LIU009: Navigating Cybersecurity Careers

Kevin

This episode is sponsored by Meter. If you're tired of juggling five vendors and six dashboards just to keep the network up, Meter delivers the full networking stack, wired, wireless, and cellular, as one integrated system. Go to meter.com slash liu to book a demo. That's m-e-t-e-r dot com slash liu. Welcome to Life in Uptime, the podcast where we talk with the people behind the technology that keeps our world connected. I'm Kevin, joined by my co-host, Alexis.

In every episode, we sit down with engineers, leaders, and builders in tech to uncover the stories behind their careers, how they started, what they've learned, and where they're headed next. Our goal is simple, to help you see how far tech can take you, no matter where you start from.

Alexis

All right, guys. Today, we've got a very special guest. We're here with Mike, and he's a CISO and security leader who has spent over two decades helping organizations navigate risk, compliance, and modern cybersecurity threats.

From hands-on engineering to leading a global security team, Mike has built his career on translating security from a technical burden into a business enabler. He's so passionate about mentorship, career growth, and showing aspiring technologists that cybersecurity is as much about people and process as it is about tools. So, Mike, welcome to the show.

Mike

Thank you for having me. I really appreciate it. If there's one thing I've learned already, it's that I need to totally redo my intros because, Kevin, I won't be able to match that.

Fantastic. Thank you for asking.

Alexis

He kills it every time. Mike, I know that we have been online friends on LinkedIn for quite some time now, so I'm super excited to have a bit more of an in-depth conversation about what you do. I think a great place to start, because I've had this question for a while, your title on LinkedIn is a virtual CISO or VC CISO.

Yes. Can we talk a little bit about what that actually is? I've seen it floating around, but I was never really sure.

Mike

Yes, absolutely. And you're right. You see it a lot out there.

You see it on profiles. I get that question a ton. So, the difference between a CISO and a VC CISO is that a CISO is typically a person that's in charge of a security posture, the overall posture, the people, processes, things that are happening to protect an organization.

At that one particular organization that they work for. So, you think of any big company, their CISO is protecting that particular company. So, another word for a VC CISO would also be a fractional CISO.

So, VC CISO slash fractional CISO is typically a term that you see in the MSSP world, where that CISO would be working with multiple clients that that MSP or MSSP has. And one client might get five hours a time from you a week. Another client might get eight hours a time from you a week.

So, you're split between you're working for one company, but you're actually doing work for multiple. Does that make sense?

Alexis

Yeah. And I guess my question there, because it seems very similar to consulting, right?

Mike

Yes, absolutely. Yes.

Alexis

As a CISO, if you are the sole CISO, CISO SQL.

Mike

Yep. That's another debate.

Alexis

If you are the sole CISO at an organization, and something happens, you have a breach, your bot's on the line.

Mike

Yep.

Alexis

Right? You're the one that's responsible for the entire security posture.

Mike

Probably going to be.

Alexis

As a VC CISO, is that still the case? What happens if something goes wrong? Do you have a level of responsibility to that organization?

Or is it more similar to being a consultant or working in sales where you're helping them with their security posture, but your bot's not actually on the line?

Mike

Yeah, that's a great question. So, you're right. If you're a CISO for an organization, and something major happens, there's a huge breach, there's a good chance that that CISO is possibly going to be replaced.

And a lot of it's even for ER and things like that, just to remove and put someone else into place. VCISO is a little bit of the opposite. So, what we do is we advise our clients the best we can.

We help them understand their own environment, what their gaps are, where they're strong, where they are weak. And then we advise them. We give them the best consultation, the best advice we can.

But at the end of the day, it is up to them to make those decisions on the gaps that we've shown them. And then for them to put things in place. So, at the end of the day, in many, most cases, VCISO or fractional CISO is kind of clean, right?

Where something were to happen, we've given them all of it. We've tried to enable them with everything that they need. But many times in these roles, you will advise a client and they won't do, maybe budgets are in the way, or maybe they just don't get down the path that you gave them and bad things happen.

Mike

So, yeah, it's kind of quite the opposite between the two.

Kevin

Do you find that people seek your services just to have a checklist of like, we've consulted, we've talked to an expert, we're going to implement these things possibly in the future, but we just want someone else to take a look at it and just to check a box that we attempted that?

Mike

Yes. So, our industry as a whole, and both of you know this, our industry is very compliance driven, right? If it weren't for compliance, there would be many things, many budgets that would not exist and things would not be happening as they do now.

