In this conversation, Chris Glanden interviews Derek Fisher, a cybersecurity expert with nearly 30 years of experience. They discuss Derek’s background, the evolving landscape of cybersecurity with the advent of AI and cloud computing, the importance of threat modeling, and the challenges in the security hiring process. Derek emphasizes the need for secure design in cybersecurity and the impact of AI on threat modeling, while also addressing the difficulties job seekers face in a competitive market. Derek also discusses the current state of the cybersecurity job market, emphasizing the frustrations faced by both job seekers and employers. He provides insights on how individuals can break into the industry, highlighting the importance of aligning personal interests with market demands. He addresses the gap between academic education and real-world skills, advocating for more practical experience for students. He shares his experience writing children’s books to inspire the next generation about cybersecurity and discusses the challenges parents face in navigating technology with their kids. Finally, he explores future trends in technology, including robotics and quantum computing, and shares a fun concept for a cybersecurity-themed bar.

TIMESTAMPS:
00:00 – Introduction to Cybersecurity and Derek’s Background
10:09 – The Impact of AI and Cloud on Cybersecurity
19:19 – Understanding Threat Modeling in Cybersecurity
27:47 – Navigating the Security Hiring Process
35:48 – Navigating the Job Market in Cybersecurity
36:40 – Breaking into Cybersecurity: Finding Your Path
44:16 – Bridging the Gap: Academia vs. Industry
47:24 – Inspiring the Next Generation: Writing for Kids
50:46 – The Challenges of Parenting in a Digital Age
54:08 – Future Trends in Cybersecurity and Technology
56:52 – Creating a Cybersecurity-Themed Bar: A Fun Concept

SYMLINKS:
Derek Fisher’s LinkedIn Profile – https://www.linkedin.com/in/derek-fisher-sec-arch
Connect with Derek Fisher on LinkedIn to learn more about his professional background and expertise in cybersecurity.

Securely Built Website – https://www.securelybuilt.com/
Explore Securely Built, founded by Derek Fisher, offering tailored cybersecurity advisory services, training programs, and resources to help businesses develop robust cybersecurity programs.

Secure Work Coach – https://www.secureworkcoach.com/about
Access specialized cybersecurity courses and training materials provided by Secure Work Coach, founded by Derek Fisher, a seasoned cybersecurity expert with 30 years of engineering

Derek Fisher’s Udemy Instructor Profile – https://www.udemy.com/user/derek-fisher-8/
Enroll in cybersecurity courses taught by Derek Fisher on Udemy, covering topics such as application security and CISSP exam preparation.

Ultimate Cybersecurity Course & CISSP Exam Prep – https://www.udemy.com/course/ultimate-cyber-security-course/
Develop your cybersecurity skills and prepare for the CISSP exam with this comprehensive course by Derek Fisher.

The Application Security Program Handbook – https://www.securelybuilt.com/media
Learn about building an application security program through this comprehensive guide authored by Derek Fisher.

Alicia Connected Series – https://www.aliciaconnected.com/
Discover the “Alicia Connected” children’s book series by Derek Fisher, focusing on safe technology usage for kids.

Securely Built YouTube Channel – https://www.youtube.com/@securelybuilt
Watch cybersecurity tutorials and discussions on the Securely Built YouTube channel.

Derek Fisher’s Articles on SecureWorld News – https://www.secureworld.io/industry-news/author/derek-fisher
Read articles authored by Derek Fisher on SecureWorld News, covering various cybersecurity topics.

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Chris: Welcome to Barcode. I’m your host, Chris Glanden, and joining me today is Derek Fisher, an established cybersecurity and engineering expert with nearly 30 years of experience across financial, healthcare, military, and commercial sectors. Beyond his extensive career, Derek has made a lasting impact through his authorship, teaching, and countless contributions to the security community. Derek, thanks so much for stopping by Barcode, my friend.

Derek Fisher: Thanks, Chris. Thanks for asking me on; I’m really looking forward to the conversation.

Chris: It’s good to see you. The last time I ran into you was at BSides Philly, over there at Live! Casino, I believe it was. I love how security conferences are in one of the highest-risk places, if you gamble.

Derek Fisher: Yep. Yep. I was going to say, if you gamble, it’s a high-risk environment. I always have to go in with a certain amount of money that I’m willing to lose, because the house always wins. You’ve got to be willing to just pay for the entertainment for a little bit.

Chris: I’ve learned to scale back. I always say Vegas was not built by losers. Or by winners, sorry, Vegas was not built by winners. Are you originally from Philly, or did you migrate here from somewhere else? What brought you to the area?

Derek Fisher: I mean, I’ve been in the Southeast Pennsylvania area for most of my life. In fact, I was born in and mostly raised in Lancaster. If you’re familiar with Lancaster, it’s the horse-and-buggy Amish type of environment, which, I still work with my hands a lot. I love it; if I see a pile of wood somewhere, I’m always thinking about how I can put something together with it. And that’s the honest-to-God truth. And I think part of that is from growing up, maybe part Amish, I don’t know. Fisher, it’s entirely possible that I’m part Amish. But I’ve lived in this area for most of my life, with the exception of a few stints. I spent some time in Florida working as a contractor in hardware engineering, but other than that I’ve been in this area, and it’s a really good area for tech. There’s a lot of different types of companies in the area, a lot of different sectors that are represented. I think it’s a good area to be in, in terms of tech and also in terms of universities too. I think the area is pretty ripe for good technical expertise and activities. And then of course you have a lot of just natural beauty in the area too, in terms of being able to go an hour north and be in the Poconos, or an hour west and be out in farmland, or two hours east and you’re at the beach. There’s a lot of good things to offer in the area.

