections. The way that I would ask the question these days is pick some web application vulnerability that you’re really interested in. Tell me what it is and then tell me how you would protect against it. Okay, if you couldn’t do that, what’s the next option? And I find even with giving such a broad range of options to someone, they will often not be able to find a topic that they’ve got enough depth into to have a proper discussion.

Cole Cornford:

I like scenarios. That’s my favorite interview technique. And because it’s open-ended, and it lets people solve in so many different ways, especially when I look at hiring people at Galah, like I’ll say, Hey, you’re looking to be a senior or a principal. What I’m really looking to hire for, is your ability to understand what the business is trying to achieve and then choose suitable options within the application security, just all the domain, and then justify why you choose these options, and what ends up happening is most candidates say, cool, all right, regardless of what the business is, we need static analysis, dynamic scanning, composition analysis, I would recommend x, y, z, and we’re good, and then I’m just sitting there thinking to myself, well, you’ve taken literally no time to actually assess what the customer needs at that point in time and why, because all of these activities introduce friction and can cause problems and opportunity costs for actually building features. So that’s the world, right?

Daniel Grzelak:

Do you think those are the types of things you learn later in your career versus earlier?

Cole Cornford:

I feel like I’m pretty young to have learned those lessons, but maybe I’ve had, I guess, I’ve always really, really focused on my own career, really, really heavily at these [inaudible 00:11:35] and a lot of other things, and I think I grew a lot in a very short period of time. I think that there is a tremendous overweight to learning tools and technologies rather than learning about how to be effective with those, or even more broadly about other disciplines outside of technology itself.

Daniel Grzelak:

Yeah. I agree.

Cole Cornford:

Cool. All right. So probably the next question that’s really good, promoting yourself. So on LinkedIn, we always see the stories about, “Hey, I went to the interview and the dog was the interviewer that I gave a cookie to in the morning, and then look at me, I’ve got a job” how great’s everything, right? And I think in cybersecurity, we’re really good at focusing on technical brilliance, on facts and logic, and I don’t think we’re very good at promoting that. We’re good people to work with, we’re good at communicating, we are solving problems, and we’ve actually accomplished quite a lot. So why do you think the industry as a whole shies away from, because in other disciplines, people are very happy to talk about what they’ve been able to achieve.

Daniel Grzelak:

Yeah, I’m not sure. I’m not sure if that’s true. So one of the things I’ve seen in my career internally working at big companies is, there’ll be a small group of people who talk about the work that they’re doing and share their insights with everyone else, and then there’ll be a much bigger group of people who go about their work and just assume that their work is enough.

And then it comes to promotion time or pay review time, and it’s the people that talk about their work and that promote the things that they’ve done that end up getting the promotion, and the bigger group ends up feeling like they’ve been left out because they’ve done the good work, but they haven’t got the rewards. And I think just in general, it’s really important for all of us, especially in tech, is to just realize that hey, talking about your work and raising awareness about what you’ve done is just part of the job, and if you don’t do that, it’s far less likely that you’ll get the things that you really want, like the promotion, like the pay raise, whatever it is, and you’ll end up being disillusioned with the place that you work and try and find something somewhere else.

Cole Cornford:

I’ve seen that so many times in my career where someone’s like, I don’t understand why this person was able to get to that level, and it’s like, did you tell your manager that you did all of their work for them?

Daniel Grzelak:

Yeah.

Cole Cornford:

No, he should have just known. It’s self-evident, come on, look at the Git commits and it’s like…

Daniel Grzelak:

And I think there’s a sort of like, “Oh, I don’t want to talk about how awesome I am. That’s so wrong to do.” But I think there are nice ways of going about it. You don’t have to go and tell your manager, “Hey, did you know how awesome I am?” Or you don’t have to stand up in a meeting and tell everyone how brilliant you are, but you can say, for example, in an update, this is what’s been done. This is what’s been accomplished in a very objective way, and not even talk about yourself or when people are discussing what’s going on in the company, you can tell them, Hey, the team’s just done x, y, and z.