So, to answer your question, it's split there too. We have clients that come to us that truly want to have a proactive take on their cybersecurity posture. So, they're looking for things that are wrong.

They're looking for advice. They truly want to get better. Also, we have clients that come to us last minute because they need a compliance box check.

So, it's split there as well. Compliance is definitely an enabler for this industry. I think it always will be.

People hate compliance, but at the end of the day, it's when things trickle down, it's compliance and frameworks and things like that that are feeding.

Kevin

I mean, it sounds like a great job. You get the benefit of being a CISO, depending on how you pronounce it, without any risk. That's the best of both worlds, right?

Mike

Yeah. Here's the bad thing though, right? So, you take something like, what happened this morning with AWS?

Well, now, if you're working with 5, 10, 15 clients, when there is something major that happens, now all of a sudden you have not one organization that you have to work and deal with, but now you have a team. But yes, you're right. As far as the risk side of it, yeah.

Personally, I like the be CISO side of it better than the CISO side of it, just because at the end of the day, I know that as a VCISO, I can give them the best enablement I can, but it's their decision.

Mike

This is my hot take.

Alexis

I think if you actually work in cybersecurity, it's CISO. And I think if you don't work in cybersecurity, it's CISO.

Mike

That's not my opinion.

Mike

Yeah, I know. I say CISO. CISO makes me think a little bit, but I think you're right.

I think you might be right.

Kevin

I've heard of CISO. I've never heard CISO, but I don't work in that side of the house at all. So, it makes sense.

Mike

Where my theory came from. And you go to different things.

Alexis

So, Mike, we connected over LinkedIn. I post a lot about making network engineering cool and learning the fundamentals. And I'm pretty sure that's what we connected over first was talking about how fundamental networking is.

And I believe you started off your career in helpdesk.

Mike

I did. Prior to that, I was riding the back of a garbage truck. I didn't know what my future was going to be.

Were you really? Yeah, I absolutely was. For a very, very, very short time.

But yeah, I didn't know what I was going to do. I didn't really have a plan. I was probably a C to a C minus student in high school.

We didn't have internet when I was in high school. So, showing my age. But I just hadn't found my calling or my interest yet.

Yeah, I started at a dial-up ISP back when we had to dial into the internet. And they gave me a book. And I would read answers out of the book when the customers would call in.

And for me, that was the start of my tech career.

Alexis

Did you feel that having... So, something that I feel always helped me learn was when people were asking me questions and I was responsible for going and getting the answer. Because then I had to go do my own research.

I had to put out my own words. I had to teach it to them or deliver the answer to them. And then if they had more questions, it would just repeat the process.

Did you feel that having that book and being on the hook for getting people answers was one of your big building blocks?

Mike

Yeah, I think so. I think the pressure of the job too. I don't think back then we even had hold buttons right on our cheap phone system.

Anyone asking a question, they could hear me flipping pages and trying to find the answer. And so, I was on the spot. I was learning that way.

I was teaching them what to do. But at the same time, over time, as customers are calling with questions, I might not have to flip the page 53 because I remember that answer. Over time, it started just resonating with me.

And then it gave me just... I'm like, you know what? I think I can do this.

I think I can do this tech thing. And then I just started diving deep.

Kevin

Now, at this point, did you have a passion for technology where you're like, I like this thing? Or is it more like, I can do this thing?

Mike

I think at first it was, I like this thing. I think where the passion for me came in, I started watching over the shoulders of the systems admins who were maintaining or building and maintaining the systems that kept our ISP running. And the things that they were doing looked just so cool.

And I'm like, this is just way over my head. And I started just digging in and asking questions, like Alexis said. And over time, I really grew an interest and a passion for just technology.

Because I had no tech background at that point at all. I'm like, this is a whole new world that I had no clue about.

Kevin

I'm curious, the things that the engineers were doing that you were looking over their shoulder, was it like terminal screens? You can't get so excited about terminal screens.

Mike

Back then, I'm going to show my age here again. Back then, our ISP ran off of NT4 RAS server. We had AD back then, Active Directory, put the users in, configure in the RAS servers.

Back then, we had to configure. This was pre-plug and play. Back then, when you were dialing into the internet, if your IRQ was the same as what your sound card was on, when you dial into the internet, your sound quits.

