90% of cyber security is convincing other people why they shouldn't be dumb. The other 10% is convincing yourself you're not dumb.

I totally agree. I was "influenced" that you need to know kali linux, wireshark, Splunk in order to get into the cyberspace. I literally had blinders on for a year thinking I need to be technical. People say you need to know your OSI model - yes you should know your OSI model, if you're in a department that needs it. I just obtained an Internship, and it is the complete opposite of what influencers envision cybersecurity. Cybersecurity as a whole is the protection of a service or organization which means a lot of meetings, collaborating with different teams, thinking bigger picture, and projecting where your company will go. There are departments like an internal / external SOC, Triager, IR, CTI. These departments do exist - but do not think that these are the only ones. In fact, these are a few of many inner pieces of a company. I just wanted to shed some light. To people getting in, dont limit yourself with the technical stuff. YES they are good passion projects to show companies that you are interested in the field, but don't go thinking that is exactly what you'll be doing for your 1st job. If you've applied for a specific job (i.e SOC) and want to look at network packets all day as your first "entry" job - the chances are slim. Same for certifications - whatever influencer you follow that told you to get sec+, CCNA, A+ are right. However, know that certification does not equal job ready. Maybe (CCNA is), but for the most part HR just put that in as a requirement. I have my Sec+ and so far, I haven't actually implemented the terminology into my workday. Be open, be communicative, and be willing to learn. Thats all I have to say. Keep grinding, keep applying, but know that cybersecurity is more than just technical red teaming. rant over yall

If I could give advice to myself when I joined Tech, I would say 2 things. The first is, every company is different. The way your first company configured a domain controller, or collected logs, ran table top exercises etc: doesn't necessarily mean it was done the best/right way. It was done in a way that solved a problem for them at the time. Rarely in technology departments are systems designed long term, they are usually designed because of an urgent need. Learn to live and die by best practice, but understand there is times when that isn't going to fly. There is never a time to tell someone I told you so. The second lesson I would tell myself, is when in meetings with people who instill confidence, and clearly know what they are talking about, double your focusing on listening. Just don't wait for your turn to talk. Try to understand the concepts, ask questions, and be dialed in. There is a lot of nuances in cyber security that you can only understand if you are really dialed in every single day.

CISO checking in. "Cybersecurity" these days is a very broad term and is more than just hacking which seems to be what most of this video is targeting. There is security risk and compliance, third party risk, security operations, security architecture, security engineering, devops security engineering, just to name a few outside of hacking. It is challenging field but who wants a brainless and easy job? The pay is high and one can often work remotely. There aren't enough people in the industry. It's an excellent field. The threats are always evolving.

Programming is exactly the same. Everyone thinks it's ping-pong tables and free lunch, but there is a huge emphasis on project management and people skills. Those skillsets are more important to your job security than being a great programmer.

Wow, what a disappointment! I thought I'd be dressed in all black, wearing high speed hi-tech comm gear, breaking into a highly secured building in the dead of night to hack the file system of a high value target and then being extracted off the roof via a helicopter. Back to the drawing board for me.... But in all seriousness, I'm glad you addressed this Grant because a lot of what I see presented in the field is the red team "rah rah" attack/pentester side of things. Personally, I'm more intrigued by working in a SOC as a malware analyst. Those video views are far less juxtaposed to the red team content for sure!

As an engineering student in a much different domain but interested in computers and security in his free time I have to say I really appreciate your realistic approach. I’m just sick of flashy overhyped content going after clicks with buzzwords. So thank you for the videos Grant

Trust me when you're in a security consulting company doing all types of assessments, Pentesting, Red Teaming, Purple Teaming, you really won't get much time to research. You mostly get a 50 hours assessment. The only time you get to do some research is during the downtime. If you are good at what you do and you put in effort to learn new stuffs and if you actually manage to break into the industry, you can do most of these things. And yes reporting is one of the most important things when it comes to consulting.

A lot of “cyber security” is just company IT policy and enforcement. It pays well if you work for the DoD and have certificates.