Chris: It’s definitely a good hub. I think the security community here specifically is a differentiator. And I’ve seen other local communities that aren’t up to the same level. I think that we are. I know that you’re heavily involved in the security community here in Philly. What type of events or meetups do you typically take part in here in this area?

Derek Fisher: WiCyS Delaware Valley is a good one to go to. BSides, as you mentioned, is a great one. SecureWorld in the area is good. There’s always a lot of good stuff in Philly itself, downtown, whether it’s IANS or ISACA and some other organizations that will often pull together experts from the area to have even just conversations. A lot of it doesn’t have to be vendor-driven types of events; a lot of them are geared towards meeting people in the area and making connections. I know, Chris, you do a lot of happy hours and things like that as well, which are great events to be able to just meet with other people and talk to them in a space that doesn’t feel stuffy or like you’re in a work environment. You get a little bit more interaction, a little bit more back and forth, which I think is good. And you tend to run into the same people at these events. The more of these events you go to, hey, you see the same people, which is great because you get that sense of community that we’re all working towards. It’s good stuff.

Chris: You definitely see the same people. And I think that you’re starting to see new people come too, because the word’s out that there’s these great events and they’re constant, so it’s not like you have to wait a long time to hit another event here in the area, which I think is really good. You constantly have that information being spread out to the community.

Derek Fisher: Yep. Yep

Chris: Career-wise, I’m curious to hear your origin story there, just in terms of the elements that got you initially interested in security. Talk to me about some of those early career experiences that helped shape your path to what it is today.

Derek Fisher: I’ve been around tech for a very long time. Dad used to work at Commodore Computers, which, for those that don’t know, was around the same time that Apple was born as well. In fact, the two of them were pretty much head-to-head competitors for a while. And we had stacks of VIC-20s, Commodore 64s, and Amiga machines around the house. Some of them were prototypes, not ready-for-primetime type of stuff. I think that really brought my interest into tech, which then led me to get into the hardware aspects. That’s where I got my start, in the electrical and mechanical drafting and design work. I did printed circuit board design, and for me, the great part about that was being able to physically touch something that you designed. You sit down in a CAD tool and you develop this circuit board based on a schematic and you send it off, and a couple of weeks later you have it shipped back to you and you look at it: I remember laying this out. I think, again, being able to touch and feel the technology that you created was also very empowering and drove me further into the technology space. And that shifted into software engineering and design, where I started working in C to develop RTOS, real-time operating systems, for hardware. And that then led to me getting into a full software engineering role in .NET with a healthcare company. And at that point, that’s where things started clicking with security. I sat on the other side of the wall from the security team. Just being in that ecosystem and being able to see the things that they were working on really intrigued me, and I think, especially in the healthcare space where, you don’t have healthcare organizations, I don’t mean the company I worked for at the time, Siemens, they had deep pockets, the

Derek Fisher: people that we served, the companies and facilities that we served, did not have deep pockets. Their core competency wasn’t IT; their core competency was keeping people alive and servicing patients. You often had a hospital with an IT department of one or two people. Seeing how security overlaid with the criticality of what it is that those facilities are doing really, to me, spoke to what it is that we do in security. It’s that we’re here to develop systems in such a way that we’re really servicing them, because that’s not what they care about. They don’t necessarily, it’s not that they don’t care about it, it’s just that’s not what their core competency is. And I think to me that really spoke to what it is, again, that we do in security, and as they say, the rest is kind of history. I’ve moved through a lot of different sectors, whether it was the healthcare space and then into the financial space. And really, each day is a new challenge. As we know, when I first got into security, we started the cloud migration, or a lot of cloud initiatives. And that was just a fundamental shift in the way that we design and engineer our infrastructure and the way we deliver services to customers. And now you’re seeing things related to AI and how that’s just creating a massive shift in the way that we not just develop our systems, but the people aspects of what the impacts of AI are and how security is evolving to tackle those challenges. I think in a couple of years we’re going to see things change in relation to quantum and robotics and stuff like that, where that’s going to, again, I think, create a huge shift in the way we secure. The security industry, like much of technology, is constantly changing, and I think that’s exciting.

Chris: You said that day by day it’s a new challenge, but you’ve been in this industry for a long time. Would you say that AI is probably the most significant shift that you personally have seen?

Derek Fisher: I mean, the introduction of cloud really caught everybody by storm. And I don’t know whether it was a bigger shift or not. To me, it seems like we still don’t know what the true impacts of AI are going to be.

Derek Fisher: And I think that’s part of the problem with cloud: it hit us like a ton of bricks. And I always tell the story that where I used to work at Siemens, I could look across the parking lot and see the data center. That’s where all of our services ran out of, and you could look across the parking lot and see it. Cloud just blew that up. Now you don’t see anything across the parking lot but a bunch of cars. But we kind of

Derek Fisher: got to understand it pretty quickly. It’s like, this is the new deployment model, here’s the services, we’re going to release new services and you can take it or leave it. With AI, I think we’re in the middle of it now, and I don’t know if we really know what the true impacts are. And then when you start combining the things that are going to be coming down the pipe, whether it’s, again, as I mentioned, robotics, what’s the combination of AI and robotics going to look like?

