Brakeing Down Security

February 3, 2016

Podcast Episode: Brakeing Down Security

Welcome to Season 2 and Episode 15 of the Building a Life and Career in Security Podcast.

Today’s guest is the Brakeing Down Security Podcast team of Bryan Brake and Brian Boettcher.

Both met while working at Xerox and became mentor/mentees in helping grow their own security careers. As they were trying to learn security themselves, they realized that by recording their conversations together they could help others. And the Brakeing Down Security Podcast was born.

Bryan Brake: Somebody from Apex, it was one of the recruiting agencies, said “hey, I got this job at Xerox.”

I said, “okay. What’s it about?”

They said, “oh, they do vulnerability management and stuff.”

I said, “okay, I know how to do that.” So I interviewed with … actually, this is where Mr. Boettcher comes in. I actually interviewed with Mr. Boettcher, and we hit it off immediately, because I was like, “oh, hey, his name is Brian,” and I was like, “man, how am I ever remember how to spell his name? I mean, how do you spell that?” And, yeah, they hired me, and I learned as much from Mr. Boettcher as he thinks he did from me.

Intro/Ending: From the JaySchulman.com studio, this is the Building a Life and Career in Security podcast. Now, your host, Jay Schulman.

Jay Schulman: Hey, it’s Jay and welcome to season 2 of the Building a Life and Career in Security podcast, the podcast where you get to hear other information security professionals’ career journeys.

Last week in episode 14, we had Martin Reyes on the podcast talk to you about his journey from manager at a big bank, including being laid off. Great, heartfelt insight from Martin.

If you’d like to keep up-to-date with the podcast, text “security” to 33444 to be added to the podcast mailing list, and just as always, we only capture your email address, and not your phone number. No one is going to be texting you.

This week on the podcast, we have an absolute first. We have the [Brake on Security 00:01:26] podcast team joining us. That is two guests in the same podcast, Bryan Brake, and Brian Boettcher. What I really enjoy talking about both Brians is how you can see them constantly learning from each other, not only in this podcast interview, but in their podcast that we’ll talk about, the [Brake on Security 00:01:42] podcast, makes for a really interesting conversation. Here are both Brians’ journeys.

Brian Boettcher: All right, my name is Brian Boettcher. I’ll begin with my college life. I started as, I wanted to be an electrical engineer, because that’s kind of where the money was at the time I was going into college. I was good with technology, and so I was like, “okay, I’m going to be an electrical engineer.” So, I went to a major university, the University of Texas, and I started there. I did pretty well the first couple of years, but I kind of wasn’t really what I really wanted to do. I couldn’t find that passion, right? So, I figured, “if I don’t like to do this, maybe I should really do something that was completely different.”

So, I applied to be an English major, and I was accepted. Here I was, did a total 180, and I was in the English department. I liked being in the college of liberal arts, because it was completely different people that I became friends with. Literature was cool. But then, when I started writing my papers, and my opinions on certain books, the TAs would just totally annihilate my writing. They would say, “no. The author didn’t write this because of what you said. They wrote it because of this, I mean this is the standard.”

And I said, “well, you know that’s your opinion, and this is my opinion.” My grades suffered as a result. I guess I didn’t fall in line with the agenda of their standards at the time, I guess. So, I pretty much quit school at that point, and got a job. I had gotten married. At that point, putting my wife through school.

Then, when she was done, I finally decided that I would get into computer science. Luckily, the university let me back in. I don’t know why. I mean, I didn’t have good grades in the department of English at the time, before I left. So, I probably had about a C average, but hey, they let me in, and I excelled in Computer Science. I did really good at programming, and then I just worked my way through there. I wouldn’t say I aced everything, but I did really well. I took really hard classes, and I got through. I got my degree and got my first job. It seemed like an upgrade for me when I got my first job because my teammates were at my same level or above, and I was like, “this is really awesome. I get to do something that I’m good at, and work with great people.” It was that passion for learning that kept me going to work every day early, staying late, and really excelling at my job.

I got into management for a little bit. We started an operations group. I was kind of a level 1 developer, software support, at that point. Did a stint at management, and did a few other jobs at the time. I think I guess I became a subject matter expert at that point, because I had been at the job so long. They chose me to be on a SWAT team for PCI because they had failed an audit, or they had been given 90 days to get their act together. So, that’s when I first stepped into security, and I liked it so much, I told my boss, “hey, I may like to do this some more.” So, he gave me the choice, and I took it. At that point, I found a new passion.