So it was learning to configure all of these things. Back then, the internet was just coming about. But that whole, wow, I'm sitting on a website that exists in California, and I'm in Pennsylvania.

That whole thing of being able to talk to anybody across the world was just fascinating. I wasn't just getting to live the end product of that. I was getting to be a person who was helping build that as well, which is just pretty cool.

Kevin

And at this point, you're at the ISP, and you think that this might be a career for you. Did you want to stay in the ISP, or did you want to venture out into the normal world, I would say, because ISP is completely different?

Mike

It is. Great question. I have, I would say, self-diagnosed ADHD, right?

I've never been self-diagnosed that. I get bored easily. Well, would I have that, Mike?

So I started with the systems admin role. I had no preference to answer your question on staying in the ISP realm. I wanted to learn how things work.

So I went from systems admin role, working with servers, to, okay, now we're talking. I'm going to know how this computer talks to that computer. So I started learning things like packet analysis, learning to read PCAPs, using tools like Wireshark and so on, and understanding what a packet was and how computers talk to each other and so on.

So then I got into a network admin role. I started working with firewalls, routers, things like switches, hubs, back then all those things. Back then it would have been Cat5 cable and so on.

So yeah, I got into that end of it. So for me, it was more, I didn't really have a plan. I was learning technology.

I was following what interests me the most, and then whatever come out of that, come out of that. I let my curiosity... This was true my whole career.

I've let my curiosity drive me. I never really had a plan, but whatever came out of it worked. So it worked.

When you find something that you're interested in and passionate about, you don't always have to have that super long vision or that five-year plan. Just enjoy the moment, enjoy learning, and just go where those doors open.

Kevin

Yeah. I find back in the day, we didn't know what we didn't know. There wasn't a plethora of information like we have now.

So you just discover it as you go along, compared to now, where you can Google, what do I need to do to become an architect? It will tell you all the information you need, all the steps, all the certifications. But back then, we didn't have that.

We had no idea. So you just meandered and, hey, this is cool. Let me explore this thing.

Oh, this is cool. Yeah, exactly.

Mike

It was less chaotic back then too, because you didn't have Indeed and Dice and all those. You were in tech and you knew something. You could find a job pretty darn easy.

Alexis

I was going to say, Mike, what I like about your story and what I think is super interesting, we get questions all the time, and it's, I want to be a CISO one day. So I am going to first do this, and then I'm going to do this, and then I'm going to take the certification, and then I'm going to move there, and then I'm going to do this. And it's like, you can't map your entire career out from day one.

I think it's good to have a good idea of what direction you want to go in. But we have people that hit us up and they're like, I want to be a staff developer at AWS, and here's how I'm going to get there. And it's great.

But can you repeat? If you're following someone else's journey, are all of those steps repeatable the exact same way? Probably not.

So really having the faith that you can go into something, see what you like, see what you don't like, and just see where it goes.

Mike

Yep. It's like taking a vacation, unplanned vacation. You don't know where you're going to go.

You're going to enjoy the journey. And the journey for me has always been almost as fun or sometimes more fun than the destination. So as you're going through this career and you're learning things, you see a door that opens or a road and you go down that road, and you might find, well, I was going to be, I wanted to be a CISO, but you know what?

This looks super cool. So now I want to get there.

Kevin

I think there's something to say about not being so focused on a singular goal or single technology or topic that you lose everything else. You have to play around. You have to explore, even if it's just in your free time.

You're like, oh, I wonder how networking works. Or I wonder, let me spin up a server and just play around with Linux. I'm going to see if I like it or not.

That is really important, I think, in figuring out your ultimate destination.

Mike

I think for me too, and I realized this probably early in the game, was that you can have that path laid out for you if you want, but at the end of the day, like I said, you don't know what doors are going to open. And for me, it's been about the relationships. It's been about shaking hands.

I don't know what I'm going to be in five years from now. I have no clue. But I keep shaking hands.

I keep meeting people and opportunities arise. And so for me, it has been the people that I've known and the relationships that I've grown. Almost every move I've made in my career has come from an existing relationship that has been created, not from an Indeed application.

So to the people that have the perfect resume, the perfect plan, the five of the best industry certifications, and they come to me for the same types of things, like, can I land a role? I've got experience, I've got the search. I'm like, no, tell me about your network.

Tell me about, you're not the TCP IP kind. Stop focusing on that as much as you can.

Kevin

The people network. Mike, are you a people person? Would you consider yourself an outgoing people person?