Derek Fisher: Those types of applications of artificial intelligence, I think, are still unknown. And we might be able to think about them in the sense of, well, this might happen or that might happen. But we know this in technology: you never really realize how somebody is going to use a technology until it gets in their hands. We can say, OK, AI is going to revolutionize

Derek Fisher: the way we do XYZ, and then a consumer gets a hold of it and says, well, I’m going to think about doing it this way. And they do something completely different that the developers or the engineers that created that particular AI model or whatever weren’t thinking about. I think once something gets in the hands of the consumer, we’re then kind of reactive to how it’s being used. And I think a couple of years from now, or even shorter, a year or two from now, we’re going to see completely different applications of AI that we’re just not even thinking about now. I think to that extent, the explosion of AI probably is more of a revolution in technology.

Chris: That makes complete sense. It’s unpredictable. And I think the aggressiveness of AI just seems to be much faster than cloud was.

Chris: I think that even if we’re not involved directly with threat modeling in an organization, we all realize that security teams should be doing threat modeling, and we understand the principle of it. First off, for those that aren’t threat modeling day to day, if you don’t mind, just give me the quick Derek definition of threat modeling.

Derek Fisher: Threat modeling is the identification of threats within your design or architecture. And there’s formal processes for that. There’s building out a secure engineering or secure architecture diagram. You can create attack flows, you can create attack trees. There’s a whole bunch of different ways that you can visualize and create a threat model. But the end goal is that you want to identify the threats that are particular to that design. When we’re doing threat modeling, there’s basic questions that we ask: What are we building? What can go wrong? What are we going to do about it?

Derek Fisher: And did we do a good job? And those four questions, you can bring those down to a user story level. You don’t have to wait for a C4 diagram to be generated for you to take that diagram, break it apart, and create a formal threat model. It’s asking those basic questions: What are we building? What can go wrong? What are we going to do about it? And did we do a good job? And often when I’m teaching threat modeling, I describe that we do this on a daily basis. We may not be thinking about it, but we walk outside of our house and we may be thinking about the weather. Is it going to rain? Is it going to be hot or cold? What am I going to do about it? Am I parking my car in a bad neighborhood? What am I going to do about it? Those kinds of things, that’s threat modeling. We’re not really thinking about it as if we’re doing a formal threat model; it’s more of that mindset of, what are we doing? What are we building? What can go wrong? What are we going to do about it? And the “did we do a good job” part, that last part, is really: did we do a good job of identifying not just the threats, but the scope of our design, the scope of what we’re actually trying to think about? Did we do a good job of capturing all that? Did we do a good job of capturing all the threats that are posed? Did we do a good job of capturing

Derek Fisher: the controls that are mitigating the potential threats? Threat modeling can be, again, a formal type of activity where you get a group of people together, you get on a whiteboard, you draw out the architecture, you start talking about the threats. You could do it in an app with a design diagram and then do the same thing. There’s tools out there for it, but it basically boils down to asking those fundamental questions, and you could do that, again, at the user story level.

Threat modeling boils down to four key questions: What are we building? What can go wrong? What are we going to do about it? And did we do a good job?

Chris: I’ve never thought of it as a subconscious mental threat modeling situation. That’s an interesting way to phrase it.

Derek Fisher: Did you go to the Eagles parade? Were you doing the threat modeling mentally when you went?

Chris: I did. I did. No, it was a mental whiteboard, but I did do threat modeling, for sure.

Derek Fisher: I mean, it’s those types of activities, again, that you’re not really, it’s not like you’re sitting there drawing it out: I’m going to be on Broad Street at this time and I’m going to get hit in the head with a hoagie or something like that. But mentally, you know that you’re stepping into an environment where you probably need to make sure you have your wits about you.

Chris: And it’s a possibility that it’ll happen. So you have teams that perform these threat modeling tasks. A lot of it, you say, could be a whiteboarding session in a conference room. But taking it from that conference room to reality as a task, there’s certain tasks involved. From your experience, what approach is the most effective way to take that and then apply it within the enterprise?

Derek Fisher: That’s where I think I see a lot of organizations kind of stumble with it, because, as you mentioned, a lot of organizations say, we’ve got to do threat modeling. And oftentimes it’s the same way that we treat any type of scanning activity or assessment activity: what are we doing it for? Number one, why are we doing this? Number two, do you have the bandwidth and the capability of actually doing something with the output from that? For those of us that have been around, I got my start in application security, and that was a lot of static analysis scanning and dynamic analysis that would just turn up hundreds or thousands of results, and everyone just throws their hands up: well, what am I going to do with this? And threat modeling is just adding an additional layer of, here’s more problems that we found with your design that need to be fixed. So the first step is really to understand, one, do we have the staffing, the workflows, the processes in place to really manage the potential work that’s coming out of a threat model? Because, again, if a security architect or engineer sits down and looks at a design, they’re going to find stuff. And it’s then up to the development team or the engineering team, with the assistance of the security team, to develop those mitigations and security controls. What I think the real output from that is, is not here’s some vulnerabilities or some tasks for you to go fix. It’s really about developing and designing a secure reference architecture or secure controls that are then able to be used throughout the organization. If you’re a small organization with two or three applications that you’re managing, that’s a little bit easier. You can generate or create a secure architecture, a secure reference architecture, a secure design that you can then use in your other applications.
But if you’re a much larger organization, that becomes a little more complex, and that really will depend upon your processes and the people in place to drive those changes. But the goal is to create a secure design out of that threat model to solve the broader problems. Because, as opposed to static analysis or dynamic analysis, where you’re scanning an application and you’re scanning the code of a given application and you’re saying, here’s the vulnerabilities that were found in that, when you do threat modeling you’re really looking at the bigger picture, the design, the architecture. Those changes aren’t going to be those tactical, here’s 10 vulnerabilities that we found. It’s more, here’s the issues with the design that we need to solve more holistically. That’s going to get you a bigger bang for your buck.