My level of knowledge in security just increased, I mean it seemed like it doubled every day. I guess it really took off when we hired Bryan Brake. He came on, and got me involved in the security community at that point, because I really didn’t know anything about going and talking to people like-minded in the community, and networking like that. I think that really changed my approach to security.

Then, we started doing the podcast, and it just accelerated at that point as well. I started doing more and more on my own, on my own time, learning more and more about security. What makes organizations more secure, and compliance, and all the little knick-knacks that come with it. He encouraged me to get a CISSP, so I did that. We went into … took a SANS course, got the SANS certification, and I guess that’s pretty much it. That’s where we are today.

Jay Schulman: So, kind of pick us up Bryan Brake. It’s not only do we have 2 people on the podcast today, but we have two people named Brian. So, pick-up where you’re inserted into that story. Tell your career journey, and kind of connect the dots.

Bryan Brake: Okay. Well, I am very unconventional from where I came from, but from what infosec people tell me in the community, it’s pretty much about spot-on. I’m going to start a little further back, in high school. I did not do well in high school. I grew up in a small town in Missouri, and I didn’t fit in. I was the kid who had a group of friends playing Dungeons and Dragons, or Battle Tech, RPGs, during lunchtime. Very much a fan of those kinds of things, and in middle of Missouri, that was not something you did.

I did not apply myself in high school, and ended up graduating only by taking a night course in contemporary issues, because I did not have enough credits to graduate high school. My mother at that point, God bless her, such as it is, told me that the only way I was going to make something of myself was to either go to the Army, or go to the Navy. Because I did not wish to be … I didn’t look good in green. So, I thought maybe I should join the Navy, because I had a friend of mine, he joined. He’s actually Senior Chief up here at [Bremerton. 00:08:19] He’s just about to retire after about 17 years of active duty.

I joined the Navy in 1997. November 17th, as a matter of fact, and I was … if you’ve ever been in the Navy, you know what a [3-O 00:08:32] sailor is, and what a [4-O 00:08:33] sailor is according to your evaluations. I strived to be a [3-O sailor. 00:08:39] I did not apply myself. I was a square peg in the round hole. I was a free-thinking person who openly questioned orders. I actually went to NJP, non-judicial punishment, a couple of times. Thankfully, I was let off with a warning both times. I did not have any reductions in rate, or any naughty bits happen to me. But, I was trained as a weather observer, an aerographer’s mate, if you will.

I had an aptitude for computers. My mom had got me an IBM clone, and I was running DOS 4, DOS 5, 622, taught myself [besch 00:09:15] scripting, batch file scripting, and basic programming. My grandfather had given me some games like the Orb of Zot, which is like Amulet of Yendor, and those kinds of things, text-based games that you could play. I had figured out how to go in there, look at the code, and actually hack them so that I could do things like cast the death spell without having to worry about whether or not I had a higher intelligence in the monster, and could defeat the monster. I had the same kind of aptitude.

I remember there was an instructor in my A school, which was down in Keesler Air Force base in Mississippi, who noticed my knowledge of computers. His name was [inaudible Plavnick 00:09:58], he’s not Chief Plavnick. I believe he’s retired, but he was awesome. He recognized my computer skills, and gave me a shore assignment, and I was not first in my class in AG school. I nearly washed out of that as well. It was one of those things where, depending on Officer Plavnick, if I had not told the truth that I did not apply myself on that level of that part of my A School training, I would have washed out and I would have gone to the fleet un-designated. He was the only vote that saved me from not washing out of A School and going to the fleet un-designated. Which, I would have been swabbing decks and polishing things with rags and god awful stuff, and then I would have struck for rate and that’s a bunch of Navy stuff, you’ll have to look that up.

But, thanks to him, I stayed in. I graduated A School, and went to Monterey, California, where I worked. I sat on a watch floor all day with a Hummingbird Exceed terminal, which now I know what it is, it’s like an emulated [X windows 00:10:57] system and watching [crazed(?) 00:11:01] supercomputers crunch numerical weather models. It was boring as all get-out, because that was not what I was trained to do. I was trained to go out every hour, look up in the sky, and tell what the state of the sky was, and encode it into an [inaudible 00:11:13] transfer, and transmit it back to, ironically enough, Monterey, California, where it would have been crunched into a numerical weather model.

I didn’t do that for the first 2 years of my naval career. I was actually on a watch floor, and helping out with the training department. After that, I had to go to a ship, or I had to take some god awful duty in the middle of nowhere. Seeing as how I didn’t want to go to a ship, I took the god awful duty station of Diego Garcia, which is a tiny, tiny island. It’s an atoll, actually, coral atoll, out in the middle of the Indian Ocean.