By sort of continually discussing the things that you’ve been involved in, but in a sort of objective way, people will start to know that these things are happening and that you are achieving all of those things, but otherwise, how is a busy manager meant to know everything that you’ve done over the last year? Some are really good and they’ll keep track and tabs of everything, but I just think you sort of sell yourself short by not taking the time to promote it.

Cole Cornford:

Yeah, and that can be a really hard, I guess maybe it’s sales, right? It’s the way they look at it as sales, and I see this a lot when people try to move from being an internal staff member into being a consultant or running a business, is that they suddenly need to start selling and unless you’ve had the experience of selling internally, then selling externally is far harder because you don’t have friendships and advocates and people wanting to help you.

You have to go out to people, often cold, and then say, “I’m worthwhile to listen to and please listen to me. Please give me money.” Maybe not like that, but hey, they will, right? They’ll give you a shot, if you’re competent, you’re objective and you’re friendly.

Daniel Grzelak:

But one of the things that you do very well Cole, for example, is you don’t go out and tell people, “Hey, buy my stuff.” But you’re constantly out there talking about things that your company’s worked on, things that you’ve worked on, things you find interesting and other people can learn from. And just by doing that, people become interested in you and your company and then you end up sort of selling in this really soft kind of way, which is what I think we all can be and should be doing.

Cole Cornford:

That’s it. See, everyone is a salesperson. You need to learn to do sales and if you don’t think that you’re doing sales at this point in your career, then you need to flip that mirror around and start saying, hello, maybe I should learn about how to do sales, because otherwise, if you are not influencing the direction that how you want people to perceive you and how you want people to interact with you, if you are not even considering any of these kinds of things, you are just relying on other people to make decisions about your own future, and generally people are self-interested in their own future, not yours.

Daniel Grzelak:

I agree. It feels like we’re not arguing enough Cole, let’s do something spicy.

Cole Cornford:

Well, okay, we need a fight, something spicy. So okay, I got one for you. Pen testers should never write remediation advice. What do you think about that?

Daniel Grzelak:

I haven’t thought about this one. I think writing some remediation advice is important, just to have something there for someone who doesn’t know where to start. But I think what often gets missed when you do that is that that is just an option. And I’ve been a security tester in the past and we have this very focused view of the world. We see only the bit of code or only the basis of the application that we’ve worked with and we don’t see the bigger picture and so, okay, we can write some remediation advice, but I definitely think like on the other side, someone’s got this huge context about how the business works, where the application fits, how much time they have for everything, what tooling they have in place and so they’ve got to make a much more complicated decision than the pen tester has to make.

Cole Cornford:

Yeah, and that’s what I’m basically trying to get at is that I think that almost every time I read penetration testing reports, it’s just like ChatGPT generated high-level guidance that’s copied from an OWASP cheat sheet five years out of date and then when it ends up in the report, it does a few things. It overwhelms the engineering functions because I find if I’m given a 60-page document about my company finances or I’m given a six-page one, I know which one I’m going to go read. It’s the six-page one. And I think it’s exactly the same when providing penetration testing advice, focus on the things that are really high value for the business users and you can give them some advice about remediation, but otherwise you are never going to have the context. And that’s why I’m happy to take this fight to the grave, basically. I want customers to have good outlay experiences and good outcomes from getting an assurance activity. I don’t want the assurer to feel like they’re covering their own ass.

Daniel Grzelak:

And I think maybe one thing we all can do a bit better is provide options or provide outs, right? This is what I’m recommending you can do, but these are the other ways that you could approach this problem as long as you get this specific outcome which is fixing this issue.

Cole Cornford:

I’ve got another one for you. What do you think is more valuable, writing blog posts or public speaking?

Daniel Grzelak:

What do you think?

