The Gatekeepers of Our Digital World

Published 10/15/2024

Drew Thomas  0:04  
Fast fact, according to Forbes magazine, as of August 2024, nearly 4 million cybersecurity jobs were vacant worldwide, with 71% of organizations reporting that they had empty cybersecurity roles. I'm Drew Thomas, and you're listening to Bank Chats.

Drew Thomas  0:44  
We are back once again to talk a little bit about cybersecurity on the podcast. With me is my co-host, Jeff Matevish.

Jeff Matevish  0:53  
Hey Drew. 

Drew Thomas  0:53  
And with us are some very, very popular guests. Guests that were actually the most popular guests of any episode that we've ever published to date, and I'm just gonna inflate their egos for just a second.

Kevin Slonka  1:06  
Seriously, yeah.

Drew Thomas  1:08  
No, we have Kevin Slonka and Mike Zambotti. Really happy to have you guys back with us. Thank you very much.

Kevin Slonka  1:12  
No, no problem. Love being here.

Michael Zambotti  1:14  
Yeah, thanks for having us again.

Drew Thomas  1:15  
We paid them to say that, it's awesome.

Kevin Slonka  1:17  
I'm really interested to see these statistics of how you know we were popular.

Drew Thomas  1:22  
Yeah. In all seriousness, you guys are our most downloaded episode, was the Cybersecurity 101 episode. So, if anybody wants to go back and add to that tally, feel free.

Kevin Slonka  1:31  
Yeah, definitely not, because we told all of our students to go download it.

Jeff Matevish  1:34  
Well, and I checked it today. It's gone up since yesterday.

Drew Thomas  1:37  
Has it really? It has. That's awesome, yeah.

Michael Zambotti  1:39  
Well, it's an assignment for us each semester.

Drew Thomas  1:42  
I'm okay with that. I used to have professors that made me buy their book. I don't see why you can't make people listen to a free podcast. So, yeah, really glad to have you guys back. We're going to talk a little bit today about something a little bit different than what we've talked about before, and that is the information security career path. And I think both of you have a pretty good idea of what is entailed in that, because you work with people that want to get into this correct? I mean, is it an actual major now, like, can you major in information security?

Kevin Slonka  2:09  
It is. So, we actually have one at our university. It's a Saint Francis Cyber Security Administration. So, 20 years ago, maybe there was, like, computer science, information technology, and if you wanted to do security, maybe that was a concentration in computer science. But many universities now are breaking it out into its own bachelor's degree.

Drew Thomas  2:29  
I can imagine that's true, because it is a different avenue than just doing IT work, you know, I would say. I mean, you're not computer science, yeah, yeah, and computer science, that's right. I mean, when I was in college, you could take computer science as a math credit, and I think it's a little bit different these days.

Michael Zambotti  2:46  
There's definitely overlap between the fields, between information technology and cybersecurity. And there's things in each to complement each other, but they're, I think, distinct disciplines and something that requires a lot of investment and investigation by people that want to get into the field.

Kevin Slonka  3:02  
Yeah, we see that a lot with, so with the programs that we have at our school, computer science and cybersecurity, the first year, the first two semesters are pretty similar, no matter which one you take. Students are taking classes from both majors. So, like Mike said, they do complement each other a lot. You'll find the same students in the same classrooms a lot of the time.

Drew Thomas  3:22  
So, are you both in the same field? Like, do you both, like, teach the same thing exactly, or is there something different between what you guys teach?

Kevin Slonka  3:28  
So, technically, my title is computer science and cybersecurity, so I teach in both majors. I think Mike yours is just cybersecurity. Exactly. But I mean, as far as the courses go, like we said, there's so much overlap. You know, Mike teaches a couple computer science courses that happen to fall into the cybersecurity major. So, when it comes to things like programming, writing software, that's strictly a computer science thing, I do more of those classes than Mike would, for instance, okay.

Michael Zambotti  3:55  
Right. I teach a couple of foundational classes on cybersecurity, but also foundational on information technology, which it's so important, and for anybody looking to get into the field, note this fact. In order to protect something, you have to understand how it works. So, you have to understand how computer networks work, how organizations use technology, how your attack surface can expand whenever you add new technologies that might increase functionality, or people. So, it's really that core understanding of networks, computer networks, how they work, and getting that knowledge first.

Drew Thomas  4:24  
I think that's an important distinction. I've used this example with other people, and I apologize if I've used it with you guys too. But I attended a conference a number of years ago, and there was a keynote speaker who is the director of a generational in sort of studies organization. They look at how different generations respond to different things, right, and try to interpret how to market to them and what their interests are, and so forth. And he asked the audience, he said, okay, I want you to finish this sentence. He goes, young people are computer, and most people said, savvy. Right? It's a computer savvy and he's like, actually, that's not true anymore, because young people are not computer savvy. Middle aged people are computer savvy. Young people are computer dependent, or technology dependent. They don't understand how it works. They just know that it does work.

Kevin Slonka  5:14  
That is very true. So, I've been teaching at the collegiate level since, like, 2007, and I definitely, you know, see that change that people in my generation, you know, for those listening who don't know me, I'm 40 years old now, but, uh, you know, people in my generation, we grew up when this stuff was just coming out. So, in order to use it, you had to know how it worked, because you were probably building it yourself. But kids today, they just get a cell phone, and it just magically works. And, yeah, yeah, they don't really understand it.

Drew Thomas  5:44  
And I think that, so now we're kind of stuck in this thing where the older generations don't understand the technology the way that the middle ground generations do, because they didn't grow up with it, and the younger people, it's become just sort of a tool that has always been there. So, you're still stuck in this weird dynamic where the middle generation is still the only generation that really understands how any of this stuff works.