Mike

I think so. Yeah. I mean, I'm an extrovert.

I used to say I was an extreme extrovert. I think as I'm getting older, that put me down a little bit. But yeah, I mean, I just, for me, I thrive when I'm in a crowd of people and just having great conversations.

Kevin

I find it's a unique combination of technology, mixing technology with extrovertism. I guess it's a special skill set of people that are not the typical. So I like asking that question because I do see a lot of introverted people in our industry and them trying to network with people, them trying to connect with people is a whole different challenge.

Mike

You know, I think I wrote a chapter about introverts, and I put a book out a couple of years ago. It's on Amazon. And I wrote a chapter in there about being introverted in this industry.

And at the end of the day, I have a ton of respect for introverts. I think they have the ability to be much more successful than us extroverts because introverts have that skill of sometimes being the quietest one in the room. But when people are talking, they're not just hearing, they're listening, they're analyzing what people are saying.

And when they speak up, guess what happens? Everyone stops and listens to them because when they speak, it's normally something that means something versus me just spouting stuff out. And I think what extroverts don't have is, or it's rare, is that ability to kind of not be the person to be able to listen.

I think introverts have a huge advantage there.

Mike

They can relate.

Alexis

I mean, there's definitely a lot we could learn from each other.

Mike

Absolutely. Absolutely.

Alexis

I wanted to ask also about not skipping the basics and being really intentional about going through the fundamentals or taking necessary steps to support you later on in your career. In a lot of ways, I'm in a more senior role now. I mean, at 28, I'm a technical evangelist.

I work with all these different companies. And I don't feel like I personally really got a solid understanding of the fundamentals. I came from aerospace engineering.

I took my certifications. I went to Cisco. I skipped a couple steps.

I've landed in sales, which typically when you're a sales engineer, a solutions engineer, you've worked in industry for five or 10 years before you even get that role. And Cisco had this accelerator program. I was super blessed to get into it.

I skipped some steps, right? I can't really go back and get them. I can try, but it's not the same.

And so how did the fundamentals help you or how do you see them still helping you later on in your career? Because there's a lot of people that they just want to get straight into cyber. And it's hard to go back in time, right?

Mike

Yeah, absolutely. So I would say the first fundamental that I learned because I had to was people's skills, right? So when I was on the phone at that ISP and people were calling me, not everybody's friendly.

So you had to learn patience. You had to learn to defuse situations. You had to learn to always be the same person, no matter how a person's kind of treating you, right?

So that was the first fundamental that I learned, was that people's skill. And I'm still learning, right? I think we're all working progress there.

From there, I would say it was learning operating systems. It's hard to be a security engineer if you don't understand how Windows actually works or how Mac works or Linux, whatever. And then from there, it was learning the backend of the servers.

How does Active Directory work? And back then, it was like network shares and so on. And so how is all this working behind the scenes?

So it was the operating systems, that. And then for me, it was also learning how networks are talking and packet analysis and so on. And you're right, people, they do try to skip.

There are rare cases where you're successful. That comes down to how well you can market yourself and having the right connections and the right opportunity. Lexis, you've done well in this field and you've marketed yourself well and you've been very blessed there.

You're a rare case, right?

Alexis

But what I'm saying, the point I'm trying to make is just because you do that doesn't mean you should do that. I'm in a situation now where people assume I know a lot of things and I do know a lot of things, but they're like trivia, like Swiss cheese. There are large holes.

Mike

Yeah. I think you have to pay attention to the basics because you're right, it's hard to go back. Normally there's a cost and a lot of time to go and back.

And so if you're going to get into cybersecurity, understand operating systems, understand servers, understand cloud services, understand networking, how networks talk. One thing that when I'm doing interviews, one thing that I always do is just for that baseline of knowledge, I'll start asking ports and services. What's port 80?

What's port 53? What's port 23, 22? And you would be shocked at people that have a college degree in IT or even cybersecurity that don't know what 53 or 21.

And not that everyone has to know those, but for me, that's always been a good way to kind of see what their baseline knowledge is. Being able to understand, at least you don't have to understand those, you know, totally, but being able to rattle off, you know, some of the most common ports, it's going to, that's going to help you because you're probably, I don't know if I've ever done the ones that I've done myself, right? Interview in four positions.

I don't think I got through many tech interviews where they did not ask me some of those questions. So you have to have that baseline.