It’s a year duty. You’re only really given that if there’s absolutely nothing else to do, but I took it, and I excelled, because at the time I was the only person coming in who actually knew anything about computers. The guy who was doing all the IT stuff for the command, was leaving.

They were like, “well, you’re it.”

I was like, “oh, okay. So, will I take observations and stuff?”

They’re like, “only if somebody’s sick on the watch [bill. 00:12:14]”

So I was like, “all right.” I ended up maintaining a bunch of Microsoft NT boxes, 2000 boxes. [Well, Navy-grade 00:12:21] 2000, that was the big deal, because USB support was available, it was like, “woo.” I did that for a year, and 4 months, and I had to stay extra because my detailer when I was calling for orders, could give me San Diego, because that’s what I wanted. I wanted to come back to the states, because at that point, I was like, “I need to get out of the Navy. This is definitely not for me. I need to do something with my life;” but trying to get out of the Navy on Diego Garcia is just not something you can do, because I had not learned the valuable lesson of networking.

So, I stayed there for 4 months, and unfortunately I was on the island of Diego Garcia when September 11th occurred. I was actually supposed to leave probably a couple of days after September 11th happened, and I ended up staying another month because everybody was coming in to Diego Garcia to do Operation Enduring Freedom. Nobody was leaving. I actually didn’t leave until October, mid-October.

So, I got back to San Diego. Let’s zoom ahead a little bit. For the next 3 years there, I was doing nothing but N6, which is IT, I was the first web administrator for the command. I was helping build webpages. I wasn’t doing anything fancy because SIPRnet at the time didn’t have a lot of bandwidth, so it was static webpages with the HTML I was learning, vulnerability management, we were using eEye Retina scanner.

We were using gold discs, which were new thing. Vista brought out the gold discs, which was a nightmare, because if you tried to turn it up to 11 on those gold discs, you ended up breaking existing boxes, because we had no concept of building a box securely from the ground up. It was always patch it after you start it. We had no method of patching. Chef and those things did not exist for us at that time. They probably did, but we just didn’t know it, because we’re on a budget.

I was a third class at the time, so I was a E4, just got my crow a little while before that. By that time, I had not ever re-enlisted. I had always extended, so I was trying to find my way to getting out of the Navy. It was … this was something I had agonized about, because you get institutionalized. You get used to … I had been in the Navy for 7 years. I knew all these people.

I knew what I was supposed to do, but the option for my career was, “you’re going to go to C school, and be a forecaster. Or, you’re going to go back out to sea.” You know, the other thing was, “you’re going to be a forecaster, and you’re probably still going to go out to sea.”

So it was like, “well, either way I’m going to end up on a ship at some point. I really don’t want to do that.” So, I started making calls to people, and I managed to get out of the Navy, and got on a help desk over at a place called [Spawar(?) 00:15:06] C in Space, systems center in San Diego, and I did some hell desk for a while. I got hired back as a GS11 in my existing command, because the lady that I was working for left to go to move to DC, Washington DC. So, they needed somebody and I was like, “well, I’m available.”

And they said, “okay, cool.” So, I went back as a GS11. I got out as a second class, I was an E5, came back as a GS11, which was the equivalent of lieutenant. It was weird, because some people I called chief and sir, I could call Dave, and Bob, and Robert. Obviously I didn’t, but you know, that’s the way that went.

I was in government for about a year and a half, and then decided I wanted to go and make myself better. So, I joined an NMCI program and learned a little bit about software testing, and integration testing for [COT(?) 00:15:58] stuff. Learned how to install Oracle, god awful thing that is, and build out systems and environments that I could use to test systems, test updates and software.

Then, my wife got a job in Austin, Texas, and that’s where this really … I met Mr. Boettcher a little after this. We moved to Austin, and I didn’t want to leave San Diego because I really love San Diego. I grew up there, my formative years were there. But, I really hated it for a while. For about the first two years, I worked at this government contractor down there, and it was just awful.

I finally was [riffed(?) 00:16:36] because of one of the government shutdowns. I got picked up by a HIPAA consulting firm down there, CynergisTek. They still work there. Mac McMillian is a friend of mine, and he hooked me up with a consulting gig; and I told him. I said, “I didn’t know anything about compliance. We did [NIS 00:16:54] stuff and all that.” I was like, “I didn’t know it,” because I was like, telling the truth once worked. Maybe telling the truth again will work. So, I was like, “I don’t know anything about HIPAA.”