Michael Zambotti  6:07  
Right. And if you look at the technologies that exist, like Facebook, you know, Facebook started, essentially was for Mark Zuckerberg to find a way to meet girls at his college. And, of course, which it all starts there, right? But then you look at what it was used for. It was used as a Facebook for college students, for you had to have an edu email. You recall, that's who used it was, was people that age. Now, who uses Facebook? It's not young people. They use TikTok, they use Instagram. They use other apps that I don't even probably know about yet. They haven't told us, because we're a little older, yeah. But, you know, we see that, and it's like, well, how did that evolve? How did it go from something college kids were using to something that now, I guess older people will argue about politics, and that's pretty much the big thing on Facebook or, you know, whatever's happened locally.

Jeff Matevish  6:54  
Yeah, you use what you grew up with, yeah, yeah, yeah.

Drew Thomas  6:56  
Yeah. I mean, if that's true, then we're, I don't know what. I can only imagine what's going to come out 20 years from now, if that, if that's true. So, looking ahead, it says, it says here, information security analysts held about a this is, this is from just so, this is from the US Bureau of Labor Statistics, for those of you that are just knowing the source material. It says, information security analysts held about 180,000 jobs in 2023. The largest employers of security analysts were the computer systems design and related services. That's about 22%, finance and insurance, which would include us as banks, about 15%, and then it kind of goes from there. So, you figure about 10% is information. I don't know what information is as a category, that's everything. And then it was followed closely by management of companies and enterprises, and then management of scientific and technical consulting services. So, you figure more, more than 50% are just in the finance and insurance and computer systems design services. So, if you're looking to get into that field, I guess that's pretty much where you're going to start looking, right? I mean.

Kevin Slonka  8:01  
Yeah. I mean, whether it's the finance field or whether it's any other highly regulated field, like government work, or healthcare, you know, there are a few industries that are very strict with the legal requirements for cybersecurity. So, yeah, those are the ones that definitely have the most job openings.

Kevin Slonka  8:01  
But it's also because I think those are the industries that are protecting the most sensitive data, absolutely, right? I mean, right.

Michael Zambotti  8:23  
That's what it comes down to, is, what are you protecting? You know, that's a question everybody asks. And, you know, you look at banks, you mentioned, the financial services industry, definitely a growing area for cyber security. Companies like JP Morgan spend upwards of a billion dollars a year on cyber and that number is increasing. And you look at, you know, a physical bank, what was your, your biggest concern, 20, 30, 40, years ago, was physical security, right? Yeah, it was, is somebody going to come in and rob this particular bank? Now that's really, I mean, I'm sure banks still get robbed occasionally, but the concern is more that, that information security, it's that's where the investment is going. You're not investing in the newest cameras right now. You're investing in ways to protect your online banking because that's where your customers are going.

Drew Thomas  9:02  
Yeah, and I would say too, you know, just from being in this industry and dealing with that, the frustration sometimes comes from the fact that we can build as many walls around your information as we want to. And that goes for banks, that goes for any organization, wherever you're giving, whether you're giving out your email or your social media or your bank, they can put as many walls around their information as the, as you want. But when, when people give their keys away, it really becomes a moot point, right? I mean, and I think that's what we've talked about in past, is some of these scams and things where people are, they're just giving away their passwords, they're giving away their information. So, those walls are kind of useless when you have the keys to the kingdom.

Kevin Slonka  9:42  
Yeah, the social engineering scams, the one where they just trick you into doing something you wouldn't normally do. But it's kind of funny, because I generally tell people who think that they're safe with their money because they don't use online banking, or they don't shop on Amazon, and I have to tell them, like, well, you have a bank account, right? Like, your money is somewhere. Isn't that bank online? Like, aren't their servers on the Internet, the servers that your money is tallied on and kept on, you know? So, people don't realize that they're still susceptible to all of these things, even if they don't have a computer. Their bank is online, and hackers can get into it. And, you know, they could still get a phone call, like you said, give away the keys, and somebody can get their money through some computer means, even though they did nothing on a computer, right? You know, we think of our grandparents or whatever, people who don't use technology at all, but they could still be a victim of cyber-crime. Yeah.

Michael Zambotti  10:42  
And the, the crimes are getting a lot more focused and effective. I teach a class in Saint Francis called Open-Source Intelligence, okay, or OSINT, and what we do is we learn how to investigate people and companies online and see what information is out there. And I just got a text recently, it was from, I think it was legitimate, I didn't respond to it. But it was from a realtor, and it said, hey, my name is Marcus, and do you still live at my address? And would you want to sell your house right now? So, this person had two pieces of evidence, information. He had my address, and he had my phone number. Very, very clear. Now there are scams, and you've probably heard of phishing scams, sure where you get an email and they're trying to get you to get you to do something that is not in your best interests. So, one of the things now is, let me find, I'm thinking as an attacker, I'm going to come after you, I'm going to look up your home address, and I'm going to find out and get a picture of your home off of, say, Google Maps. I'm going to put that in with the phishing email. So, now you're getting that, you're saying, wow, this, this person has a picture of my house. I'm very, you know, I better do whatever they're saying. So, you get that fear, uncertainty, and doubt. But it's continued to be more effective.

Jeff Matevish  11:49  
And information is so easily obtained. Yeah.

Kevin Slonka  11:51  
Yeah, a couple Google searches, and you can have everything, yeah.