Kevin

All right, quick pause because this episode is sponsored by Meter. If you've ever managed a network built from five vendors, six dashboards, and a bunch of contracts that no one fully understands, you know how fast that turns into chaos.

Alexis

What usually gets overlooked is the pressure that puts on the people running it. IT leaders need predictability, engineers need control and visibility, and most stacks just weren't designed for that.

Kevin

That's where Meter's model is different. They deliver the entire networking stack, wired, wireless, and cellular as one integrated system. They design the hardware, write the firmware, build the software, manage deployment, and run support.

One platform, one partner.

Alexis

And that means fewer handoffs, fewer tools, and clearer ownership. It scales from branch offices and warehouses all the way to large campuses and data centers without turning network operations into full-time vendor management.

Kevin

If you care about uptime, accountability, and not being the middleman when things break, this is worth a look.

Alexis

Thanks to Meter for sponsoring this episode. You can go to meter.com slash liu to book a demo now.

Kevin

That's m-e-t-e-r dot com slash l-i-u to book a demo. Now back to the episode. Now was all this self-taught on the job learning or did you do certifications?

Mike

Good question. I was never, okay, I'm not a search chaser now. I held my MCSE back in the day.

Word on the street is it doesn't expire. I sold my NT4 and my MCSE. I think I threw those cards out recently.

I was a search chaser then because I was in the beginning of my career. Then later on, I realized that your search are great. It's a great way to show that you've done work.

But I've also seen a ton of people with those certifications that if you start asking them questions, they don't really have an understanding because they study well, they test very well. But when you start asking them how this works or how that works, that's when they break down into that conversation. It starts to slow a little bit.

I think certifications are great, but at the same time, I don't think you can just rely on them. Now you have systems like TriHackMe, Hack the Box, doing your own VM. We have the ability to do that now at almost almost no cost.

In fact, I didn't have that. I had to buy servers and things like that and use decommissioned stuff to learn.

Mike

It's so much easier now to have those resources.

Kevin

Now as a CISO, would you recommend someone who's interested in cybersecurity to do TriHackMe or do some of those simulations instead of in lieu of getting a more advanced cybersecurity certification?

Mike

Well, I think it depends on the situation. Everyone has a different budget. Everyone has their own personal life.

Maybe you can't commit to a nine-month bootcamp. Maybe you can't commit to a four-year degree. Maybe TriHackMe or Hack the Box in the evenings after you're done working and you have some time at midnight.

Maybe that's a great choice. I think it's different for everybody. To me, at the end of the day, it's about having the knowledge.

Whatever it takes to obtain that knowledge, I learn better myself by messing with stuff and learning. I have a hard time learning when I have someone lecturing to me or someone on stage trying to teach me. I can't learn that way, never could.

For me, it's being able to push those buttons and building that muscle memory more than hearing about the theory.

Alexis

Mike, you said you took a couple of different certifications. I believe you told us before the show that you maxed out your credit card.

Mike

Yeah. I called the credit card company off my limit. I knew what it was going to take.

I took some SANS courses. I took three or four. At the time, they were five or six grand apiece.

I think they're much more than that now. I remember I called over the phone to sign up for these classes. I didn't even do it over the internet.

I slammed three or four classes on my card and maxed out. You can imagine that credit card payment, but it's kind of terrifying. I took a huge chance on myself, but for me, putting something on a calendar doesn't always make me commit.

When I'm putting my own money and life on the line with a credit card, now I'm committed. This has to work or I'm going to go back and ride a garbage truck again. I took SANS courses.

At the time, I didn't even have the money or room on my credit card to pay for the certifications at the end of each one of those, which were, I think, $500 at the time. I just wanted the knowledge because at the time, this is not a plug for SANS, but at the time, they had great courses. I could go through step by step.

I was doing the things to learn them. I didn't care about the certification, so I just didn't chase it. That never helped.

I've never been held back.

Alexis

Can we talk a little bit about your mindset while you were going through that? That's kind of scary, right? This was your first venture going into something structured with cyber, outside of networking, outside of your server background you had.

How did you cope with the fear that this is going to work out or else? I feel like a lot of Gen Z or newer students, they almost want a guaranteed result. If I'm going to put this effort in, I want to know that I am going to get this job.

If I take the certification, I want to know that I can do X. A lot of times, there's no guarantees.

Mike

Yeah, you're exactly right. When I did this, and disclaimer, I don't recommend to any of the listeners to go slam down a bunch of costs on your credit card. It probably wasn't the best choice, but for me, I knew.

