Interview: Lessons Learned Training The Next Generation Of Cybersecurity Pros

Expert Insights speaks to Don Pezet, CTO of ACI Learning and Co-Founder and Lead Edutainer at ITProTV, to discuss the cybersecurity skills gap and what you should look for when choosing a cybersecurity training provider.

Don Pezet is the Co-Founder and Lead Edutainer at ITProTV, a leading IT and cybersecurity training provider. Pezet is an IT expert who has worked in the industry for over 28 years as a network engineer in the private sector, in the banking industry, and on contracts for the US Navy and NASA.

Since 2001, Pezet has focused on IT training and in 2012, Pezet co-founded ITProTV, which was acquired by ACI Learning in 2021. Today, Pezet is Chief Technology Officer for ACI Learning and Lead Edutainer at ITProTV, helping to deliver IT and cybersecurity training to as many people as possible. 

After RSA 2022, Expert Insights spoke with Pezet to discuss the ITProTV training platform, the biggest cybersecurity threats facing organizations today and his tips for what people who want to get into the cybersecurity industry should look for in a training partner. 

Can you give us an introduction to ITProTV and the training courses that you offer?

One of the big challenges that I’ve always dealt with as a classroom trainer was just the sheer expense of training. Going out and taking courses at somewhere like SANS, which are phenomenal courses, is also incredibly expensive. A lot of people just can’t attend that training despite it being extremely valuable. 

At ITProTV, we wanted to create really high-quality training, but not require people to take out a loan to do it—where it’s actually accessible to as many people as possible. IT training is so important, especially cybersecurity training, because if you are connected to the internet, in any form, you are under attack. It’s ubiquitous, everybody is constantly being attacked on the internet. People need to have a base knowledge to protect themselves and to use the technologies we surround ourselves with today. 

So, to create things in an accessible format, we created ITProTV’s training as video-on-demand. That way people could subscribe, just like you might for your favorite streaming services, like Netflix. When you subscribe to Netflix, you pay a monthly fee, and you get access to a whole library. That’s how our training is. ITProTV is part of ACI Learning, which stands for audit, cybersecurity, and IT. And when you look at our library, we have content across those three fields, which helps to set people up to be successful in their careers. And they don’t have to worry about the cost of one particular course because they get access to the whole library.

The other thing is we try to make our content fun and approachable. We always have two people on camera, like a late-night talk show where you’ve got Conan O’Brien interviewing a guest. That’s how we film our content. It’s not a lecture and we don’t use PowerPoint; we’re not going to slide you to death, because people get enough of that already. We just have two people having a conversation about technology, and it comes across really well. The feedback we get from our members is that they love it.

Who are your typical members, who are the people using your training content, and what are your most popular courses? 

Our members usually fall into one of two categories. About half the people that use ITProTV are people looking to break into IT as a profession, who we call career changers. They are working in some other industry, and they want to get into IT, but they don’t necessarily want to do a bachelor’s degree or some long drawn-out program. Maybe they just got out of the military, and they’re looking to get into the private sector. They need some training, they need something on their resume, some certifications. They come to us, and we help them do that. 

The other half of our members are already working in IT. They’re at a company or an enterprise, and they’re either looking to get better at their current job, or to make a plan for future career growth. Maybe they’re a developer that’s starting to do DevOps, and they want to learn a little more about system administration, so they have some better grasp of those concepts. They are enhancing their skills and becoming better at their job. That’s a big part of what we do.

As far as our most popular courses, our number-one course almost always these days is CompTIA Security+. This course is designed to provide the basic knowledge that every IT worker should have when it comes to security. Whether you’re a developer, a system administrator or a project manager, everybody needs a basic level of fundamental knowledge. After that, it starts to branch out based on what your specialization is. 

Thinking of the security side in particular, what are the biggest challenges people face when looking for a training solution?