Drew Thomas  11:54  
So, when somebody wants to get into this as a career, whether information security, I would imagine there's a couple of different ways that you can do that. You can be the type of person that tries to keep people out, but I kind of want to sort of ask about because what you just said sort of keyed my head. There's probably people out there whose job is to sort of try to be an ethical hacker, right, to see what they can do to get away with certain things. That is that fair? Is that I mean...

Kevin Slonka  12:20  
Yeah, absolutely. That's definitely a job role.

Drew Thomas  12:23  
So, I mean, I would imagine that, that requires sort of people with, like, a creative thinking. I think if people think of computers and they automatically think they have to be great at math, or they have to be great in the, the sciences and things, and to a degree, I'm sure you do. But I think there's an element of creativity that goes into some of these jobs now as well. Is that fair?

Kevin Slonka  12:40  
Oh yes, thinking outside the box is key.

Michael Zambotti  12:42  
Right. And one of the big questions that I get whenever both Kevin and I meet with students, whenever they're considering what college to come to, and they'll ask us about our programs, and they say, well, do I need to know coding in order to be in cybersecurity? That's a big question I get. Do I need to understand how to program a computer or how to do coding? And you know, the answer is, it depends. It really depends on, cybersecurity is a huge field. It depends on what areas you want to get into. I think, as a rule, understanding coding and logical thinking and things like object-oriented programming is really, really important for anybody you know, regardless of what field they're in, to understand how a computer thinks. And well, the computer doesn't reason through anything, but it follows instructions. But to be purely in cybersecurity, no, you don't have to know coding. I mean, it's helpful, but it's something that, you know, a lot of people will ask.

Kevin Slonka  13:28  
Yeah, I was waiting for this question to come up because I wanted to go on my little rant about what it takes to get into the field. And maybe everybody listening will disagree with me, but it's, it's something that we, we try to tell our students, but we also make sure that we, you know, lift up their spirits immediately after we tell them that cybersecurity is not an entry level field. And you had started talking about this at the top of the show that if you are in the cybersecurity field, what's your job? It's to protect the information, the servers, the network, right? But how do you protect it unless you know how they work? You know, Mike could say, you have to understand the servers. You have to understand the network. So, the majority of the really good cyber professionals, they don't go straight into cyber, they started as an IT person. They started as a system administrator. They started as a programmer. You know, I always tell my students, you have to know everything about everything to be a cybersecurity professional, because you're protecting networking, you're protecting servers, you're protecting information, you're protecting software, you're protecting every other field of computing. So, how can you protect it if you don't know how it works? So, you know, I always like to set the expectation of my students that you're not going to graduate and get this super amazing, $200,000 job where you're like the superstar cyber person, you know, you got to work your way up, because if you don't have that background technical knowledge of how these things work, there's very little you can actually do until you gain that knowledge.

Drew Thomas  14:54  
That makes sense to me.

Michael Zambotti  14:56  
Right, and if you think about other fields, you know, we look at our field as sometimes people get laser focused on whatever field they're looking to get into. But look at other ones. Look at the medical field. You don't, all of a sudden graduate med school, and, you know, jump right into doing surgeries on your own. There's a learning process. There's almost an apprenticeship. We don't have an actual apprenticeship but think of that as well. And you know, a lot of people will start, they'll get degrees in cybersecurity, which is a great field to be in, and then they'll start working on an IT help desk, which is an excellent, excellent area. That's a great place to start out whenever you're getting into the industry, because you get to triage a lot of situations. You get to work with a lot of different people and personalities and see how you work with them best, and talk to non-technical people and get used to translating. You know, sometimes our job is not so much technology, but to be translators, language translators from technology to non-technology. So, having jobs like that, you know, that doesn't mean you fail, that means you succeeded. But it's about building yourself up. And you know, I think a lot of people do get into the field, and you know, Kevin probably sees these, and I'm sure has a similar thought, but you know, we see these things. Oh, the average salary is, you know, $120,000 for a cyber security grad. Or take this boot camp and you're going to make $85,000 next week, you know. And those things tend to, tend to sell a bill of goods to people, you know, there's a lot of hard work involved.

Drew Thomas  16:12  
Yeah, you, you sort of mentioned, like, like, pay scale and so forth. But I think if I were younger, and I were looking to get into a different career, or I was going to college for a career, one of the things that I'd be looking at too is the, the sheer number of openings. I think that, that is a big part of it too, is that this is a, this is a field that is growing, and they're going to need more people that can do this stuff. But even if it is starting out at an entry level point of view, I think one of the other things that people tend to see then is how people act when they're around technology, the kinds of, the kinds of things that they will do or say that might give them insight down the road, once they become an analyst or, or move up the ranks to say, yeah, well, that might not be a hardware issue, or that might not be a software issue, that might be a human issue. Because there's, there's all three of those in there, right, as far as protecting data.

Kevin Slonka  17:00  
Yeah, and you mentioned the openings. I'm sure you have some statistics saying, anybody can Google and find them, but yeah, like, just within the federal government alone, hundreds of thousands of openings for, for cyber people. So, you know, across all business sectors, I can't even imagine what the number is, but yeah, that number keeps going up. You know, we always tell students, you will not have a hard time finding a job, if you look. You know, the jobs are out there in the cyber field. You may have to, to move a half hour or an hour, you know, depends on what you want to do. Right? If you want to work for a small company in your hometown, maybe a little harder to find a job. But if you want to work for the federal government, you move to the Virginia, DC area, you're not going to have trouble. You know, there are thousands of openings around there, and we have students who do both, right? We just had a girl who graduated, she's now working with the FBI. We have, you know, some people who say, I want to stay around Altoona or Johnstown and, and that's fine. You know, there are openings everywhere you just, depends on how hard you want to look.