AI will eventually perform threat modeling, but security architects will still be needed to build secure designs.

Chris: Got it. I was going to ask you how you measure the success of a threat modeling exercise. Because I guess there’s a testing phase, correct, once you’re going through that development lifecycle or implementation lifecycle where you are detecting architecture flaws and you’re fixing them. Is there, I guess, a post-threat-modeling testing process that can really say, look, we can check this off, we’re good, move on?

Derek Fisher: I think that comes down to the adoption of those secure patterns. Let’s say you’re building a brand new application and you’re a mid-sized organization. Are you starting from the floor of that application, or is it starting from those secure design patterns? Here’s your secure design pattern for authentication, here’s your secure pattern for data encryption

Derek Fisher: and storage, here’s how you, and those again should just be puzzle pieces. The maturity of that secure design is: are you putting those puzzle pieces together from known-good, secure puzzle pieces to create that application? And I think that’s how you measure it: how much of your application is net new, untested architecture and design, as opposed to using the vetted secure patterns that have been created for this particular organization or this particular set of applications. I know that’s a little bit more, it’s not the same as saying, let’s run our DAST tool in a lower environment and we found 10 vulnerabilities, but we run it in pre-prod

Chris: I see.

Derek Fisher: and we found zero vulnerabilities. That’s kind of a good measure of, you fixed your issues, but we’re talking about vulnerabilities as opposed to secure design. That’s a little bit different approach. I hope that makes sense.

Chris: Is secure design meant more for in-house developed apps, or do you take threat modeling to applications or programs that are built by third parties that you’re bringing into the environment?

Derek Fisher: You want to include those third parties, whether they’re SaaS, APIs that you’re using, or a third-party app or product or library that you’re bringing into your own design; those still need to be included in the threat model. The challenge with that is, and I often fall back to this type of position, that if you can’t change the code, then you can include that in the scope of your threat model, but you don’t necessarily have the ability to modify the behavior of that third-party component. What is in your control is the way that you

Chris: That’s not in your control.

Derek Fisher: are able to respond to potential threats coming from that component. For instance, and we’re seeing a lot of this, especially related to supply chain types of attacks, if your design is tightly coupled to a component that you’re pulling in from an outside source, and you find out that that third party has some vulnerability, a critical vulnerability, are you able to cut yourself off from that and replace it rapidly with something different? Those are the types of things that you need to think about in your threat model: what happens if this third party suddenly becomes malicious, or, given the environment that we’re in now, what if we can no longer do business with that third party because of something occurring more at the global or national level? Those are the types of things that need to be built into your threat model. You can’t necessarily change the code, but you can change your reaction to it.

Chris: Got it. With AI becoming more incorporated into security operations and workflows these days, do you think that it will ever replace human-driven or human-based threat modeling, or do you see it as always being more of an augmentation tool with a human needed in the loop?

Derek Fisher: I think threat modeling will eventually be done by artificial intelligence. I think we’re almost there now. You can go to ChatGPT or Claude or whatever AI chat client you’re using, and you can go ask it: here’s some thoughts around, or here’s some specifics around, the design that I’m working on. What are some of the threats I should consider? And it’ll spit out a response to you. That’s only going to get better as time goes on. And I think when you couple that with the ability to do character recognition and image rendering within AI, to basically feed it a design diagram and say, here’s a design diagram that shows what my services look like and my deployment, tell me what’s wrong with this design or what could go wrong with this design, it’s going to generate a response. I think that’s where we are today. We could do that today. As we get more into architecture as code and threat modeling as code, which exists today, those pieces being put together is just not far off. What I would envision is that you get to a point where, with the code that you write, when you start a build in your CI loop, you create a build, it’s going to take that code and generate a YAML file that says, here’s what your architecture looks like. That YAML file gets put into something like Threagile or some other type of threat modeling scanning tool that looks at the YAML file and spits out a report that says, here’s all your potential threats. Again, those pieces kind of exist independently, and I think it’s just a matter of time before they get put together. And to be honest, what’s the difference between that and running a SAST tool

Derek Fisher: that just scans your code and says, here’s all your findings? If you really boil it down, SAST tools replaced the need for secure code reviews, because you have a secure code review basically from a SAST tool. Now we can argue about how good the output from those SAST tools is, but you get something. And with AI, I think you’re going to see that constantly get better

Chris: That’s true.

Derek Fisher: and smarter, to the point where you’re going to have threat modeling done by AI with no human in the loop.

Chris: For the security professionals that are doing threat modeling or have other positions that could potentially be replaced by AI, what advice would you give them in terms of job security? Is it more about learning the tools? Are there paths that they should pivot to now before that time hits?

Derek Fisher: To me, the job of, and I’ll say in the sense of application security, product security, the job of the security architect or security engineer is still in building secure design. And as of now, we can talk about what that’s going to look like years from now, but as of now, that’s still what, to me, the security architecture individuals should be focusing on: how do we take the output from those threat models and turn that into actual secure design? Because threat modeling is a tool. It’s a means to an end. It’s a means to identify threats that are posed to a specific design. Again, similar to any of the scanning tools that we use, when we introduced SAST and DAST and SCA and all the other tools, it didn’t necessarily replace a lot of people. It just altered the way that we did work, and it shifted more to: we’ve got this information about what is wrong with our product and our design, so let’s focus on what we can do to make it better. That equation hasn’t changed. That’s still going to be needed. That’s where I would see it, at least in the next couple of years.

Chris: There’s hope, then.