If I had to pick like the number-one challenge for cybersecurity training, it’s timeliness. This stuff changes so incredibly fast. If you take a college course, that textbook that you use was probably written three to four years ago and underwent numerous studies and tests before it was approved to be used in the classroom. That doesn’t fly when it comes to cybersecurity. Zero-day exploits are not called one-day exploits, it’s a zero day; it came out today and you’ve got to be prepared. 

So, when you look at a training provider, that’s a question you need to be asking them. How often do you update your material? When I watch your training, when was it filmed? And how quickly can you film something new? 

For example, when a really high-visibility exploit happens, like Log4j, you need to be able to create training around that quickly. How do you know if you’re using Log4j? How do you update it? How can you verify the update is done? How can you scan your network to look and see if you’ve got vulnerabilities based around this? Those are questions people have. 

At ITProTV, we designed our studios to be efficient to the point that we can write up an outline for content, jump in the studio and film it with minimal post-production. It’s all designed to be done practically live so we can have it on our website the next day or have it out on YouTube quickly. Speed is super important, and we have eight studios right here in Gainesville, Florida, and several other locations, so we can constantly be creating content that’s fresh and current for our students.

What are the big changes that you’ve seen across the IT and cybersecurity landscape over the past couple of years?

The world has definitely changed in the last two years, and a lot of it really quickly. In the cybersecurity world, we don’t like to do things fast. When a new encryption algorithm comes out, you don’t adopt that day one, you want to wait a few years, make sure it is field-tested and battle-ready before putting data at risk. You take your time. But with the pandemic, you didn’t have that choice, it was just overnight. You might not want a remote workforce, but now you have one. It just happened. 

And there were pros and cons to it. You know, we can think of the negatives, those are really easy. Now, instead of just securing your business premises, you’ve got to secure all of your employees’ homes, too. That’s a challenge. But I can think of some positives too, that people don’t talk about. Take ransomware attacks. Ransomware hits one machine and then it spreads and infects all the other machines. Well, that doesn’t happen when everybody’s at home. One person’s home machine gets hit with ransomware, but it can’t jump because all the homes aren’t connected that way. So, there are some positives to what we have right now.

But from a cybersecurity perspective, it’s a nightmare. We’re having to reevaluate a lot of our policies and procedures and how we handle those things, and basically telling our employees: you have to go digital, because that’s the only way we can control assets. It is pushing us in that direction faster than ever before. And I personally think that’s a good thing. Take the adoption of DocuSign, a lot of people didn’t like DocuSign just three years ago. But today, they use it, and they don’t even think twice about it. So those technologies are now moving more rapidly and that’s a positive in my opinion.

Has there been an increase in people looking to get into the cybersecurity industry in recent years as a result of these changes?

There has been an increase of people pursuing cybersecurity careers in recent years, but I wouldn’t credit that to the global pandemic. I would credit that shift to how cybersecurity incidents are presented in the news media. We hear about data breaches every single day, we hear about the talent shortage, how there are jobs out there that they don’t have enough people to fill, we hear about the US government recruiting for cyber defence, and a lot of people are out there with jobs that they aren’t necessarily happy with. They’re working in retail or food services and they’re thinking, “wouldn’t it be nice to sit at a desk and, you know, be able to do cool hacker-y things?”

I think people would be surprised at how attainable it is to get into a cybersecurity career—it just takes dedication, learning and creative thinking. That’s really the biggest skill, which is hard to learn: creative thinking, figuring out ways to look at a system that aren’t the normal way. And a lot of people really resonate with that, it certainly has a coolness factor to it. 

The barrier of entry for cybersecurity is a lot lower than other fields. If I woke up tomorrow and said, I want to be an architect, I’m going to have to go and get a bachelor’s degree, it’s going to take me at least four years, and I’d probably have to get a masters to really be an architect. Otherwise, you’re just a craftsman. But if I want to get into cybersecurity, I can get a couple of certifications under my belt and, in three months, I can be ready for an entry-level cybersecurity career and get trained on the job. And I know that job is not going away because cybersecurity is here to stay.