Jeff Matevish  18:00  
What kind of programs would give you the best chance of getting a good paying job in cybersecurity? Do you have to go for a bachelor's degree? Or if there's all of these job openings out there, can you go for an associate's degree or certifications? What kind of certifications would benefit you?

Kevin Slonka  18:16  
Yeah, I think Mike started down that route a little bit, mentioning boot camps and things and, I mean, there are a lot of different ways to get into it. Depending on the way that you get into it, you may limit your future growth. You know, because a lot of companies, you're not going to get promoted unless you have the bachelor's degree or the master's degree, you know, whatever, or if you have certain certifications. Generally, what I will tell people is, start with the bachelor's degree. That's going to get you the most well rounded that you can get that IT help desk job you can get that entry job that may not be exactly what you want, but it gets your feet in the door, versus things like a boot camp where they only teach you one thing. And if you can't find a job in that one thing, well you're out of luck. Yeah, hope you can find that job. But then also certifications, you know, we always tell people don't go overboard, because you don't want to graduate with 12 certifications, because companies will look at that and say, you don't know any of this. You just studied and took tests and that was it. Yeah, but pick a couple that makes sense for what you want to do. Show them you're willing to put in the extra effort.

Michael Zambotti  19:16  
And I think it's also important to really understand the field of cybersecurity. We have a lot of people that come to it, and they'll say, well, I want to get into cybersecurity. And then you break down what that means, I always push back and say, well, what do you like about the field? What part of cybersecurity? It's almost like if somebody said, I want to get into sports. Which is great, you know, there's and you look, okay, I'm pretty athletic, I can get into sports, I like to train. Okay, well, what sport? Let's see. Because if you think about the skills for, say, golf, which is a sport, although some people say it's not, but it is.

Kevin Slonka  19:46  
It is definitely a sport.

Drew Thomas  19:48  
I think it's sport.

Michael Zambotti  19:49  
Or football or basketball, each one has very discrete set of skills that you want to work towards. So, I would say in any particular set of skill, oh, exactly right. If you want to become a hitman, don't, don't do that. No. We do not certify that, but.

Drew Thomas  20:02  
My Liam Neeson isn't as good as it used to be.

Michael Zambotti  20:04  
But whatever you decide that you know, you can learn as much as you can about the industry. Do the reconnaissance and say, well, I you know, we talked about earlier, a little bit touched on penetration testing or ethical hacking, which we call the Red Team, Red Team exercises, which is people that are doing offensive security, breaking into computers. Sounds awesome, right? It is. Kevin teaches a couple classes on offensive security and ethical hacking, which are really, really cool. And then we look at defensive. Defense is the Blue Team. Okay? Incident response. How do we respond whenever the people that Kevin teaches break into our computer system? You know, we have the Blue Team. We, so we have incident response. Digital forensics. Kevin mentioned a student that works for the FBI now. Her quote was, whenever I got into Saint Francis, I didn't know what digital forensics was. And now she's working at it, because she studied very, very hard and did great work over the four-year period, and found that field and said, this is what I want to be. So, she had a disposition towards law enforcement, so that was her path.

Drew Thomas  21:01  
So, so what, what is digital forensics? Since you brought it up, and she didn't know, is it, is it kind of the idea of a digital version of CSI? I mean, you're, you're sort of gathering evidence and then trying to figure, you sort of put together how things were done? Yeah, absolutely.

Michael Zambotti  21:17  
There's a couple TV shows. I think there was a, was there a cyber-CSI at one point, possibly or CS, one of those. There's so many spin-offs, but I'm gonna say, if I would, Digital Forensics two words, find evil. It's, hey, we have a suspect's laptop and cell phone. I need you to find some evidence, and it gets turned over to the digital forensics professional and analyzes that piece of hardware or that storage media to try to find evidence to maybe support a prosecution of a crime.

Kevin Slonka  21:42  
And to think about, you know, how somebody does that. That's one of those cases where you really have to understand how things work. Yeah, you know, if you're a forensic analyst and you're analyzing somebody's Windows laptop, if you don't know how the Windows operating system functions, how it stores files, where it stores files, how the hard drive is built and how the bits are stored, you're gonna have a hard time finding the real evidence. Because, I mean, I'm sure there are many criminals out there who are just awful at hiding their steps, but there are some who are really good, and if you don't know how these things work at a very technical level, you're gonna have a hard time finding that evidence.

Drew Thomas  22:19  
So, it's not as simple as just going into your file explorer and saying, hide files, and then you just do good.

Kevin Slonka  22:23  
I mean, those are the ones who get caught.

Michael Zambotti  22:25  
Well, even if a file is deleted, somebody could say, well, hey, you know what? I'm going to delete this file and I'm going to empty the recycle bin on my computer, and you're not going to see it. A good digital forensics professional can find that even though it's been quote, unquote deleted off of the hard drive or the storage media, it can still be found. It can still be discovered.

Kevin Slonka  22:44  
Yeah. Note to listeners who ever want to do evil, nothing is ever deleted.

Michael Zambotti  22:49  
Same goes for web searches. There's been several high-profile crimes where looking at browser histories was used in the, in the prosecution, and the person thought, hey, I deleted the browser history, well, it still existed somewhere on that computer.

Drew Thomas  23:03  
Well, not only that, but there was a story not that long ago, depending on when you're listening to this, where people thought that if they were using incognito mode in their Google Chrome browser, that somehow it was never, it was untrackable. And that's not entirely true. Google, Google knows where you went. You know, just because your computer, your particular browser, might not necessarily store that information, Google still knows where you are.