Derek Fisher: It’s one of those things where we don’t know. We just don’t. Ten years ago, I mean, obviously AI has been around for a long time, but ten years ago if you mentioned AI in Philly you were talking about Allen Iverson. Now everybody knows what you’re talking about.

Chris: It’s unpredictable. Exactly. That’s the answer. All right, I want to transition off of threat modeling and let’s just talk quickly about a trend that I think has been very prevalent lately, which is the security hiring process and job seekers navigating new security careers. And I know that you’ve been on both sides of that, with the hiring of security professionals and also with training future security leaders. I’m curious, in your opinion, what is one of the biggest mistakes that organizations make when hiring security professionals?

Derek Fisher: I’m actually giving a talk about this at RSA, which should be fun, but the biggest challenge with hiring comes around creating a job description that actually meets the role. And I think for many of us that have been on either side, whether it’s on the hiring side or the being-hired side, you look at the job description and it’s generic. And I’ll admit I’ve done this myself as a hiring manager, where I need to hire a security engineer, and it’s, well, I’m not going to write this job description from scratch. I’m going to start with a template, whether it’s the HR template or whether it’s something off of Google.

Derek Fisher: I might modify it a little bit, add some color, add some additional details that are specific to your role. But in general, between the job description and what the hiring manager is actually requiring for that job, there’s a misalignment there. And to be honest, I was having this conversation last night, and this may not be popular, but I think HR gets in the way as well, because there’s certain criteria that HR just layers on top of that job description or that job posting that has nothing to do with a particular role. The person I was having the conversation with said they asked HR,

Derek Fisher: well, why do you need a CISSP for a project management role? And HR said, I don’t know. I don’t even know what a CISSP is. And it’s, well, why is it on the job description then? And those kinds of things, where I think it’s just very disjointed in the sense that

Derek Fisher: what is being put out into the ether in terms of, hey, I’ve got a security engineering role that I need to fill, and you look at the job description and it’s, I don’t know, maybe I fit this role, maybe I don’t. And what’s with all of these certificates or certifications I need? And I think the reality is, when you get into that job, or if you land that job, it’s nothing of what was described in the job description or what the interview even entailed. It feels like a very challenging environment, and I do mentorship, not just with WiCyS, where I have a cohort that I’m mentoring now, but I also talk to a lot of my students that I teach at Temple, and even just on LinkedIn, people I talk to there. It’s a very challenging environment for people to get hired.

Derek Fisher: And it’s disheartening when a job gets posted on LinkedIn and within an hour, a hundred people have applied and you’re, well, what’s the point? You know, you’re an hour or two in and they’ve already been flooded with applicants.

Chris: And you may have one qualified. I think that’s the other part of that: you have to have that proper job description that then leads to proper candidates. You do have that domino effect. Which I’ve unfortunately been part of.

Derek Fisher: Yep. I mean, even myself, when I was looking for work a couple of years ago, you’re just a number. You’re just part of the noise and you’re with everybody else, just trying to beat the system. And job hunting has become a lesson in beating the system, and the sad part is that the hiring managers and HR on the other side, they’re doing the same thing. They’re trying to beat the system, because job seekers are now leaning on automated tools and other types of services to try to get through the automated systems that the organizations have put up. But the organizations put those up because a hundred people were applying within an hour for a role and only a handful of them actually have the skills needed. There’s this kind of arms race between both sides, and honestly I don’t think anybody’s winning in that race. It’s just not a great scenario now.


Chris: No. I would love to hear from an organization that has that process down and how they do it. Because it takes time, beyond that, to prove that it was a success. You could bring someone in that just BS’d their way through. But, you know, those repercussions are going to hit later in time. I would love to hear how that’s being measured and what works, because

Chris: Most places are doing it. I don’t think.

Derek Fisher: No, again, it’s a bad scenario now. And again, talking to people on the hiring side and talking to people that are trying to be hired, both sides have frustrations, and it’s really not doing anybody any service.

Chris: If you’re speaking directly to someone that’s looking to break into the industry, especially in areas like AppSec or DevSecOps, but has little to no real world experience, what would you say is the optimal place that they should start?

Derek Fisher: For me, it’s really understanding what’s in demand. I get asked a lot, I’m sure Chris, you probably do too. I get asked, hey, I want to get into cyber, what should I do? And oftentimes I ask, my response is, well, where’s your interest? What is it that you’d like to do? What appeals to you about cyber, and not just cyber, but what appeals to you about technology? To be honest, a lot of times the responses I get, the vast majority of the time, it’s, I want to be a pen tester. And it’s, why do you want to be a pen tester?

Derek Fisher: And to be honest, the pen testing type of roles, it’s just so saturated that there’s too many people trying to get into it, not enough roles in it. And I think it comes down to, again, understanding where your expertise is, where your passion is, because you have to actually like what you’re doing. You can’t just get into cyber. And I’ll be honest, I think that a lot of people think that cyber is glamorous. It’s, you know, I’m going to make a lot of money and I’m going to be able to see the world and do all these things. And the reality is that it’s a job and, you know, there’s things. It’s not a nine to five, but you know what I mean? It’s a job that you’re dedicating yourself to, and you really have to like what you’re doing. And you have to really feel what you’re doing is making a difference, in that you can go home at the end of the day and say, I made a difference. I did something good. I enjoyed what I did. I learned something new, those types of things. And I do feel some individuals that are trying to get into cyber are kind of doing it for the reasons of, I’m going to make money, I’m going to have a successful career and all these things. But you have to go where the openings are. A lot of the roles that are open now are in risk related roles and they’re in defensive type of roles. Pen testing doesn’t rank up there. It’s basically managing risk

Derek Fisher: and design type of roles. And those are where people that are trying to get inside should be putting their focus. And that may change. A year from now, something else might pop up. There may be more open in different areas. But now, that’s where the roles are. And understanding that, understanding, hey, is that something that aligns to what I actually feel I’m passionate about and feel I can make a difference in, then go for it. But I think that’s always the starting point, is to figure out what do you want to do? Are you going to be happy doing it?

