ITSPmagazine Podcasts

Empowering the Next Generation: A Conversation with Cybersecurity Veteran Chris Marks | Loops and Lifecycles Podcast with Josh Mason

Episode Summary

Chris Marks shares insights on cybersecurity education and standards, plus the need to prepare the next generation for the digital world.

Episode Notes

Guest: Chris Marks, Information Security Officer at First Databank, Inc

On LinkedIn | https://www.linkedin.com/in/christopher-marks-7357441b/

Host: Josh Mason

On ITSPmagazine  👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/joshua-mason

______________________


Episode Introduction

Chris Marks highlights the need to prepare the younger generation for the digital world and emphasizes the importance of cybersecurity awareness and practical skills. He mentions the challenges in the field, the need for internships and co-op programs, and the gaps in traditional education systems. He also discusses the potential for cybersecurity standards and the impact of cybersecurity on various industries. The conversation explores evolving beyond passwords and the need for more robust authentication methods. Overall, it's a conversation about the state of cybersecurity education and the efforts to improve it for the next generation.

______________________


For more podcast stories from Loops and Lifecycles Podcast with Josh Mason, visit: https://www.itspmagazine.com/loops-and-lifecycles-podcast

Watch the webcast version on-demand on YouTube: (coming soon)

Episode Transcription

Josh Mason: [00:00:00] Welcome to Loops and Lifecycles. Today I'm joined by Chris Marks, and Chris, tell the audience about yourself.

 

Chris Marks: So I'm a cybersecurity veteran. I'm not gonna say expert because expert is relative. You could be in cybersecurity for 20 years and still not be . You not know everything. So I'm a cybersecurity veteran. I'm originally from Louisiana. I've been in cybersecurity on the corporate level since 2012.

 

2000, yeah, 11, 12. Been in it since 2003. Live in Dallas, Texas currently. And just love doing cybersecurity work. So that's me.

 

Josh Mason: Nice. So our friend Phil Wylie connected us and what are, what have you been up to recently, Chris?

 

Chris Marks: So I actually ran into Phil [00:01:00] last month. It was the first time in three years I've seen him face to face. And when people you said Phil's. Our friend Phil's everybody's friend. There's not, no, there's not a person in cybersecurity I have met yet that hasn't known Phil Wylie. So that is awesome.

 

But lately it's just been trying to improve cybersecurity posture as a whole with the company I work for, but also too, just trying to, I trying to get the younger generation into it. Everybody, there's a . We wanted to today's side where there's not uneducated, but also miseducated and there's more miseducated than uneducated because you could go on YouTube right now and hear people talk about, oh you don't have to be technical to be in a technical role.

 

You may get a job, you're not gonna keep it. And I'm speaking somebody who makes those decisions where somebody gets hired or [00:02:00] somebody gets fired and a lot of companies and a lot of people are seeing that, hey, even people four year degrees are coming outta college and they're not getting acclimated into the workforce immediately.

 

So I'm trying to go into colleges four year universities, two university community colleges, And even like some high school programs and talk about cybersecurity and what people need to know and understand that what you go into school to do, that's the minimum You need to be on your own figuring some of this stuff out.

 

And there's plenty of websites why I like I know a lot of people that I have their own content and that's great. Me, I would never I don't foresee myself making my own content because there's so much good content already. Why reinvent the wheel? It is just using that content and directing it to the right people.

 

Josh Mason: exactly. Exactly. I love this. For those who are new to listening to this channel on loops and lifecycles, we talk about technology, [00:03:00] cybersecurity, life, and sometimes flying because I used to be a pilot

 

Chris Marks: Oh, that's dope.

 

Josh Mason: we improve and just mature. In all different ways. And it could be the DevSecOps Lifecycle, it could be CMMC or CMMI.

 

Everything moves in a maturity model from baby steps up to excellence and what you're talking about right there, taking the education for cyber. Because it's, if you were gonna like put a a number on it, it's at like stage one. I, I believe where there's some people who are trying, there's places that are, are doing it.

 

SANS has been around for a long time, but I don't even wanna say that. It's hitting like the maturity point of is, but Man SANS is so expensive and is anybody that watch SANS or from SANS that's watching this look, y'all have a good product. I will

 

love you.

 

Chris Marks: But [00:04:00] does it really have to be that expensive? Like really?

 

Josh Mason: And I, I get it. Chanel doesn't need to like mark down their bags. I

 

Chris Marks: Yeah.