Kevin Slonka  23:29  
Was that an actual lawsuit, or was that just like a slap on the wrist type thing that this came out?

Drew Thomas  23:34  
Yeah, I'm not sure if that was, I don't even know if it's completely resolved at this point. I just know that there was some notifications that went out from Google that basically said, just, just because you're using incognito mode does not mean that your browsing history is untrackable, you know.

Kevin Slonka  23:48  
And that brings up a whole thing that we did touch on a previous episode. You got to trust the companies that make the things you're using. So, if you're using Google Chrome, do you trust Google to know things about you and to be good with your data. You know, maybe some people wouldn't. They would think Google's evil now. You know, 20 years ago, you would think Google was the best company ever, yeah, but now a lot of people may have changed.

Jeff Matevish  24:13  
So, say you're in high school and you're not ready to talk to a professor yet in a college level to ask, you know, hey, where can you get good information about, you know, other than the TV shows and movies, about cybersecurity, you know, and kind of what the field is like?

Kevin Slonka  24:27  
Maybe don't go to TV shows and movies.

Speaker 1  24:30  
Hey well, you know, you just said that it was pretty accurate.

Kevin Slonka  24:33  
There, there are a couple. There are a couple, oh Mr. Robot. We always tell people, oh, a good one. But yeah, if you're looking at like, CSI, I forget what it was. Was it Bob's Burgers or some TV show? They were making fun of CSI because they had a picture up on the screen. They're like, enhance, enhance. Like, there is no enhance. That's not how this works.

Drew Thomas  24:52  
There's only so many pixels. Doesn't go that deep.

Kevin Slonka  24:55  
Yeah, so I mean, YouTube is a great place. There are so many cybersecurity professionals that make short videos on YouTube of, you know, digging into a virus, showing how this works, showing what a day in the life of is like. So, and of course, you can also find bad things on YouTube and people who are just lying and, you know, sensationalizing everything. But there are a lot of very legitimate cyber professionals on YouTube that show you what they do. So, if there's one way, if you don't actually want to speak to a person in real life, I would say that's a very good way to learn about the different fields.

Michael Zambotti  25:28  
We're at a very fortunate time. We have more data available to us than anybody in human history. We're also at a very challenging time, because we have more data available to us than anyone in human history. It's a two-edged sword. Like Kevin said, there's a lot of information on YouTube, a lot of good information, a lot of bad and sometimes it's hard to develop that filter, especially maybe for a high school student. How do you develop that filter between, how do I know what is good and what is bad? Great place to start, I would say, start with any kind of free resources you can find. Also, I'm a big proponent of, you know, we talked about computer networking. It's a fundamental concept of getting into technology, get into cybersecurity. Absolutely, Computer Networking is essential. Human networking, okay? Human networking is also essential. And I think people can start whenever they're in high school. I'm a big proponent of having students set up LinkedIn accounts, okay, as soon as possible, and just start to follow, start to follow people who do a job that you might think is interesting, okay? And if you're in high school, you can do that. You can see can set up a LinkedIn account. It's free. You don't need to ever post anything. You can do two things on LinkedIn. You can connect with somebody, in which case, if I send Drew a connection request, he has to approve it and then we're a connection. Or I could follow Drew and I can just see his posts. He doesn't have to approve anything. I just follow whatever he posts. You can go on and maybe find a job like a SOC analyst, a security operations center analyst, which is a great starting point for students in getting into the field in their first job, and maybe follow people who do that job and just see what they're talking about. Just kind of go in read-only mode. Just try to be a sponge in the very beginning.

Drew Thomas  26:59  
Yeah, I think that's a good point. And I think another point to try to make, and it kind of piggybacks off the idea of not necessarily basing your career decisions off of what you see on, on TV shows. These kinds of things are not resolved in an hour. There's a lot of very mundane work that goes into things like this, that is not just pounding away at a keyboard and five minutes later, you have the answer. So, you know, I think sometimes younger people, I'm not trying to generalize, but I guess I am about to, even though I say I'm not, they seem to have a much shorter attention span than some older people may have had in the past. They want things to be resolved much more quickly. And if you're following CSI, I mean, even getting out of the cybersecurity realm, you know, they'll say, oh, we're going to do a DNA analysis, and then 45 minutes later they have it. It doesn't work that way, right? So, I think that following real people in the real world like that gives you maybe a better flavor of what it's really like to do that job.

Kevin Slonka  27:59  
Yeah, absolutely. I mean, that's probably one of the biggest misconceptions of our field. Students don't realize how tedious certain things are. And, you know, Mike had mentioned a SOC analyst. You know, a lot of people don't know what a SOC analyst is. The majority of your job is going to be staring at log files on a computer screen and watching for something that looks bad or malicious, like eight hours a day staring at lines of text on a computer screen. That's your job. Yeah. So, I mean, there are certain things that are very mundane, even in the computer science field, writing code. You know, I've had some students tell me that the assignment I gave them, they stayed up for 24 hours straight just to write this one portion of code, and then it didn't work. And, you know, bash their head off a wall like these, these things aren't easy, so patience is a virtue, right? Yeah, it's been a saying for how long, right? You have to have patience to work in our field, because nothing is fast.