I'm working an internship this summer in InfoSec and I've been shocked at how little college has prepared me for the real world in InfoSec, you learn the basics of all the tools and Linux and all that in school which is all essential and very good to know, but once you get there you end up just using vendors and enterprise level tools that you've never heard of that do a lot of the dirty work for you unless you are a pen tester or red team...even then there are red team tools out there that automate testing your security controls. But one of the big aspects I've never heard of in InfoSec until I got a job in IS, is threat intelligence and threat hunting, before this job I had minimal if any knowledge on what that's all about. Though if I'm being honest it's really intriguing.

Take the CISSP to really understand what a mile wide, inch deep means. Red teaming is 1% of the overall cyber ecosystem.

Yes buddy i even so i was searching for proper content from past 5 years when i was in 10th grade but 80 percent of videos are just focused on hype .

I work in cybersecurity and I have little to no technical skills or knowledge. But I can write, speak well and make problems understood by executives.

Just a few months ago I got a security engineer job and it did also open my eyes to how the day to day really is on a higher level. I agree with every bit and you hit some very good points. SOC work is fun to me with analyzing incidents and even finding ways to automate on a SOC level. But with my engineer role I find it way more fun and pleasing building infrastructure and tools rather than the glorified pen tester side. I believe people need to find there NAC in what they like within the umbrella that cybersecurity is.

I kind of figured that there was a lot of bull with the way some people presented cybersecurity. At my age I am just wanting to do something where I can make a living with what is between my ears a bit more than having a strong back. A back that isn’t so strong anymore. The investigation part is what seems neat to me. Tracking the bad actors to their den that and taking them down is more like what I have done in the past just with a swat team and not a keyboard. That and after being a Paramedic for 30 years I want a desk job.

Agreed. Red team is a very small sector of the cyber landscape. Accurate representation is necessary.

Step 1: Get job in cyber security. Step 2: Watch out for the hype. Step 3: Ride the hype.

"You work with people". I really dont see how this could be used as a disadvantage of cyber security when I can count on my hand the number of jobs where you never interact with people. Classic "water is wet".

This is so true, my masters classes were pretty much Kali Linux all day long and when I got to corporate they told me that's only available up north in DC area and a small part😤. Needless to say I was disappointed. But it's all good. Live and learn

Cybersecurity…where you will be told by an auditor with no experience in Cybersecurity or IT everything you’ve done wrong , and management believes them.

Well said Grant, a good dose of reality to the people who are wanting to get into Cyber.

A few years ago I worked in IT for a small company. A few months in we hired a Cyber security guy and he ended up sitting next to me in our cubicle department so I would witness his daily life. Really great guy but boy, was he stressed out every day. He was up every night getting paged for cyber alerts on our systems. Then he would come into the office and the head of our IT would constantly pull him into meetings with execs, engineers, Dev ops guys. Then he would be slammed throughout the day with tickets for systems needing patches, compliance updates. So much bullshit. He ended up leaving after about 5 months to a better shop but it def made me realize cyber security is not a fun job.

My girl has been in cyber security for years. She's a higher up now makes tons of cash and can't write a single line if code. Coding is not needed for this role in reality.

I've been a software engineer for 12 years now, cutting code from the front-end all the way through to server and DB and understanding everything in between. I considered moving into security but after doing some research into this switch, I realised that being a developer allows me to be my own 'artist' - im as limited as my imagination and can start up my own gig. Being a security analyst or a related role, require you to be employed mostly and you're limited by the set of tools you use. It just doesn't feel as unlimited as being a dev does. Also - im from the UK and earning potential is around £50-100k for most senior dev jobs.

The hype part is the “Hacking”. people have to realize it’s a ton of research & digital forensics behind cybersecurity including risk mitigation/incident response & SIEM monitoring . I love the blue team aspect but the engineering side is where I live & breathe.

I got the idea to make a career out of computers because of cybersecurity, but the more I got into it, the more I realized I didn't like using things in their non-intended way, I enjoyed creating things and fixing things back to their original intention. Have a nice career in IT now and learning little bits of Javascript as well.

You're transparency and humility just earned my subscription. Gracias amigo!