He’s like, “oh don’t worry, we’ll teach you.” So, I did that for about 6 months, and one thing … so, I was not good at writing reports. Not good at writing reports, and that’s one thing I probably would have done differently.

I would have tried to figure out a better way of explaining that to my boss, because Mac did not realize that I was not doing a good job on my reports until I went to a client and said, “okay, I did the … I went and interviewed all these people, and here’s the unveiling of your report. You don’t have XYZ,” and the CCO was there, and the CIO was there.

He was like, “hey Bob,” and Bob was the guy I had been working with. “Didn’t we just spend $300,000 to get XY and Z?”

And I was like, “aw crap. I mixed you up with another report.” So, that damaged a little bit of the reputation of the company. We managed to smooth it over, but I should have realized at that point I was going to have to move along. I was let go. I’m not ashamed to admit that. I was let go after 6 months there, and I was kind of flailing, because I didn’t know what I was going to do.

Somebody from APEX, it was one of the recruiting agencies, temp-to-hire kind of things, said “hey, I got this job at Xerox.”

I said, “okay. What’s it about?”

They said, “oh, they do vulnerability management and stuff.”

I said, “okay, I know how to do that.” So I interviewed with … actually, this is where Mr. Boettcher comes in. I actually interviewed with Mr. Boettcher, and we hit it off immediately, because I was like, “oh, hey, his name is Brian,” and I was like, “man, how am I ever remember how to spell his name? I mean, how do you spell that?” And, actually it was Jim. Brian, you remember Jim? He’s no longer working for Xerox, but yeah, he’s a good guy; and yeah, they hired me.

I learned as much from Mr. Boettcher as he thinks he did from me. Obviously it was on the other side here. I learned how to interact with people and be better, get tenacious at my work, learn to love my work, because for a while there, I was like … “we don’t make, I don’t make anything. I don’t do anything.” It’s not like … I actually envied the guys who are mowing lawns on the side of the road, because at the end, they can actually see a finished product. We didn’t make anything.

During that time in Austin when I was learning these things that Mr. Boettcher was learning, I was actually learning how to network with people, which was something I didn’t know how to do. So, I joined ISSA, which in Austin is about 125 strong on a normal month, got to meet people, shaking hands. I’m not normally an outgoing person in real life. I’m kind of a, my hands are sweaty, I’d rather go talk to the fern in the corner. I have a face for podcast. Obviously I podcast quite a bit. Creating relationships was weird and new for me.

For me, being in information security, I loved tinkering with things. I’m always … when I’m not working, I’m always on board games, or I’m on CTFs, I’m constantly trying to prove myself. It’s been a long road. I mean, I didn’t get here, and I’m still … I’m always looking up the ladder, and I’m seeing these other people above me, and I’m like, “man, I want to be where that guy is.” You know, and I look down, and I still think I’m on the bottom rung in many cases for things.

Actually, me and Mr. Boettcher started the podcast because we were being selfish. We wanted to try to market ourselves out there. This was like a body of knowledge thing we were going to use it for like, “hey, you know if we’re getting a better job. Hey, I do a podcast. You know you can go and listen to what we do.” We’re kind of selfish in that respect.

But, we have a drive to educate people and infosec, that’s so very important to educate people. I’ve never been worried about somebody taking my job, because if they did take my job, it’s either because I’ve recognized the talent and they probably can do a better job than me. Ultimately, if I can help my company find good talent like that, then I think I’ve done a good job.

Jay Schulman: So, would you guys consider yourselves mentor, mentee? Is that kind of the relationship, at least at some point, that you guys have?

Brian Boettcher: It’s like a cyclical thing, right?

Bryan Brake: It is! Very much so. Yeah. I mean, I did come in a CISSP only because I was required to have one by the government contractor. When I got my CISSP, I was like, “man, I’ve arrived. So many doors are going to open for me.” And you know, Mr. Boettcher actually went to a decent school. I went to University of Phoenix, and got my degree while I was working. That was back when the University of Phoenix was kind of still okay, not like today. There’s so many more options online for people who want degrees. I know our friend Megan Woo [Tutancaugh(?) 00:21:43] on Twitter, is looking at going to WGU. Martin Fisher also did WGU for his Masters, I think. So, if you’re looking for some kind of online courses like that, WGU is a great one for that. I would have done those had I known about them.

Jay Schulman: Yeah, I’m a big advocate of mentor, mentee. How have you guys helped each other over the years?