Michael Zambotti  28:57  
Absolutely, it's like the crockpot versus the microwave. I think we're all of the generation, whenever you saw a commercial and something was advertised for $19.95 always, $19.95 always, and what was the delivery was, please allow four to six weeks for shipping. Yeah, it's like, branded into my brain every commercial $19.95 and four to six weeks for shipping. Now, if you order something online, you're like, if it got there in two days, you're like, what took so long. What do you mean, that's true. I've ordered stuff, and it's come same day. I really can't figure that one out. It's like, wow, did they know what I was gonna order? Maybe they did, yeah, but it is. It's that kind of compressing how things should occur and how things should play out. Experience is something that is important, and it's not something you can just get, you can't just, like fast-track experience. You have to get it over years. And, yeah, patience is key that concept.

Drew Thomas  29:47  
Yeah, you see all of these Home and Garden TV, like HGTV shows and things like that, where they renovate an entire house in an hour. And, you know, then people go out to the hardware store, and they buy a claw hammer and some nails and a couple of, like, you know, pieces of plywood, and they think I'm gonna completely redo my house with it. It doesn't work that way. It's made for entertainment.

Kevin Slonka  30:06  
I can attest to that firsthand, because everything my wife asked me to do, it seems like it's simple, like, hang a picture on the wall, yeah? Like, okay, that's five minutes. And then I learned that behind the wall was like a metal sheet that I can't put a nail through, and then I gotta go do, it takes three hours to hang a picture, yeah.

Drew Thomas  30:21  
And you're making several trips back and forth to the, to the store and, and your wife's usually looking at you like, you're the one that's wrong. And it's like, you don't understand what I'm running into here, you know?

Michael Zambotti  30:31  
Or you watch a YouTube video, and somebody did this in like, three minutes, and you're like, why is it taking me so long? There should be, like, a translator, how many minutes in the YouTube tutorial translate to real life, yeah, okay.

Kevin Slonka  30:41  
Normal person minutes, right? Yeah, that's...

Michael Zambotti  30:44  
Three hours.

Drew Thomas  30:44  
That's absolutely true. No, I really think that this is a good conversation to have for younger people. We just had a conversation with, with another guest about whether to go to college, whether to go to trade school, that sort of thing, and some of the pitfalls that come with, with both of those and paying for things and stuff, but it really is more important than ever, I think, especially considering the cost of higher education and things to know at least something about what it is you plan to get involved in before you start spending four years on a path that you then turn around and say, yeah, I just really don't want to do this. And to Mike's point, having as much information out there as is available to learn about what jobs and what careers look like in the real world is really invaluable.

Kevin Slonka  31:32  
Yeah, we had one student who just this past semester, graduated as a cybersecurity major, so four years in college, and then he realized, I really like healthcare. I want to go become a physician. So, now he's working on taking prerequisite classes to be able to get into med school. So, you know, there's another 10 years of his life, yeah, that he has to put forward because he made the wrong move. Right? Four years ago, he chose the wrong thing, yeah. So, yeah, you definitely want to put in the time. And you know, Mike had said human networking. We gave all those things that you can do, LinkedIn, YouTube, without actually speaking to people, but you got to speak to people. I mean, I know nobody wants to, right? Nobody likes talking to another human in person, especially whenever you're in high school, right? Yeah, you're very much an introvert, and most people are in high school, but you got to try to make those connections. You know, do your parents know people who work in this industry? Go talk to them, see if you can job shadow. You know, even though internships aren't really a thing in high school, high schools let you do job shadowing. You know, they'll let you get out of class for a day to go job shadow. Go do that as many times as your high school lets you do it. But you got to talk to people. That's the only way you're going to figure out what things really are.

Drew Thomas  32:46  
Ironically, I think that we are more connected in some ways and less connected than ever in other ways, because of social media, because of texting. Most younger people don't even like to talk on the phone. They would rather text you, and we look at that from a marketing point of view. There are people that would never want to text about a bank account question or something along those lines, and then there are younger people that that's all they want to do. And that presents a whole set of unique challenges for places like banks, because we don't want to put your information somewhere where someone else can read it, but yet you as a customer, that's how you want to receive that information, is via some sort of a technological medium. So, trying to strike that balance between giving people what they want, as far as convenience, while protecting their information from a cybersecurity point of view, is a really unique challenge as well.

Michael Zambotti  33:38  
Right. I think Kevin made an awesome point as far as if you're in high school, if you're in college, and you say, well, regardless if it's cybersecurity, whatever field it is, reach out, look and find what you can learn online. But reach out to somebody who does that job. Email them say, hey, do you mind if I come and spend a half a day with you? I'll buy lunch, you know, and try to give back to them. I'm sure they'll pick up lunch anyways. But ask, what can I learn about this field? Talk to people and having those conversations, you will learn so much. Often, we talk about security conventions is a great place to go and, and gather information about the security field. But one of the best parts of security conferences is what's called the hallway-con, where whenever people talk to other people, and it kind of strips away all the technology and just takes us back to that human interaction, you see in their body language, interacting with them and building relationships. And that's, you're never going to be upset because you built good relationships professionally, that you have too many people in your professional network. You're never going to say, oh, no, I just know too many people who do this job, yeah.

Kevin Slonka  34:36  
And a lot of times, that's how people get jobs, is just because you know somebody, it's because of the relationship. You know that that never really struck home with me until my wife got a different job in the medical field. And once you get to a certain level in the medical field, you basically don't get interviewed. Like, there's no job interviews. There's just, like, a five-minute chat with, you know, a doctor, if they like you, alright, you're hired. It's like who you know, and you know in other fields, it's the same way. You may still have to go through a job interview in the cyber field but getting to that job interview if you have a few connections, it's going to make life a lot easier.