2 main areas: Defensive and offensive. Like an R6S game. Attacking an area (offensive) while being like a server. Defensive, penetration testing to test your defensive. The also in defensive, building your DNS or strengthening your proxy to prevent people penetrating into your servers or what ever you are protecting.

How to get a job in cyber security in the US: 1) Have a basic understanding of network administration. 2) Have a family that passes the NSA profile check three generations deep.

It's hilarious that Collin's youtube page wallpaper is him doing "ls" on his duo monitor.

I got my first security job about a year ago and it is a lot different than what I thought it was going to be but I do enjoy it but I'm mainly doing patch management fun lol

12 hour a day entry level Cyber employee here. Spot on

Video stopped moving @1:22 Hacked.

The sad thing is, a lot of ppl that fall for the hype don't want to know or care about the fundamentals. They just want to be a hacker because it's "cool" or hype and hack their friends social networks (or at least that's what my commenters want...)

You're probably the only youtuber that uses the most realistic video thumbnails.

sir, when you read this comment, I totally agree with your view of how cybersecurity is so totally overhyped. Report writing, working with people, knowing the fundamentals sir. You nailed it. See through the hype sir. Good job

this is why i am not interested in the "hacking side"/pentest roles like over burnout/stress , no flexibility , can be boring , always being paranoid staying 24/7 on the latest cyber news even on off days not if this just for hacking or its just cyber sec as a whole and all the other things/subfields ???? .This is why i am switching to or want to do cloud sec engineering or software engineering seems less stressful

I agree. Behind the glamor is a lot of hard work and frustration. Many days that have nothing exciting at all.

if cybersecurity is about experience and hands on then it's cheaper to recruit ex hackers from prison than from university.

I mean you say this but my first job was web vulnerability assessment where I was effectively literally hacking all day. Currently I'm a red teamer and do the whole shebang - penetration tests, physical security, social engineering. It is effectively hacking all day except for of course report writing etc which can't be helped. So yes not all of cyber security is about offensive side and hacking, but the way you present it makes it sound like that's not a thing that happens - indeed you put in your title "it's not reality as a career". For me it absolutely is reality, I do spend most of the day sending malware, searching for and exploiting vulnerabilities and misconfiguration s, poking round file systems etc. It absolutely can be reality as a career provided you go down the right path. If you pick SOC or security engineer etc then yeah that won't be happening but do an offensive type job and it will

Not sure if it is just a coincidence, but the few videos I have seen of you, I just listen to complaints about the career. It is discouraging for people wanting to learn and get tools and advices to move in this profession. I am not saying that everything is perfect in cybersecurity, but I have seen a dozen of others KZbinrs motivating others to get into the profession. Words like "worthless, hard, burnout, regret, myth, etc" are common to find in the titles of your videos. It is good to listen to others saying how hard it could be to face any specialization of the career, but too much pessimism is really boring in my opinion.

Great content all around! My favorite part of this video is you taking accountability for "almost" falling into the false marketing approach as well. I agree with everything you said. Some "known" content creators are not doing a good enough job of properly guiding individuals that wish to enter the space. And those that are - lack the viewership they deserve.

so do you NOT recommend getting into cybersecurity?

Cybersecurity is what you make of it, I love it.

As a new security engineer, I fully agree with the points in this video individually. You should not expect to be red teaming, unless you’re specifically hired to do so, which I understand is fairly uncommon, unless you’re hired to a assessment/pentest vendor. Most of my job is meetings for learning tools, project updates, and interfacing on behalf of the less technical/security oriented people. There are tickets and alerts that I deal with, but those do not involve much beyond basic reconnaissance, if that. As I see it, I was hired because I understand data security fundamentals, I can understand tools we need to secure our assets, and I can communicate the important information that comes from those tools in a way that is understandable to whoever needs to understand it. Sure, as you climb higher, you are more responsible and focused on one aspect of the org. However, as a 2nd year security engineer doing sec ops stuff, this video is pretty close to how I’d describe my job.