Bryan Brake: Well, a lot of mine was just trying to kick Mr. Boettcher out of the current job he was in. He had been there for 7 years, and you’re not supposed to talk about things like pay where you work; but when I found out that I came in and I was making way more money than he was, I was very unhappy. I told my boss that. I told our respective bosses that. I was like, “he’s been here for that long.” The minute I found out, I was like, “dude, you got to get out of here. You got to get a job.”

So, I was trying to … I sent him job requests when the opportunity for more training for the SANS stuff, when we got our [GWAPS(?) 00:22:37], I said, “we need to go to that because it’s going to be good for us.” He’s actually seated me. He’s doing an application now. I wish I could do programming and stuff. I don’t have the programming background that he has, so that’s something that’s inspired me to want to get in and learn Python, Ruby, and the lower level languages. So, yeah, it’s … he’s inspiring.

Jay Schulman: So you guys walked into a really interesting question, here. So, Mr. Boettcher, you actually started off as an English major, and Mr. Brake, you are kind of a self-professed very poor at report writing. Normally, I’d just ask the question, how has your English major helped you over the years? Kind of compare and contrast here … communication, to me, is so important. Mr. Brake, do you think it’s hindered your career? And, Mr. Boettcher, do you think it’s been an asset to your career?

Brian Boettcher: I think it’s been an asset to my career because I can construct an email and feel relatively confident that my point would come across. While at the same time, writing policy documents and things, it … When I graduated, they told me that the average computer science graduate has an 8th grade writing level. I was like, “how can that be? That’s ridiculous.” Until I got into the industry, and I realized that that was true. So, I think it has helped me because people look at my colleagues and how they write, and they see how I write, and they see the difference. I think that helps a little bit. Certainly not a requirement, but it’s just another quality.

Bryan Brake: Yeah, and with me, not having that English background, I agonize over sending emails because I have sent enough emails where the tone could go either way. So, I have to really agonize over what I do to make sure that my communication … My communication skills, surprisingly, I don’t like talking to people, but it’s my most effective method of communication … I’m cool with Skype, because I can see you, such as it is. I can see your eye contact, I can see Mr. Boettcher when he has his webcam on, which works for me. Face works good because I can read the body language, I can tell if they’re actually listening to me, but in email, it’s like, “am I saying this right so they know that I’m trying to be funny.”

In the Navy, I was told I had a lack of tact, and it’s kind of followed me through my career, that sometimes I tend to get to the point a little too much, a little too direct. Maybe that’s a European thing, I don’t know. I don’t know how that became a thing for me, but I’ve been told it’s a very European thing to be just direct, but yeah.

I’d love to go back to school and get like an English degree, or a writing degree, because I understand that writing reports is something that nobody likes to do. I don’t know if it’s because it’s not sexy, it’s not cool. But yeah, communicating, for instance, findings. I find different mediums for me, like making videos and showing how I’ve recreated those steps is a lot easier than me going, “okay, you right click on this box and dah, dah, dah, dah, dah.” I find it’s a lot easier for me to do videos, which people find refreshing in my office.

Jay Schulman: So, I’m going to ask probably a tough question here for you guys. You guys created the podcast, self professing to be self serving for you guys. How has that worked out? Would you also then recommend that other people use this type of medium, whether it’s a podcast or a website, or a blog, or what have you, has it been good for your career?

Brian Boettcher: I think it has. I mean, it certainly almost forces us to network with people, because we’ll go to a conference specifically to meet people to have on the podcast, so we have some good content, right?

Bryan Brake: Yeah.

Brian Boettcher: So, it forces that networking. Then, the people that we do interview, largely, we have a lasting relationship with, all right? And then, it gets our name out there, so that when we do meet people in the security community, they’re like, “oh, okay. I know you.”

Bryan Brake: Yeah.

Brian Boettcher: And, it tells potential hiring managers, “these people are passionate about security, and I’m looking for people who are passionate about security.” So, it shines the spotlight on you. There’s no question that we’re passionate about security, right? Because, we do a podcast every week, and we learn about different topics. Yeah, it is a little bit self-serving, but it kind of forces me to at least get the basics on a particular topic. We do a wide range of topics, so the breadth of our security knowledge expands.

Bryan Brake: Yeah. When we first started doing the podcast, it was based on stuff that happened during our week at the office. Because me and him, we were both information security professionals, both named Bryan, working for the same guy, in the same office. So, when he would come in, he would just say, “hey Bryan,” and we’d look up.