Michael Zambotti  35:11  
Right, once you prove that you know your stuff, which you know you do through experience, a lot of companies will go to the airport test. Would I mind being stuck in the airport with this individual for four hours. And if they say yes, they're gonna hire you on. If not, you know, maybe look for other opportunities. But that human side of things, I think, is just so paramount and so important. And, you know, hopefully not fading away with technology, but maybe, hopefully we can use it to, you know, technology to enhance that. Absolutely. You know, one other thing that I would mention, we talked a lot about technical skills, we talked a lot about human networking, to me, and something that's emerging in the field is also having a good essence of or a good knowledge of the business that you're working for. How does it make money? One of the things that Saint Francis has done that I just am over the moon excited about, is we have added what's called a four plus one program with cybersecurity and our comp. sci. undergrad degrees with an MBA, where students can leave Saint Francis, graduate with their cybersecurity degree. In the next year, get their MBA, complete their MBA online, so they can be working and complete their MBA, and then they're kind of a double threat. They have the technical and they also have the business understanding. And, you know, I've seen a lot of people in the field. They're great, some of the most technical people I've known or have ever seen, just wizards. And they kind of cap themselves in progression career wise, because they don't understand the business side of things. And if you can combine those two, you know, something like a, you know, MBA program after your undergrad, you really do look to move up into the maybe the senior management positions of a company, which is a goal for a lot of people.

Kevin Slonka  36:48  
And that's a really good point that I can't believe we didn't hit on earlier, is the business side of things. There are a lot of jobs that you go to school, you get your degree, and you go work in that field, and that's all you have to worry about, is that field. That's not the case for our degrees, like computer science, cybersecurity, that is not the case for us, unless you go work for like, you know, Google or Microsoft, a big tech company. But most people who we graduate are going to work for doctor's offices and manufacturing companies and who knows what, right? So, yeah. I mean, you could be the most technical person, but if you can't talk to people, learn manufacturing, learn healthcare, learn finance, whatever business you're going to work for, you're not going to get promoted, right? I mean, yeah, you may be stuck at a certain level. I've known people who have been entry level help desk type people their entire careers, because that's, I mean, they're happy there, but they don't want to learn the business side of, you know, where they're working, so they just are stuck at that entry level job. Most people probably don't want to be stuck at a low salary for their entire career. So, you got to be able to learn more than one thing in our field. It's cyber plus, you know, whatever that plus is, whatever company you're going to work for, sure.

Michael Zambotti  38:04  
And also learn how to learn. You know, in the cybersecurity field, it is rapidly changing. We're talking about things now that didn't exist three, four, five years ago, and in three, four, five years from now, we'll be talking about things that don't exist now or have really changed. So, learning how to learn. You know, if you figure every two or three years, half of what you know is becoming obsolete, you can't just you know, learn, learn what you know and then forget it.

Drew Thomas  38:27  
Yeah, well, that's a really good point about even getting a degree like you have to start like your degree is your starting point at that point in this kind of a field, in my mind. You know, you're getting the basics, you're learning everything that you can learn, and you're getting that degree. But if you don't continue your education independently beyond that, you're right, you're going to get left behind very quickly when it comes to stuff like this. I mean, we're not, it would be an entire other episode to talk about this, but, you know, talking about even things like AI and some of the things that are going to be coming along the line with that. People five years ago that graduated, weren't being schooled very much in the concept of generative AI, or anything along those lines that is available now and growing, and nobody really understands how half of it works.

Kevin Slonka  39:13  
Okay, it was science fiction movies five years ago for AI.

Drew Thomas  39:17  
Yeah. And now you got, you know, the people at Amazon saying that their goal is to make their voice assistant be like the, the computer on Star Trek. You know that you can just have a casual conversation with it, and it's just going to know what you want. And that's, that's great, as long as you don't mind it knowing everything you want.

Michael Zambotti  39:33  
Well, and, you know, my thought about AI, you know, what is it? It's where artificial intelligence, which is run by what? Computer CPUs and GPUs, graphic processing units and computer processing units, and we think about what they're made of as silicon, right? So, essentially, with AI, we've taught sand how to think, as a society, you know, that's really if you can abstract away all the technology, we taught sand how to think. And we're in the infancy now. In five years, it'll be completely different. There's security issues, there's user implications as well, but we'll continue to discover them. But that's why you have to learn how to learn about stuff, because it's like changing the tires on a bus as it's rolling down the street. You know, we don't stop innovation so people can learn about it. We have to learn as we go.

Kevin Slonka  40:17  
Yeah, that's a, that's a very key thing there. You know, changing the tires as the busses go. And I've done similar things in my career numerous times. The people who have worked with me can, can tell some stories of, you know, moving a server across a comm room while it was on in the middle of the day. So, yeah, those things happen. But, uh, there's something that, you know, everybody should go look up, called the Dunning-Kruger effect. Have you guys ever heard of that? I have not, no. So, it is this uh, interesting study that was done that makes you look at a person's confidence in something versus their actual knowledge in that something. And that at the very beginning of that curve, your confidence is super high. You think you know everything, but you really know nothing. As that curve goes, as you start learning more and more, you start realizing how stupid you really are. You know, how little you know, until you get to this point, the point of despair, when it's just like, I know nothing. And then all of a sudden, you keep learning, and you start realizing, okay, I get this, and you start going back up the curve. But we see that with so many people. You know, the overconfidence, but then, you know, the more they learn, they realize, oh, man, there is so much more to this, and that's exactly what our field is. You could graduate with your cyber degree and think I got A's in all my classes. I am good. I can do this. But then once you get into the real world, you quickly realize how little you know, and you have to keep learning.