Cole Cornford:

I got to say blog posts, and I think that the reason is, it’s straightforward. I believe that if you are writing, you have to find a way to compress some generally super, it helps you really, really understand what you’re trying to say and convey to another person and structure it in a way that’s really clear, and I also think blog posts have significantly more reach than a conference presentation does and what I find from conference presentations is that people will give you the benefit of the doubt if you’re on the stage. So even if you give a bad presentation, no one wants to afterwards walk up to you and say, “Your presentation sucked.” Whereas on the internet, they don’t care. So it’s a lot nicer to get criticism from people about writing because it’s an audience where there’s no repercussions for them socially to just write that, I don’t agree with this content and it’s bad.

Daniel Grzelak:

Yeah. Look, I don’t think we’re going to disagree on anything Cole.

Cole Cornford:

I’m trying to fight you mate, why are we doing this?

Daniel Grzelak:

So the number one piece of advice I give to everyone, whether you are early, mid, or late stage career, is start writing. Whether it’s blog posts or LinkedIn paragraphs, hot takes, like you do whatever it is, just start writing. It just has so many benefits and I’ve seen it, and it doesn’t matter what you write about, like whatever you are interested in, whatever’s important to you, and I’ve seen it pay dividends throughout my whole career.

So the writing that I did one day, a few years later, someone will come talk to me about it. I became an advisor for a cloud security company because I wrote something a long time ago and someone found out and came to talk to me. And like you said, the organization of your ideas is really important and all of your communication gets better if your writing gets better, your presentations will get better, your reporting will get better, your day-to-day interactions with someone will get better. All of these, writing just has so many benefits and you learn because in order to write something really well, you’ve got to know the thing you’re writing about, and when it’s just you and I having a conversation, we can sort of, there’s details that we omit. There’s fuzzy stuff that goes in between what we say, and you don’t necessarily need to know something well, but when you write it down, you do.

The other thing I love to say is if you start writing publicly on the internet, like a blog post, there’s this amazing thing, is if you write something shit, most of the time no one cares. No one sees your failures when you write on the internet, and if they do, it’s extremely fleeting. There’s basically no cost except your time. But if you start to write well and you write really interesting thought-provoking stuff that everyone wants to read, people start reading it, and now you have this personal brand that’s associated with this great writing, and now people think you know what you’re talking about, now they want to hire you, they want to make you an advisor for their business and all sorts of other things.

Cole Cornford:

Well, I hope that they all want to hire me and make me advisors and do all that fun stuff in the future, but in the meantime, I’m just going to keep posting hot takes on LinkedIn about CVs or whatever.

Daniel Grzelak:

Sounds like it’s working for you.

Cole Cornford:

It’s going all right. Galah’s doing pretty damn well. So we’re getting close to the end. What book would you give to someone who’s starting out in cybersecurity and why?

Daniel Grzelak:

It’d probably be a book like On Writing Well. It’s no surprise.

Cole Cornford:

Oh, Zinsser, right?

Daniel Grzelak:

Exactly. Something like that. Again, just to structure your ideas and start communicating. I think again, one of the most underrated ideas in cyber is the skill that you actually need the most is being able to communicate with people, not the technical skill that you’re hired for.

Cole Cornford:

Yeah. I filled in a survey earlier today from Acer, now I probably shouldn’t say on the podcast or whatever, and they put in a list of 60 different types of skill sets going from digital forensics and stuff, and they’re like, which of these is the most valuable for you for hiring? I just said, none of the above, and I just wrote in the comment box, I want people who are kind human beings who have some idea about how businesses work and have very explicit and clear writing. They can learn all the other stuff. The person got back to me and they’re like, that’s very unique and weird, and I’m like, well, I work in professional services, so maybe that’s why.

Daniel Grzelak:

We must both be unique and weird then.

Cole Cornford:

Daniel, thank you so much for coming onto Secured. It’s been an absolute pleasure. I’ve loved having a bunch of short, sharp takes. It’s a bit different from just going deep and nitty into all sorts of different parts of cybersecurity. I really appreciate you coming onto the show and hope to have you again in the future.

Daniel Grzelak:

Thanks for having me, and I look forward to more of your hot takes on LinkedIn.

Cole Cornford:

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.