As far as my mindset, I've always been a semi-confident person. I knew that I wasn't betting on anybody else. I knew that I was betting on myself.

I knew that I had the work ethic to go through it, but even more than that, I had the curiosity to go through it and really want it to work. I knew that the only way I would fail was if I just quit. It might take me a year.

It might take me two years, maybe three years to land that perfect job or to land that next role, but for me, I was betting on myself. For those that are transitioning to this field or trying to level up in this field, you have to remember that things aren't always going to work out the way that you plan them. There are no shortcuts.

The only people you can really bet on is yourself. If you have the confidence to do that and you have the work ethic, the other thing, too, is having that support network, having those friends or people in the space. We talked about shaking hands and building those relationships, creating that environment around of other people that are doing the type of work that you dream of doing.

I was doing that at the same time, so I felt like I had a good support network.

Kevin

I'm curious because you said you don't deal well with it, but you don't learn the best through classes and being lectured to, and you didn't get the actual certification for spending all this money on these courses. Was this something that you could not learn yourself or self-study, that you spent a ton of money to not get a certification and to learn something through a method that you admitted is not your best method?

Mike

I needed some type of structure, so these particular courses were self-driven where they were lapsed. I was using the tools. This was pre-TryHackMe, Hack the Box, and so on.

I was using NMAP. I was learning Kali, OpenBoz, Metasploit. I was getting to play with all of those tools, but instead of reading on the internet how to do it, this kind of gave me that walkthrough, and it was very structured.

I had a timeline to go through it, and for me, that seemed to work very well. It did match my style of learning, but I definitely had to have the discipline to maybe instead of going to shoot hoops that evening, I'm going to sit down and mess with Metasploit, and I come out of it with some pretty cool knowledge.

Kevin

Now, was that something easy for you to do, to give up your free time at night to do this stuff, or was it a struggle?

Mike

Not all the time. I wrestled through high school, but my favorite sport is just pick up hoops, right? At the age I did all this, I was, oh yeah, I love hoops, and I'm 5'4".

What does that tell you about my skill? Yeah, I mean, I lived in a very small town. There was really nothing to do except go shoot hoops with your high school buddies, and so yeah, I gave up a lot of that time, and of course, you have that peer pressure.

I'm like, I'm building something for myself, and so it paid off.

Kevin

All right, Mike, you have said that you take risks, you invest in yourself. You currently work for yourself. Is that right?

Mike

So I started a company about 12, 15 years ago. I was acquiring about four years ago. Okay, got you.

About four years ago, I was acquired, but it was a great company, and they made me a really nice offer to stay on board with them, so I stayed on board with them, but I decided not too long after I took these SANS courses, I got into red teaming, penetration testing, and so on, and I did. I decided to kind of spawn off on my own, and started from scratch, and took that chance, and landed a deal or two here or there, and started building that side of the business, and over time, I think we maxed out at about probably 12 to 15 employees. It wasn't a multi-billion dollar business, but I was feeding something that I started.

I was feeding multiple families, and it was so much fun, and it grew, and about four years ago, I had no plan to sell, but I had moved to Missouri, and had some life changes, and an offer came on the table. They found me through the LinkedIn platform, and made me an offer, and I thought about it for a while, and I thought, you know what? Sometimes these offers don't come by too often, so I took it, but I wasn't done.

I still think I'm young, and so I thought a lot of time, and so they made me an offer to stay on in a vCISO-type role, but also because of the experience that I had, and this is like those opportunities that you don't think about as you're going through your career. They'd also put me kind of attached to their business development, marketing side, and so on. So I started as a vCISO, but I also serve on the business development side, and so on, so it's just a great role.

We've got a great symbiotic relationship with the things that I do online, things that they do, and it's worked out extremely well.

Kevin

Well, walk me back through. So you're just the certifications, you got all this new knowledge, and what was the thinking to venture out and create your own company? What was the presses for that?

Mike

Yeah, absolutely. So I've always been a person that I've always had that entrepreneurial blood, I guess, and I always wanted to just spawn off on my own just to see what I could do. And I knew that I could create something in the pen testing side, that sector was really starting to blow up about that time, and I knew that there was demand there, and I thought, you know, I could fight to get jobs in penetration testing and so on, or I can just spawn off on my own and talk to clients.