Drew Thomas  41:43  
Do you see, kind of what we were talking about before, as far as you know, truly understanding what goes into stuff like this, the sort of the, the monotony at times and things. Do you see that in students like, do you see freshmen coming in thinking that they're going to be the next, you know, Mission Impossible, you know, hacker or something like, they're gonna be changing the streetlights or, and then they realize it's not that? Like, do you see that with students?

Kevin Slonka  42:05  
All the time, yeah.

Michael Zambotti  42:06  
Yeah. Occasionally, there's, there's all types, though, and that's the great thing about the field. All types in the field. There's people with that attitude, there's other ones that, you know, say, well, I just don't know anything, and I want to, I want to learn everything I can. I want to learn the entire field of cybersecurity. But I love Kevin's example, and it's kind of like whenever we think about driving. You know, everybody's an expert, right? Everybody is above average at driving. Everybody that drives faster than you, is a maniac. If somebody's driving slower than you, they're a slowpoke.

Drew Thomas  42:33  
Yeah, that's a good point. That's a very good point.

Kevin Slonka  42:37  
Yeah, there's, every so often I'll have a student, in some of my classes, I give students a lot of freedom on how they use their time. If they want to not show up to class because they think they know what they're doing, sure. You know, I'm not going to dock attendance points for that. You do you. But, uh, for some students, it takes getting an F in a class to realize, oh, I should have shown up for the semester. I should have done my work. Yeah, yeah, so you'll generally have those. I think we are lucky; a lot of our students really want to learn. But you always have the people who are just overconfident. There's nothing you can say to them, yeah, so bring them back down. They have to learn it on their own.

Michael Zambotti  43:13  
Self-discovery is the best teacher. Yeah.

Drew Thomas  43:16  
Well guys, this has been a very good conversation about this, and I think that for anybody that might be considering this as a career, while there is a lot of potential to earn a high income, while there is a lot of potential for getting into, you know, finding open positions, right? You know, there's not as much call for blacksmiths as there used to be. There's a lot more call for stuff like this these days. But just understanding that there's a lot more to it than what you might necessarily think if you're a sophomore or a junior in high school and taking some of the advice to sort of learn about it and get in, get involved in, following people online, following people on LinkedIn, YouTube, that sort of thing. I think those are all really, really great pieces of advice that really don't cost anything other than some of your own time to investigate.

Michael Zambotti  44:03  
Yeah, and I would say also, for anybody that's in high school or in early stages of college, don't pick a career based on money. Because eventually, no matter what the money is, if you're not passionate and excited about it, it's going to become a grind. It's going to become something that you don't like to do. You have to do it for the next X number of years, right? And if you do want to pick a career based on money, work on your three pointers. Those basketball players make a lot of money.

Drew Thomas  44:29  
Not as many openings, though, right?

Michael Zambotti  44:31  
Yeah, exactly, but yeah, if you're solely focused on money, you're going to really, I think, disappoint yourself. You know, future you will not be happy that you made decisions based on only money. You know, think about your passion, think about your purpose in life.

Drew Thomas  44:43  
Agreed.

Jeff Matevish  44:44  
Very well said, yeah.

Drew Thomas  44:45  
Thank you very much, guys. Appreciate your time.

Michael Zambotti  44:47  
All right, thank you.

Kevin Slonka  44:48  
Love being here.

Drew Thomas  44:58  
This podcast focuses on having valuable conversations on various topics related to banking and financial health. The podcast is grounded in having open conversations with professionals and experts with the goal of helping to take some of the mystery out of financial and related topics, as learning about financial products and services can help you make more informed financial decisions. Please keep in mind that the information contained within this podcast, and any resources available for download from our website or other resources relating to Bank Chats is not intended and should not be understood or interpreted to be financial advice. The host, guests, and production staff of Bank Chats expressly recommend that you seek advice from a trusted financial professional before making financial decisions. The host of Bank Chats is not an attorney, accountant, or financial advisor, and the program is simply intended as one source of information. The podcast is not a substitute for a financial professional who is aware of the facts and circumstances of your individual situation.

Drew Thomas  46:00  
While choosing a career solely on the basis of availability is not recommended as the ideal way to be happy, healthy, and fulfilled in your professional life, information security is certainly worth a look if you have a passion for technology and strong attention to detail. Even entry level positions typically offer above average salaries, and the potential for upward mobility is enormous. Plus, it's a great way to help people by being a digital protector. Maybe that should be the next Marvel or DC comic superhero. In any case, we want to thank Kevin Slonka and Mike Zambotti for joining us today, they've really become good friends of the show, and we appreciate them. I also, as always, want to thank Jeff Matevish for his skills in producing the show. AmeriServ Presents: Bank Chats is produced and distributed by AmeriServ Financial Incorporated. Music by Rattlesnake, Millo, and Andrey Kalitkin. If you aren't yet a subscriber, you can find us on all of your favorite podcast services or on our website at ameriserv.com/bankchats. For now, I'm Drew Thomas, so long you.


They’re back! October is National Cybersecurity Awareness Month, so, we invited our friends from Saint Francis University, Kevin Slonka and Mike Zambotti, to chat about careers in Information Security. With technology ever evolving, and the digital world growing exponentially, the need for Information Security experts is also rising at an incredible rate. Join us to learn what it takes to protect our digital world, in this episode of Bank Chats.

Credits:
An AmeriServ Financial, Inc. Production
Music by Rattlesnake, Millo, and Andrey Kalitkin
Hosted by Drew Thomas

Saint Francis University: https://www.francis.edu/