Chris: I think there’s a void too for individuals at that low level in terms of just knowing what positions exist. What is your take on those types of individuals going to networking events or trying to look for mentors just to understand positions available and gain exposure to what those are and what to expect from those? Because like you said, with pen testing, it could just be that’s what they see. That’s what they see online. That’s what looks interesting to them, but could be completely different once they get there. How do they gain that real life exposure from people that are already on the front line?

Derek Fisher: I think like you said, going to events, connecting with people, starting conversations with people that have been in the industry. I’d be happy to talk to anybody that wants to reach out. When somebody mentions, I want to get in cyber, like I said, the first thing I ask is what do you want to do? And it’s pen testing. I think because, like you said, that’s kind of the most glamorized, well-visible type of role that’s out there. But the reality is, like I said, that risk type of roles are the dominant roles that are open. Nobody

Chris: They want to be a hacker, but they want to do it legally. And the closest to that is going to be a pen tester.

Derek Fisher: Nobody, I’ve never had anybody come up, well, I shouldn’t say never. I’ve had very few people come up to me and say I want to get into risk. You know, because even I don’t want to be in risk. You know, those are the nerds. But, but

Chris: But to know what that involves from an organizational level is, I think, where there’s some confusion.

Derek Fisher: And there’s, again, cyber, the way I always equate it is that when you look at technology as a whole, there’s so much. There’s the hardware aspects, there’s the networking, there’s software, there’s cloud, there’s all these different parts, whether it’s robotics and, anyway, there’s a ton of different parts of engineering. Security sits on top of all of that. When you say, I want to get into security, that’s why I was saying before, think about technology. What in technology appeals to you? Because then that’s going to help you get into that type of role, because all of those parts of technology need security and generally have security layered on top.

Chris: I would also advocate for focusing in on a niche part of technology that you may enjoy, but within your own mind, you think it’s so obscure that there’s no security positions needed for that. But I think you’re wrong. And I think that that’s where you’re going to become more valuable as a candidate, by having that niche expertise.

Derek Fisher: And 100%, because for the longest time I always thought of AppSec as being kind of a big deal in security, only to find out when I talked to other people that aren’t in AppSec or haven’t been in AppSec, they’re, what is AppSec again? It’s, wait a minute, what? But they say the last thing the fish recognizes is the water. If you’ve been in it, you don’t realize how small of a part that plays in the overall security thing,

Derek Fisher: security system. But, I mean, find a niche, a place that either is just underserved or maybe a future tech that is coming on the horizon that you feel you have an interest in, and figure out, is there space in there for security to be layered in?

Chris: I did mention this, but you currently teach software security at Temple University, and I’m always curious to know from the educator standpoint what the biggest gap is that you see between what students are learning in academia versus what they actually need to know in the real world, because it’s often very hard to replicate real world situations in a textbook or in a classroom. Is there a challenge of preparing students for industry work? And are there areas where schools need to do better, in your opinion, at applying more practicality for our future workforce?

Derek Fisher: I mean, I experienced this myself and I’m sure plenty of others have as well, but I graduated with a computer science bachelor’s. And when I got out into the real world and got my first software engineering job, my degree prepared me absolutely zero for that role. And it’s the mundane things. We didn’t learn about source code management in my bachelor’s degree. We didn’t learn necessarily about the testing cycles and

Derek Fisher: Deployment into production and how to manage that in operations, and those kinds of things are things that you learn on the job. And yes, you learn how to write code, not great, but you learn how to write, and it gives you... To me, university gives you the training wheels to prepare you to actually get out, to take your first ride on that bicycle. But the job takes those training wheels off and gives you the real world experience. You’re going to fall off your bike. You’re going to hit a tree. You’re going to do all those things. But those are the experiences that you start building up. I think when universities are looking to prepare the next generation to get into a workforce, they have to be able to provide some type of real world experience, and that often comes from partnering with companies in the area. Internships are a great example. If you can land an internship, that gives you that exposure to some real world type of environments. But they’re often short-lived. You don’t always get real experience as an intern;

Derek Fisher: you’re kind of, and again, this is a blanket statement, I’m not saying this is the way that it is everywhere, but you’re kind of given a pet project or something to say, here, go off and do this for your six to eight weeks or a couple months or whatever, and then report out at the end and you’re good to go. I think where we can better partner with organizations in the area and really provide our students the opportunity to get their hands dirty in a real environment and actually do productive work for an organization, I think that’s where you’re going to get the most, because teaching from a textbook, getting through your 30 classes or whatever you have to take to get to your degree, you’re going to be academically ready but you’re not going to be real world ready. And we are trying to do that with Temple. We are looking to see how, especially in our cybersecurity program, we can align our students with real world projects for some of the local companies that we have, so that they can get that hands-on experience.

Chris: Speaking of our future workforce, you wrote Alicia Connected, which is a book series that introduces kids to cybersecurity. If you don’t mind, talk to me a little bit about that, and what was your inspiration for writing that?