And so that's what I did. I spawned off on my own. And besides those credit cards, I didn't have a ton of debt, because I started this from scratch, and out of my house, and then eventually had a nice office and so on.

But I guess it was just wanting to see what I could actually do with it. And being a people person, you know, just, you know, it allowed me to spend more time with clients, you know, bring people on board, have my own teams, and so on. And it's just a great, it was a great experience.

And it also allowed me to teach some of the things that I learned, as well.

Kevin

Did you feel ready to do that? Like, that's the like, being in tech, you know, pretty much any of us can consult, right? We could all break out and do our own businesses and consult, but I never feel like I'm ready to do that.

I need the jump. How do you get there?

Mike

Well, the thing is, there's never a perfect time. The perfect time is now. So I didn't know if I was going to be successful.

But again, I knew I was betting on myself. I had experience at this point. So if it didn't work out, I put my fallback obviously was to go get a job and start paying down that credit card debt that I had.

But, but no, I just decided that the times now and I jumped out on my own and you know, you're living from contract that back then I was living from pen test pen test, you know, I didn't know much about pricing and so on. And so I was looking at competitors and I was trying to give them a better product than what other competitors would give them but for much less cost. And for me that worked.

I also over the years did a lot of like SEO marketing and stuff like that. So over time, I was able to get the website in the top 10 when people were searching for certain things. And so that was that was huge for me.

And so yeah, I wore a lot of hats. For me, it's been, you know, like the team I work with now and so on. They're like they're experts at the top of their game, right?

And I would say back then, I was average at everything. I wasn't like, superstar pen tester, I wasn't a superstar anything. But my, the key to work for me back then was I knew a little bit about a lot of things.

And that really helped me I could sit and talk to marketing team, I could write so W's, I could talk to the end client, I could build teams out. So I knew a little bit about a lot of things, but I wasn't an expert in anything. But I think that really helped me in my career instead of siloing myself into being a world class pen tester, right?

Mike

So I had to have all of those pieces.

Kevin

Now, there's all sorry, like, was all what are all those skills you had ahead of time? Or do you have to learn this as you went and just kind of like figure it out?

Mike

Yeah, so good question. So the you know, going back to the basics, right, I had the people skills or somewhat, you know, I understood networking understood systems, I understood ad, I understood operating systems. And I will say those four sands classes, like it took me about a year to get through them all.

I didn't rush through them. So I had a year of building some friendships, getting to know people talking to people doing some volunteer stuff, and doing these sands classes at the same time. So I felt like when I was done with my sands classes, I felt like I was ready to at least get started.

And so I also knew my limits. You know, if I saw an engagement that was going to be way over my head, I wouldn't take it. But if I saw an engagement that was in my wheelhouse, I, you know, create an SOW and put a bit out there and see if I can land it.

I was good at using my resources to I knew other people in the field. So if I ran into something that I wasn't familiar with, I would call in resources. And, and then slowly, I would call in those resources if they did a great job.

So over time, I hired him as an FTE. And so that's just kind of how that started. But no, I wasn't a, it certainly wasn't a pen testing pro.

And I decided to start that branch of business.

Alexis

And how did was there any parallels, right? Working when you're customer facing in a more of a consulting business owner role, and what you were doing on help desk?

Mike

Yeah, people. It comes back to people being able to communication so huge in this field. And it's cliche, because everybody says it, you have to know how to communicate, right?

So it's a world class, soft skill to have. But at the end of the day, it comes down to being able to look people in the eye and communicate. So whether it's over the phone, supporting someone trying to get their desktop fixed, to talking to an end client about a $30,000 penetration test, it's being able to hear what they really want, being able to kind of analyze that, and then provide them a solution that can give them the result that they want.

When I read a book, long time, it wasn't a long time ago, actually, recently, but it's by Donald Miller. The title of the book just left me, but the book talks about, you know, speaking in a problem solution results, or thinking with that mentality, anytime you're communicating with someone, talk as if you're addressing their problem, by giving them a solution that's going to help them reach their end result. And that's kind of how I've structured my whole career in communication at this point, even going back through my life, just come to people with solutions to their problems and give them the result they want.

Alexis

Because they need to feel like you're on their team. Absolutely. You are on their team, and you are here to help.

Even if you don't know the answer, you're going to do everything you can.

Mike

Better try. Absolutely.

Alexis

Amazing.

Mike

Marketing made simple. That's the name of the book. That's it.

Just don't.