Our first podcast was based on hashing, because we had these developers who were like, “oh yeah, don’t worry. Our passwords are MD5 encrypted, and we’re cool with that.”

We’re like, “I’m sorry?”

“No, no, no. No, no. MD5 is not an encryption. It’s a hashing mechanism, and we shouldn’t be using MD5 anyway.” So, you know it was kind of … our podcast almost started off as ranting because it was like, “okay, this is what MD5 is. It’s a hashing algorithm. Here’s what AES is, that’s an encryption algorithm, and then here’s MP3, which is an encoding mechanism for audio and stuff.”

We started doing it like that, and it was like, “well, I need to understand how to do [BSIM 00:28:18], so let’s do research on [BSIM 00:28:19] and do a 30 minute podcast on that.” Or, and you know some of it’s we’ve had authors on, we’ve had people who do podcast themselves, including you, you’re not our first people we’ve had on who does podcasting, but we look for people who are … we broke a rule this year, because I was like, “we don’t want the Dave Kennedys, and the HD Moores of the world, because those people have already got … they’ve already got it made. They already know where they’re at in their careers.”

We’re looking for those folks that would never dream of being on a podcast, or giving a talk, because those people, they’re kind of like us. They don’t think they’re important, but everything they do is just as important as the Dave Kennedys, and the HD Moores, and the Dan Kaminskys of the world. They’re helping their own companies that are helping companies be secure to do … you know, they all have their passion. They just keep it a little … their candle’s not as bright as the other ones.

Jay Schulman: Thank you. That is a phenomenal point, and certainly, as much as I try to help people grow their career, you guys have built a platform to do the same thing for others. So, you said it yourself, it was self-serving, but in fact, you are serving a whole lot of other people. So, I ask everybody the same two questions, I’ll ask you guys the same questions as well. As you guys thought through your career, can you think of a time where you really agonized about a decision career-wise, but it really turned out well for you?

Brian Boettcher: Definitely. So, my manager like right after I told you about how we had a SWAT team to get us through PCI, and he met with me, and he basically said “we want.”

I thought about it, I said “I’ll come back tomorrow.” So, I slept on it, and I said, “I either want to be in security, or I’ll take over that team,” which was my first job there, level 1 development, software support; and “I’ll turn those guys around, but it’s going to cost you $10,000.” I just told him, “I want a $10,000 raise,” right there, because it’s going to take a lot of work.

He said, “okay, starting right now, you’re our new security guy.” I guess, he didn’t have the budget, or whatever. So, that was … they say ‘success is a lot talent and luck.’ Well, that was a little bit of luck on my part that I gave him … I put the decision on him, and he chose correctly for me, all right? So, that was a decision point that worked out.

Bryan Brake: So, something I’ve agonized over, I think, honestly I think my last job switch was my most agonizing trait, because it was … I had been reached out to by my current boss and said, “hey, I saw your profile on LinkedIn. I think you would be a good fit for this job.”

It was a part vulnerability management engineer, which I knew I could do well, and penetration tester, and I was like “(breath noise), you know, I don’t do a lot of pen testing.” I had given up a long time ago trying to fluff up my resume as much as possible, because I was like, I got to get to a point where I’m not leading the team, but I was part of the team who was doing something to make myself look better. Who doesn’t do that, you know? Honestly.

So, I told him. I met him at a Starbucks. I said, “listen, I love the job, and it looks great, and I understand you guys,” and I mentioned the company, my name. And I was like, “I’ve heard your people on other podcasts, and you guys are doing some really great stuff, and I worry that I can’t do the caliber job you’re wanting me to do.” I said, “I can do 70% of the stuff on this resume that you’re wanting. The other 30%, the pen testing stuff, if you’re wanting pen testing like I think you want pen testing, I ain’t the person you want.”

He was like, “well, we’ll work on that. You’ve got plenty of time to learn that stuff.”

I was like, “okay, but I want you to understand up front that my pen testing is light. Light pen testing, application testing, that kind of stuff. It’s not heavy stuff you’re going to spend $50,000 for a week engagement on.”

So, I agonized after he had given me … He said, “yeah, we want you. You’re going to come in, and you’re going to do this.”

I was like, “man… (breath noise), I don’t know.” Again, it was the institutionalization. I had only been at Xerox for 2 and a half years, almost 3 years. I was like, “man, I don’t like what I’m doing currently at Xerox,” because at the time, it was just like firewall audit, firewall audit, trying to delete rules that weren’t … ten years’ worth of work that was in there. I was like, “you know, it’s a comfortable position. I can do it with my eyes closed. Everybody seems to like me still, even though I’m not working in the office anymore.” I had already moved up to Seattle by then. I was like, “do I want to take that chance of it not working out with this company?” It was just kind of a throw it against the wall, see if it sticks.