I literally love the thought of sitting all day doing tedious work. I'm weird but it's what I'm looking forward to and hoping for. I am stating to feel better that my chances of getting that type of work in the beginning are good

I will talk from my personal experience. I'm from Spain and I'm 27 years old at the moment. I've studied a Computer Science Engineering degree (with a computer major) for around 6 years, and right now I'm doing a Cybersecurity master's degree that lasts one year (I'm close to finish it with a mean of 9,2 in my grades). Currently I'm doing internship in a semi-known enterprise in my country for 3 months, and before I ended it they already had an interview with me and offered an undefined job agreement with them (a salary of 24k~, which is pretty much fine for an unexperienced person in the sector as I am). I don't have certificates, but I'm studying Certified Red Team Proffesional (CRTP) and CompTIA Security+. How did I do it? I worked extremely hard for it, and I showed that I had a good mood with everybody in the team and interest in learning and growing as a proffesional. They would command me to do stuff that I had absolutetly no idea of what the terms were or how could I solve them. At the end of the journey, I was happy leaving because I self-taught new and actual stuff that could be found in the cybersecurity world and not just some extremely rare stuff that you could find in a PPT slide. Even if I couldn't find info of something, I would ask to a senior that could answer or teach me if he had the time to do it (later in the interview, I would know that this was actually something positive from a proffesional perspective, because I was interested in acquiring knowledge the right way, and not just doing the work ASAP). What I mean with all this block of text is that not overthink it too much. Show that you're a competent and interested guy. Don't make lies about your CV and don't tell that you know skills that you actually can't manage. Summarizing, have passion for what you are working on, never stop self-teaching new methodologies/technologies. You must not see it as an obligation because that will make all the process as something extremely infuriating, frustrating and boring. Enjoy the journey, because every second you are investing in this, it's time that you put in yourself, and in no one else.

I knew your channel was worth subscribing to, thank you for your honesty, time, and effort.

Ofc blue teaming doesn't get as much hype as red teaming, because hacking systems is way more exciting and fun than reading and filtering log files with your SIEM, lol.

If I hack into fortune 500 companies, why would I want a high salary? The logistics here, just don't add up.

Please anybody tell me what is the starting point of this field?if someone is not in IT field previously..

Totally agree with you, today there's plenty of areas within cybersecurity where people can work in without knowing it all. Also agreeing on the BS, I'm super tired of companies trying to sell me another snake oil solution, while you have amazing FOSS projects that do the same for free. I love two statements in your video: security is also a culture issue and is hard work, that's sums it well. As someone who works on protecting, you need to make sure everything is safe, while attackers must find one meaningful vulnerability, is tiresome.

Hahahaahha the thumbnail had me dying. I often get called out on my perplexed faces when troubleshooting some stuff, this is so accurate it hurts 😂

Just found your channel through YT suggestion...glad it did. So, I've been doing IT stuff for the better part of 20 years and I can see the 'overhypeness' of CyberSecurity for sure. I cannot count how many times I've heard people complain about not understanding why they even need to understand fundamentals and when can they start hacking all the things. Everyone wants to hack everything, no one wants to spend the many hours writing SOPs. 😆 Love the work.

found your channel 1 video ago, this is my 2nd and I'm so happy that I found you :D I love the quality of your video content and your philosophy or approach to things, especially the perspectives.

I am intererested in getting into Cybersecurity. But feel I need more info regarding this potential career. One thing I learned is that, there are no easy jobs in this world. Even sales related work is highly stressful dealing with people everyday. Probably will need to really enjoy the work to thrive.

I'm a software engineer and I work in enterprise and I see "old guard" style of cyber security being the biggest problem especially when it comes down to innovation. Having cyber security as its own team, in their own silo is a huge problem IMHO. As lots of product teams are in their own "start up" style small teams, the obvious bottle neck when it comes to speed to market with product development is cyber security telling you no all the damn time. What we need is security specialists integrated with the rest of the enterprise, at least one per team, that can work alongside the team and make sure we are not creating vulnerabilities and are implementing best practices concerning security. While of course, SWEs are versed in cyber security, they do not specialize in it so having someone who specializes with it working along side us would be of great help. "old guard" just likes to implement strict rules that on paper make sense but just cause people to circumvent the rules doing stupid things.