Alexis

I'm drawing a blank. Mike, is there anything else we haven't talked about? Any stories?

Mike

Yeah, you're going to have bad days. This is a tough industry. For those that are either aspiring to get into this field, or you feel like you are at a ceiling.

You're all valuable. You all have your own unique story. There's no shortcuts in this field, and you're going to have bad days.

You're going to have days that you're like, man, I'd rather be a farmer because cybersecurity sucks.

Kevin

Every day, what are you talking about?

Alexis

Everyone goes out to the woods.

Mike

I'm like, go pick strawberries or apples or something. Not deal with anybody. You're going to have bad days.

The opportunity that this field provides people with is amazing. I think all of us here work behind our laptops for the most part. It gives us the ability to have opportunity from anywhere in the world.

Have a balance too. As people are looking for jobs, as they're trying to transition through this career, they kill themselves 60 hours a week at trying to do the search, reading, studying, their VMs, whatever it is. You have to have a balance because if you don't, you're going to deconstruct before you ever see any of those goals.

You have to have that balance. You have to understand not every day is going to be good. And what you're going through now is a very short season of life.

When I was going through all those SANS classes, I felt like forever. It was just the right move. But looking back, there was a very short season of life that changed my life forever.

Anyone who is trying to push forward, realize that the struggles you're going through now, it's a very short season.

Alexis

Well, and sometimes it's hard when you're in the thick of it.

Mike

You don't see it.

Alexis

You're in the day-to-day. You've got your nose to the grindstone. When really, like you said, it could be just one small decision or meeting someone, one new introduction, one LinkedIn post, which can be anything.

Mike

And everyone thinks when a system goes down, it's the end of the world. Well, guess what? Systems are going to go down, but 4 or 5 o'clock comes every day.

And by the end of the day, you're going to have it figured out. And tomorrow, you're going to have another problem. So that used to get me through.

Back when I was in charge of hard drives failing and systems going down, which I'm not really in charge of now. I can't tell you how many Christmases I worked through, how many Thanksgiving dinners I worked through. But that's all just part of the journey.

You just have to realize you're going to have days like, it's just life.

Alexis

Mike, I'm laughing because you're like, not every day is going to be like that, but you're going to wake up and tomorrow, there's going to be a new problem. It gets better. And then you're like, tomorrow, it's just going to be something else.

Mike

But that's where having a passion for what you do really comes in. You really have to enjoy what you do, because if you don't enjoy those things, you've got to do something else.

Alexis

I've got one question to ask at the end of every show. If you had one piece of advice that you could give your 18-year-old self when you first started on this journey, what would that be?

Mike

I think it goes back to some of the things we talked about earlier. Don't sit there and write down your entire life plan and think that it's going to go the way that you want it to go. Nine out of 10 times, where you're going to end up isn't going to be what you have a plan for, but it's going to be a much better place.

It's going to be something that you've learned about, that you have really grown to love, and you're going to get down that path. So that's the first thing. Second thing I would say is this is a people-first business.

We're all in tech. This is a people-first business. Don't burn bridges.

Make as many friends as you can. Surround yourself with good influences, because they are going to be the ones. Find people that inspire you, and then try to learn from them.

So that's the advice.

Kevin

I love we get lost a lot of times that we are a service industry. At the end of the day, we provide a service to customers. People forget that all the time.

They think they focus on the tech, but at the end of the day, we're all just service.

Mike

Yeah, absolutely. And the sooner you figure that out, the sooner you're going to see success. Great advice.

Alexis

Well, Mike, thanks so much for chatting today. If people want to keep up with you after this show, where can they find you? I know you post frequently on LinkedIn.

Mike

Yes, I would say that's the number one place to find me. Just jump on LinkedIn, type in Mike Miller. I got a blue sports coat on.

That's probably the easiest place. I'm on the X platform. Just look up Mike Miller Cyber there as well.

And if you can't find me there, just Google Mike Miller Cyber. You'll find something about me. But yes, anyone who needs anything, feel free to reach out.

I'm always happy for a new deal.

Alexis

Amazing. Well, thank you, Mike. That is it for this episode of Life in Uptime.

Huge thank you for coming on. And thank you to our audience for listening. If you guys enjoyed this conversation, be sure to follow the show so you never miss an episode.

And if Mike's story today gave you something to think about, please share it with a friend or a colleague who might eat it. And until next time, keep learning, keep building and keep your uptime high.