Derek Fisher: I wrote it at the time when my daughter was around the age of the main character. You know, I had been in cybersecurity for a couple years at this point. And I decided that, hey, it’d be good to kind of give back to the next generation. And I had never written a book before, definitely not a children’s book. That was always kind of a bit challenging. I do remember, I think we were heading on vacation and I was actually writing in the car while my partner was driving. And I think I actually wrote it through the pandemic and got it released afterwards. It was one of those things where I had time on my hands. You know, the topic really kind of resonated with me. I had a daughter that was at that age, I think.

Chris: And the topic resonated with the time too, I think because during the pandemic year, everything was virtual.

Derek Fisher: Everything was virtual. And a lot of kids were getting introduced to technology. Maybe prior to that, their parents were kind of keeping it at arm’s length. But at that time you didn’t have a choice. You had to kind of set them up with the technology. And it has definitely been, since then I’ve written two other books. There’s a three-part series of the book.

Chris: Nice.

Derek Fisher: But it really is a very challenging environment for parents. We give this technology to our kids. And I always kind of liken it to giving a car to a 10 year old, because it’s a very similar situation. The child is not ready to be able to manage everything they have to manage in that situation. And we all know what the Internet looks like. And even adults with thick skin and the ability to kind of let things roll off.

Chris: That’s still disturbing.

Derek Fisher: You get one negative comment and your whole world collapses. And yet we’re adults and we can kind of brush it off. But for kids, it’s just a totally different environment. And I feel for a lot of parents that are struggling with that topic and trying to get them to either use technology in a way


Derek Fisher: that is appropriate or completely keep them away from it. I could go on for a long time about it, but there’s a lot of different challenges in that space. And it’s heartbreaking sometimes to see parents that have had tragedy from these devices and from the exposure to things like social media and the different challenges they face. I mean, it’s heartbreaking.

Chris: I know we could talk about this for a long time, but if you just have one moment, what is probably the biggest security challenge now for our next generation? Is it the AI deception techniques now? Is it just, what should parents be aware of today?

Derek Fisher: I think technology is just going to be everywhere. We’re seeing that more and more where I’m within arm’s reach of multiple devices, and it’s going to continue to just be pervasive. I think, I always, I told this story recently, but

Chris: Constant connectivity.

Derek Fisher: It was sort of, not a joke, but it was sort of a funny, lighthearted way of looking at it. But there was a teenager whose parents took her phone from her because she did something. And she was trying to post to her audience on Twitter, at the time. And her parents took the phone. And next thing, it shows her posting from the refrigerator, because she managed to somehow log into Twitter on the refrigerator and send a tweet from there. Kids will find a way to get around this stuff. Again, it was kind of a lighthearted way of looking at it. But at the same time, I mean, it’s everywhere. It is everywhere. This comes back down to the fundamentals of parenting, to be honest: you have to be able to have open conversations with your kids. You have to be able to know what’s going on in their lives. You have to be able

Derek Fisher: to have real conversations about the dangers that are on the internet, because they’re not getting any better. The bar keeps on getting lower and lower. And I think, with, you mentioned with AI, being able to tell whether something is false or not has become a skill, to be able to see through some of that stuff. It’s just

Chris: We know that, we understand that risk, but for others not in our industry or for younger ones, they’re definitely not thinking about that.

Derek Fisher: And even for us sometimes it’s hard. You almost have to take everything that you see on the internet as false as your default, and then slowly start piecing together whether it’s actually true or not. But you have to start from, this is fake, and then build from there. And again, those are the things I think we need to tell our kids, is that

Chris: It is. Zero trust.

Derek Fisher: you read on the internet, it can be trusted, because anybody can put anything up there, and it doesn’t necessarily mean... And it’s a shame that that’s where we are, because the promise, you go back to the origins of the internet, and it was information sharing between universities. That’s how the internet started, and the purpose of that was to share information that was academic, legitimate, could be trusted. And then you slowly morph into where we are today, where it’s, I

Derek Fisher: I can’t trust anything I see on the internet

Chris: Yes, completely reversed. Looking ahead, you know, whether it’s product security or even just the industry holistically, what would you say are the trends that you’re most excited about? Are there any breakthroughs on the horizon that have caught your attention at the moment?

Derek Fisher: I don’t know enough in either of these spaces, but the two things that I think are going to be interesting are robotics, and when I say robotics, I mean physical robots, and how that’s going to change what our society looks like. I’ve grown up watching sci-fi where androids are everywhere, and then you get to certain sci-fi movies where you can almost not distinguish between an android and a person. I’m a huge fan of Blade Runner and that’s kind of the premise there. I think that we’re going to see that in our lifetime, probably not too far off. That to me, I think from a security perspective, that’s going to be challenging. And that will really, really change the way society, I think, operates. And the other thing is quantum. I’m really interested to see the impacts of quantum, again, not just to security, but just in solving problems that we have nationally and globally. I think that’s going to be a very interesting space going forward. And again, I don’t know enough, I mean, I know enough to be dangerous in those spaces, but I don’t know enough, but I’m sure that as things progress, it’s going to become more ubiquitous the same way that AI is today. Of course, we were talking about, I think AI is going, we’re just not going to know what it’s going to look like, and who

Derek Fisher: with the combination of any of those, whether it’s AI and robotics and quantum, what is that going to look like a couple years from now? There’s a lot on the horizon. The one thing I think about, I’m a big history buff. And even going back to thinking about early, could you imagine

Derek Fisher: fast forwarding somebody from 2000 years ago, 3000 years ago, to today, their minds would just be blown. It’s crazy to think how far we’ve come in a short period of time. And when you look at the progression of technology, it’s really a very small window. We went from the Wright brothers flying a plane in North Carolina off of a sand dune to putting a man

Derek Fisher: on the moon 60-some years later. I mean, that’s insane. I think we’re going to see just this rapid evolution of technology and I think it’s going to be interesting.