Cybersecurity Engineer work or the DoD type Information Systems Security Officer is mostly administration. It is NOT what I had pictured. I wanna just go back to networking now.

blue teaming gets plenty of traction but also is more about the business and best practice side of things which generally inst as interesting. Some of the sources you put out who talk about red teaming also talk blue teaming. The thing is what you say is the number one issue we have: The focus on trying to make the money without even having the general interest.

I been using Ghostery for years now. I have not dug to far into it, in fact it is pretty easy just to set it up and forget about it, but it seems to work good actually.

Not sure why I didn't get to see this video a long time ago. I could at least send this to people who were desperately trying to get into this field. I've been in this industry for over 12 years and people actually do not believe that half my job is negotiating stuff with people for all the controls which I've to design and implement. The only saving grace and your sanity holding by a thread is a regulatory body. Without them, people would be scream and kick and ensure that there are no process or tech involved in solving any security problems. A lot of the useless "techfluencers" have messed up security for everyone. Keep doing the good stuff.

Such an important message. Thank you!

The other issue I have with this field is that the job market is HORRENDOUS. So many big wig company's posting "entry-level" positions that require 10 years of experience in IT and between 2 and 5 expensive af certifications. I have a love/hat relationship with cyber security.

...this is good content...I work for a DoD agency as a project engineer....each major section of the organization has adopted a cyber group...you're right...it's a lot of hype...talk, talk, talk...sometimes I feel like I'm listening to Alan Greenspan..."I know you think you understand what you thought I said..." Policy-driven...inserting requirements into every project...the main thing I hear is "who is the owner"...basically, it's driven around obtaining mutual consent that when something breaks, who's to blame, and who's going to pay for it...Thanks Much...;-)

I think a lot of what people think Cybersecurity is, boils down to marketing.

Cybersecurity isnt supposed to be flashy, as a matter of fact, its one of 6 spaces where the United States is unfortunately 3rd compared to Russia And China. Nothing is cool about finding out vulnerabilities, nothing is cool about being hacked, nothing is enjoyable when the bad guys are the ones having fun. So Grant, in one way, I feel like your message is that, not everybody is going to love this job, there are things that you don’t like to do but you gotta do it because its part of the job that you chose to pursue. Its always been a dream of mine to do vigilante work and in one way, being the Ludacris of Fast and Furious or the Interceptor comes in when your working in a senior level. You gotta start from the bottom up, if you gotta do what you gotta do, do it. Expose yourself now, read and research as much as possible, be more efficient with your time and with what you ACTUALLY need to learn and how to learn it as simple as you can. Everything is at its time, 5 years ago, you were probably jacking off, playing video games ; 5 years later , you are an amateur cyber security analyst. In the next 5 years, you’ll be a professional, whether you have the certs or a degree to prove it or if you’re self taught and can program code as fast as George Hotz, you still gotta chase that person ahead of you. So yeah cybersecurity is worth it, can be boring at times.

3m8s perfectly sums up my average day in Sec-Ops. That is until some idiot does something stupid like download malware. I've often noted its 95% boredom, 5% adrenalin rush \ panic.

It’s technical and Analytical by nature! You must do the research to provide cyber Aid, yet sometimes it’s just setting up layers on security apps and config settings to mitigate potential Or inevitable Threats! This is not a shock it’s always been much more than red team hacking and cracking that you see on TV.

Thank you soo much this video helped me making a big choice in my future job

I know this isnt everything in a job... buuuut pay is not to bad especially out of college

I agree with everything in this video! People these days look like something but they lack substance, smh.

Ok, alot of truth in this - but it really depends on where you are in the biz. I've been in this for 25 years, and there *was* no "hype" when I started, because there was no real industry yet. But at this stage I spend about half my time breaking sh*t (usually proprietary apps), validating things analysts have escalated, and doing write-ups about threats, remediations, etc. But is it a scene from The Matrix? No obviously not. But it's not spreadsheet engineering either. It really depends, but you're not gonna get there unless you really do know your sh*t. A CISSP does not represent what Real Cyber Nerds respect.

I have two questions on the subject: 1- In 10 years, can AIs replace or take over many vacancies in cybersecurity? 2- Do you think doing comptia+, NDE, DFE, cloud+ would already be enough certifications to enter the market as a junior? what salary to expect?