Companies need those professionals, just like the government needs a military, it’s a universal thing. So, people recognize that IT and cybersecurity is a great career field to be in. And especially with the younger generation, it’s a chance to get in and work with IT. And let’s be honest, it sounds cool, which has really driven a lot of people into the industry.

Do you think these positive changes are helping to close the IT skills gap, or is that less of an issue at the entry level, and more of an issue when it comes to those highly trained, highly experienced roles?

A big part of the skills gap in the past with my generation was that a lot of us grew up without a computer. I didn’t really get to use a computer until I was in high school and even then, it was a computer that I purchased myself at home. I never used a computer in school until I got to college, it was ridiculous. Today’s kids are growing up with technology! Babies are watching their parents use tablets and devices from the day they are born, are given these technologies to use at a very young age, and then when they’re in elementary school they’re using computers very, very frequently.

I think that’s really going to help to reduce the skills gap we hear about. These students—whether they intend on getting into IT or not—by the time they get out of high school, they’ve already got a proficiency in computers that is well beyond what people in my generation had. That helps a lot.

But then there’s still that next step. Getting into cybersecurity, you’ve got to understand encryption algorithms and protocols and network communication patterns and how those ports can act. There’s a lot of stuff that’s invisible to a normal end user that you’ve got to learn, and you can’t necessarily learn it by accident. 

Well, you know, I’ll take that back! My son plays Fortnite online, like a lot of people. And he understands about firewalls and ports and connecting, because he’s trying to figure out why that Fortnite server is lagging. I’ve caught him running a ping to look at how many milliseconds it takes to communicate to a server, and I didn’t teach him that! Those are skills that they’re learning, just through the regular activities they do. 

At the end of the day, we can train people up pretty quickly. There’s a lot of programs that are in place, a lot of government grants that are available to train people, to help them get involved in cloud security and all the other technologies, and really fill that career field.

Finally, what is your advice for those who are looking for a cybersecurity training provider, and those looking to get into the cybersecurity industry more generally?

There are a few things you want to look for in a training provider. First off, I mentioned it earlier: How current is their training? How often are they refreshing? Training being up to date is really important. If you’re studying old material, you are not setting yourself up for success in today’s world. That’s the first thing.

The second thing: Is the training mapping to an actual career? Shows like Mr. Robot are really cool, and being a pen tester is a neat thing. But being a pen tester is not a job you can just step into day one. Nobody is going to let somebody, for their very first job, jump in and attack a network, that’s just not going to happen, especially on a sensitive network. So, you usually need to start on the defensive side, defending a network—basically a sysadmin, that type of role. You need to advocate for yourself and find out whether the courses you’re taking are mapped to a career that’s actually entry level, that you can step into without prior experience.

The third thing is, are you getting practical hands-on training? Are you actually learning how to run certain commands? Knowing what a network map, or a scan, or a ping sweep is, knowing what those things are, that’s one thing. But actually doing one and interpreting the results is another. You want to know how to perform certain actions so that when you go into day one of your new job, you actually have things you can do. You want to actually have those skills. This is important for any training, but especially for cybersecurity.

The other thing I would encourage anyone to do, especially with cybersecurity, is not to pigeonhole yourself on a single technology. You want to make sure you stay broad—especially early in your career. Later on, you can specialize, but early on, you need to be a bit of a jack of all trades. You need to be able to understand Windows, macOS, and Linux. You need to know all the platforms because that’s what’s used out there. Especially Microsoft Windows. I know, it’s not considered cool anymore, but it’s what’s used out there in the real world.

You also need to be familiar with cloud technologies. People stand up web applications every single day. That’s the way people design their interfaces now, and they’re almost always deploying on Microsoft Azure, or Amazon Web Services, so, you need to be familiar with those. They all have free usage tiers, so, you can set up a free account with AWS, start experimenting with it, learn it today, and get a basic proficiency in those platforms. It’s really, really valuable.