Chris: That’s insane. Now reverse that. Say that you went 2000 years back, or even, let’s say you went 100 years back. Knowing what we know today, would you be able to explain to somebody how to reproduce that to get to where we are today? I think that, with all this knowledge I have, if I go back.

Derek Fisher: I don’t think. I just

Chris: It’s going to look no different than what it did, because I would have no way of plotting that evolution, because I don’t know how that shit works, and they would just laugh it off. They’d be, OK.

Derek Fisher: I mean, could you imagine explaining to somebody... I even remember telling this story recently about how, when I was in elementary school, I remember my neighbor said, we’re going to have telephones that will allow you to video chat with somebody. This was in a time when the telephone was screwed into the wall of your house. And they’re, you’re going to be able to, there’s going to be a video camera on there and you’re going to be able to talk to somebody. I’m, why would anybody want to do that? What? And I, magic.

Chris: But then you get asked, how is it done? And I’d just be, I don’t know. It’s just done.

Derek Fisher: It’s magic. Well, it’s interesting because there’s a book, it’s basically a coffee table book, but it’s massive. And it’s something about how to restart civilization. And it answers those questions of, here’s how you build X, Y, Z, or here’s the schematic for doing these things. And I always look at that and I should really get it, but it’s kind of expensive. It’s, do I really need it that bad? That’s what I was thinking. It’s going to be in my go bag when the zombies come.

Chris: That would be interesting to see. You’ll probably never need that. But I always think, if I’m in that situation, I’m sorry, I can tell you what it’s going to be, but I can’t help you build it. It is what it is. I mentioned before, you’re in the area, we often run into each other at different events.

Chris: And this next question we can keep within the state lines of PA or you can go beyond that. But I’m just curious, what’s the coolest bar or the coolest bar type atmosphere that you’ve ever been in?

Derek Fisher: I like the bars that combine arcade and drinking. There’s one in Phoenixville called, I think, the Underground something. It’s in Phoenixville, and it’s literally underground. I think it’s called the Dungeon or something like that. There’s one in West Chester as well that just opened up, which is pretty cool. But then, of course, in Philly, there’s one called the Barcade, which is pretty good. It’s near there. That’s a pretty cool place. And then there’s...

Chris: That’s there in Independence Hall, or near Independence Hall. I’ve been to that one. It’s two levels, the one that’s two levels.

Derek Fisher: Yep, and then there’s one called Flight Club. Flight Club. It’s a dart place. And I’ve been to the one in Chicago. And it’s a really cool atmosphere. It kind of has a circus type of atmosphere. Not circus, but it’s got that circusy type of feel. They have all kinds of different games on the dartboard that you can play. And they’re supposed to be opening one in Philly. It was supposed to be opened, I think, in the winter, but we’re now past, or somewhat past it. Hopefully that’s opening soon, because that’s a really cool environment in the end.

Chris: Derek, well, I just heard last call. You got time for one more?

Derek Fisher: Sure.

Chris: Alright, if you decided to open a cybersecurity-themed bar, what would the name be and what would your signature drink be called?

Derek Fisher: I don’t know why, but I love the art deco type of theme and aesthetics. I would open up a bar and make it a combination of a speakeasy with an art deco interior. Maybe add a riddle or some type of security challenge—like you have to “break in” to the speakeasy instead of just walking in.

Chris: You have to find it, then once you find it, you have to figure out how to get in.

Derek Fisher: Yes, exactly. Following the old speakeasy vibe. As for the drink, I’m a big whiskey and Scotch guy. I like whiskey sours or old-fashioneds, but I’ll also take it straight up. I think I’d call my signature drink the Zigzag Whiskey Sour.

Chris: Zigzag Whiskey Sour. What’s in that?

Derek Fisher: Whiskey, a little bit of lemon juice, a little honey ginger syrup, some orange bitters, and an egg white. I still have to try this. I sort of slapped together the recipe, but after I saw it, I thought, “I could probably give that a go.” I’ve only had a whiskey sour with an egg white a handful of times because something about that just weirds me out a little. But with the price of eggs these days, I’m sure the drink will be a $30 cocktail. Usually, if I’m doing what I call the “poor man’s” whiskey sour—

Chris: Or it’s lemonade mixed with whiskey.

Derek Fisher: Hey, that’s my picnic-style whiskey sour.

Chris: I need to try that. That’s your “poor man’s” version. Well, thanks again. It was great seeing you. Before you go, would you mind letting us know where we can find and connect with you online?

Derek Fisher: LinkedIn is always easy. You can also check out my site, Securely Built. I have some training on there, and you can find out more about what I’m working on, both on LinkedIn and the site. I’m also on Substack—Securely Built on Substack. But other than that, LinkedIn is usually the best place.

Chris: OK, and then you said you’ll be at RSA. Are you going to Black Hat and Def Con again this year as well?

Derek Fisher: Not this year. RSA is the big one. I’ll be at WESIS in Dallas in a few weeks, and then RSA at the end of April going into May. I’ll be at Boardwalk Bites in the summer, so I’ll be around.

Chris: Okay. Cool, man. So for the listeners that are tuned in, if you’re going to RSA, look up Derek, buy him a whiskey sour, and you’ll be glad you connected with him. Or just lemonade and whiskey. All right, Derek. Well, thanks so much, man. It was great seeing you and I’ll see you soon. Take care.