Adam Jensen... 'Deus Ex Guy' is the job we are looking for

thank you for finally being honest, not like one of those generic Insta posers that just want an audience!

I don't know when it became red team / blue team. It was always White Hat / Black Hat. :)

Very good video it has been a long time since i saw your video

These cyber security "influencers" had a real impact on people getting into cyber security. But in reality, they fail to tell people getting a job in cyber security is not as easy as they made it out to be. Employers are more concerned about experience than certifications.

This doesn't apply to just cyber security but programming in all industry. You won't be writing or creating complicated and elaborate apps or programs that will change the world. As a java developer that was working in an ETL team for citi Bank, my first job was to write a couple of loggers or add a couple of fields in

It’s very boring sifting through tons of logs

I have been waiting on someone to call those turds out for A WHILE 🪬🤔💯 NICE Grant 🚫🧢

"It's not reality as a career"

I work cybersecurity but I’m not a hacker so very true but I’m doing really well financially and working from home, yes some people are pompous but I’m pretty happy, I’m sure people have those days but more for me

This is a good message for people. Thanks

Good points, decided to create my channel after I saw some crap youtube influencers who clearly have less than 18 months selling bs courses and spewing crap.

Not to mention that as a cybersecurity Analyst, you will need some degree within software development.

Finally, someone being truthful

Great video, Grant! I was part of the hype, in a way, but I kind of knew we weren't going to be wearing masks, dressed in black, etc.. to this day it is funny to see adverts to cybersec courses or hacking courses with the typical guy dressed in a black hoodie, typing those enigmatics green letters into a black screen, being all mysterious. haha anyway, your video is pretty necessary still.

Red teaming is a hobby, blue teaming is a job. That's my limited experience in cybersecurity.

My only question is Does it pay well? Yes? Im in

As a ISSO that wants to lean more to pentesting I assure you RMF/GCRC is boring and complicated. Alot times dealing with project management and other stakeholders a lot of compliance and auditing.

1:55 , wait, people actually think that is what cybersecurity is?

Great video 👍

cyber security people suppose to work themself out of the job , by that I mean focus on removing resolving the need of cybersecurity instead of firefighting mitigations. Yet, we see the booming of cybersecurity just like our modern medical system where the amount of dr and patients go skyrocket. Cybersecurity should never be about 'I can do 1337 hack and you cant. So you better listen to me...' that sort of thing.

I work for a big global company. And I have no idea that why nobody is willing to talk about the Ethnic and Racial bias in IT Security industry. For example I have yet to meet a Black IT Security expert. Similary I have met many Arab sales representatives, but other than that they will get difficulty finding a job as IT Sec Consultant (outside of Middle east). This industry is dominated by Whites and Indians. Then at 3rd spot come Israeiis. If you are a Black guy or a person from Arab or Muslim countries then simply dont choose this profession (do it if you are a Female) as the odds are heavily stacked against you.

IMO 'cybersecurity' became a hype-thing when government and VCs found a new shiny object to dump money on, that was really a collection of tasks that 'normal' system administrators did as a matter of routine. Systems have become more complex (often not for the better, for some definition of 'better') which has led to overspecialization, buzzwordism, and credentialism, for work that is in the main still bookkeeping, verification, accreditation, and soft management, that your average mainframe system operator from the '60s moving magtapes around would recognize. There really aren't that many kewl operator "Red Team" type or basic research (i.e. not 'exploit finders' but new technology) groups around, fewer still that are actually competent, and none of them wear black except to pose at DEFCON with fake four tube night vision goggles & LCDs attached to the optics. This isn't to say the 'standardization' of buzzwords and process isn't all bad, but with the buzzwordology has come legal- (and profit-) motivated bureaucracy that infects much of the work, as with any safety, HR, & financial compliance work that corporations have to perform to do business.

I’m been a controller/finance and want to switch over to cyber security. I’m 56 years old. I know anything is possible but interested in your thoughts.

Man you’ve been staring at the screen to long. Those crazy eyes are coming out

thank you so much for being real

Thank you soo much , highly appreciated