I’ve been here a little over a year now. They seem to be okay with what I’m doing, so I made a good choice for me and one of their caveats was, I still need to be able to do the podcasts, and they were fine with that. So, that was one of the requirements, the only real requirement I had.

Yeah, I mean sometimes I’ve learned that job descriptions aren’t always going to be the job that you’re going to do. I am doing way more than what that job description says, and it ain’t all pen testing, so. If that job description looks like you can only do about 50% of that, just go ahead and put your resume in anyway, because they may not even need what they’re asking for.

Jay Schulman: I also believe that’s a great point. I also believe a lot of people are hiring for potential as well as job description. So, it’s your point, they knew you could do it, it’s just a matter of getting you trained up. So, last question that you’re normally Mr. Brake, you’ve talked quite eloquently about a lot of the struggles that you’ve had so, I thank you for that so far.

Bryan Brake: Sure.

Jay Schulman: Thinking back for both of you, what’s a do-over? What’s something that, if you had it all to do over again, you’d do it a little bit differently?

Brian Boettcher: I hate to say that I wish I had known about security when I got into college, but it was almost like I wasted probably 4 or 5 years trying to find out what I wanted to do. Yeah, I learned stuff, but if I would have known what my passion was at that time, after high school, I would have been in the security industry a lot earlier, you know? Things would have been a lot different. Maybe I would have … see, I’ve only been doing security for what, 3 years? 4 years, max? I can only imagine if I’d been in 14 years, you know? 15 years, where I’d be right now.

Jay Schulman: Much more jaded.

Bryan Brake: That’s the truth. So, I think the only thing that I would have done differently is I would have probably been a better IT person. There was about 3 years there when I was in San Diego where I was just kind of breezing through. I was doing just the minimum. I don’t know why I did that. People think that being in the military, you’ve got this work hard attitude, and you’re like all gung-ho, and you’re focused on something. I am so scatterbrained sometimes. Unless I’ve got a decent amount of caffeine in me, I can’t stay on one topic any one time. I’m always bouncing around to CTF, learning Python here, or I’m hacking on my little TP-Link routers for those kinds of things.

I probably would have liked to have been a better IT person, had learned a little more system administration Windows-wise, a bit more testing processes and how project management works. When I was working at Xerox … When I was working at HP on the NMCI project there, for about 3 years, I was just right click, following the instructions from an engineer, and I don’t understand a lot of project management, and that’s really hurt me in some careers. Like, I had a job at a fairly well known software company up here in Redmond, and I didn’t get that job because I didn’t have enough PM experience. If I had, I wouldn’t be working where I am now. So, that’s probably a good thing, but it really hurts me because I don’t understand the whole underlying SDLC as well as I should. That’s something I’ve been working on as well where I’m at right now, but I always seem to be behind the 8 ball on that.

Jay Schulman: No, that’s great insight. I appreciate that. So, guys, thanks so much. This has been a lot of fun to have you both here and I especially like the comparison and contrast with that mentor, mentee relationship. So, if this were a Law and Order episode, this would be the crossover episode between the spin-off of a series. So, I recently appeared on your podcast, and you guys are returning the favor here on mine. If you want to talk a little bit about the podcast, what it’s about, and where people can find it?

Bryan Brake: Go ahead, Mr. Boettcher.

Brian Boettcher: No, you go ahead. I mean, you’re the guy, the namesake, right?

Bryan Brake: Well, yeah. My last name is Brake, like on a car, B-R-A-K-E. So, I figured I had to use that somewhere in the podcast. So, it’s the Brakeing Down Security podcast, B-R-A-K-E-I-N-G. If you ever follow me on LinkedIn, there’s a lot of people who keep trying to tell me that I’ve spelled the word “breaking” wrong. What they don’t understand is that it’s a play on words.

I had agonized over a podcast. I’d been listening to podcasts for, I don’t know … First podcast I listened to was Risky Business, with Patrick Gray. Really great podcast if you are a CISSP, or somebody looking for CPEs, or CUs. Great podcast for the industry. Also, was listening to Paul’s Security Weekly. You know, and I listened to them for a long time, and 2014, I was like, “man, I gotta do something with myself. I’m a CISSP that really doesn’t do much for the industry, doesn’t give back. I need to start a podcast.”

I had agonized, I don’t know, 6 months, on this thing, because I was like, “ooh! I want to do this.” What had happened was, I was on a podcast with some friends of mine. They were like … it was like a geek podcast, and they were doing Tech of the Week, and geeky stuff, and talking about online games and stuff.

I was like, “hey guys, let me do some security stuff.”

They were like, “that’s not cool.”

I’m like, “great, okay. All right, fine,” and I was like, “well screw it. I’m just going to do my own, then.” I agonized for about 6 months on it, and I was like, “you know, I can’t just be a one man show.” I mean, Patrick does it good because he’s got Metlstorm doing the news, and then he gives really great interviews, but I can’t do it by myself. I was like, “man, I wonder who could help me … Oh, yeah! Mr. Boettcher,” and I agonized asking him. I was like, “okay, I’m going to go ahead and do my podcast in the next couple weeks.”

He was like, “you want a co-host, or something?”

I was like, “oh, thank God. Thank God he asked me. Oh, goodness;” because I was like agonizing, trying to figure out how to ask him if I could be on and everything. So, it was like January 10th of 2014, we sat down and did the hashing podcast.

We actually did 2 takes. We did one in the office, and then we were like, “well, if we do this at business hours, is that going to be a Xerox product if they accidentally find out we’re doing it?” Because, we were doing it on the down low until both of us left. So, yeah, that’s how we started it, because we were like, “well, we need to educate ourselves and this would be a great way to educate ourselves.” Obviously somebody’s listening to it and downloading it, because we just crossed 100,000 downloads in December, so in less than 2 years, we had 100,000 downloads of our product. I think it’s probably Boettcher’s Python script downloading it every 2 minutes or so, but I could be wrong, I don’t know.

Jay Schulman: And where do people actually find it and download it?

Brian Boettcher: BrakeingSecurity.com, right?

Bryan Brake: Yup, yup. That’s B-R-A-K-E-I-N-G security.com.

Brian Boettcher: B-R-A.

Jay Schulman: What about personally? Where are you guys on the internets, if people like what they heard today and want to connect with you?

Brian Boettcher: Well, I’m primarily on Twitter. You can reach me at @Boettcherpwned. B-O-E-T-T-C-H-E-R-P-W-N-E-D.

Bryan Brake: I can be found on Twitter as well, @BryanBrake, which is B-R-Y-A-N-B-R-A-K-E. I’m on Facebook. We have a fan page on Facebook, so if you want to hook up on Facebook that way, it’s Facebook.com/BrakeingDownSec and you know the podcast Twitter is @BrakeSec, B-R-A-K-E-S-E-C.

Jay Schulman: And it sounds like you guys are open to having new and fresh talent on the podcast to talk about things as well. I assume they can reach out to you in any of those mediums for a chance to be on the podcast.

Brian Boettcher: Oh yeah!

Bryan Brake: Yeah, you know just have an interesting topic. If you want to talk, we do everything from … We want to talk about reverse engineering binaries. If you want to talk about software, if you’ve got a piece of software you’ve built like Mr. Boettcher’s got one for analyzing Windows log files he’s just started creating. All the way down to compliance and regulatory stuff. We do BSIMM, we’ve done the SANS Top 20 controls, which we can’t do all the way down to 1 because they went up to version 6, we were using an old version.

But, we do everything in the middle. As long as it’s interesting, and we can spin it, we even did ITIL, which I didn’t even realize had infosec properties into it. But, Tim Wood, who’s an Austinite with Mr. Boettcher, we had him on, and I wasn’t expecting a lot out of it. Great infosec podcast on how to integrate ITIL into your information security strategies.

Jay Schulman: Well, we’ll put the podcast, all of your Twitter handles if I can remember them all, and that particular ITIL episode in the show notes so that everybody can find them. Hey guys, thanks for doing this today.

Bryan Brake: All right, thanks Jay.

Brian Boettcher: Thanks, Jay.

Jay Schulman: Thank you, Bryans. Definitely give their podcast a listen. That was Brake on Security. The first episode of 2016 featured me, and I had an absolutely fantastic time being on their show. So, please show them your support. Thank you for listening. If you’d like to keep up-to-date with the podcast, text “security” to 33444 to be added to the podcast mailing list and just as a reminder, we are not going to text you in the middle of the night. Thank you, and talk to you next week.

Intro/Ending: Thank you for listening to the Building a Life and Career in Security podcast with Jay Schulman. For more information, and to subscribe, go to JaySchulman.com.