 

Josh Mason: bags right. Like, I get it, but at the same time, like we need an alternative. We need like we need good alternatives, and there's, there's folks who are, who are starting things. I'm going to Wild West Hack next week, and Black Hills Information Security is doing good stuff.

 

Keith Adams is doing, I think, the closing keynote and they're doing good stuff at TCM Security. I've worked at INE in the past and they're trying to put out some great stuff. We, we know plenty of people who are getting there, but again, this, it's this low maturity level. For this, the industry as a whole.

 

Some organizations have, have things worked out pretty well. I think TCM and [00:05:00] TCM's got a good system. SANS has a good system. Black Hills or Antisyphon Training has a good system. But like you were saying, the colleges, the schools, what about them and

 

Chris Marks: yeah. It's not just cybersecurity, it's, it is developers they're Yeah. You, they're, and it's not just, In Texas or Louisiana. But like in New York, it's all over. It's really, 'cause that's the people I've talked to and they're that, hey, these kids are going to computer programming four year colleges come out going to the workforce and all of a sudden it's, they don't know what to do.

 

Like they're not getting acclimated and. It's crazy because we live in a world now right now, where every also two people think AI is gonna take their jobs. And I understand something when it comes to AI. If we're just talking from a developer standpoint, you have to know how to program in order [00:06:00] for AI to help you.

 

AI doesn't put Libraries and know what to look for. It'll give you, it'll give you a good format. But their form, I say a good format because it types up a format in roughly a 60 seconds. But you have to go and you have to edit and troubleshoot. You spend

 

Josh Mason: Oh yeah.

 

Chris Marks: hours doing that, but. I'm just trying to help these kids understand hey, okay what are the universities teaching?

 

Like what programs like, like my school still teaches c plus. Yes, there's some things that's written in C Sharp. But why are we still spending time on c plus when even the professor, I had an instructor I talked to, he's I hate c plus. Now, why? Why are we doing it? Why so important to it.

 

Let's talk about the different scripting aspect. Let's talk about Python since cybersecurity is gonna be doing it. Let's talk about PowerShell, let's talk about what's going on in [00:07:00] the cloud. What are with Terraform? What let's get these kids understanding these programming languages and then when they graduate.

 

But I, I always say this as People ask, do you need a degree? Do you need a certification? You need both. And I think it's time for four year universities to start doing both. You're going your theory, but you're also to work these certifications to where these kids get certified and have a degree.

 

So they get a better understanding where the workforce mindset is and then send them on the way. But it's also letting these kids know Hey, all these students know. You have to do this on your own, and I think adults. When I say older adults, like people 30 and up that go back to school, understand 'cause they've been in the workforce.

 

Okay,

 

Josh Mason: Right, right.

 

Chris Marks: take more of my time on my own, but let's get that mindset [00:08:00] into a 16 year old who's still deciding where to go to school? What do you want, wants to, what they want to do? What what major did they want to have? And understand the grasp of it. So that's what I've been doing.

 

Josh Mason: That's awesome. I love it. I love it. Yeah, my mind's. I'm going over a dozen things right now off of that. I know WGU is doing a really good job of putting out a model along those lines, getting certs alongside training. It's not perfect. I know people who are in the program, a lot of people who've gone through the program.

 

It's good stuff, but it, it shouldn't be the lone good system out there. There's several I don't want to use the, the B word, the bootcamp word, but

 

Chris Marks: Oh yeah.

 

Josh Mason: few programs at schools that I know are doing a decent job. There's a lot that lead, lead people in a poor position are just [00:09:00] making organizations money.

 

Chris Marks: Is the way they market boot camps. Boot camps should not be done until you've actually studied. Everything that the bootcamp says, like instance, if you do a C N A bootcamp. You need to have read that whole CC in a documentation, that big manual before you go to the bootcamp. The bootcamp.

 

Don't call it a bootcamp. Call it a refresher. That's all it is. Like you go and you refresh, and then the test, they tell you, okay, look at this for the test. Look at this for the test. I'm like, okay. Oh, but if you go to a bootcamp, week long boot and then go to exam, nah, that ain't happening. This not happening.

 

Josh Mason: No, completely agree. And there's, there's things that we could do on both sides as an industry, make it really put out what do people need to know to get started on the job? 'cause there's the information, you know, there's the information. [00:10:00] I know there's a lot of information that senior people know and, and if they turn around, they go, oh.

 

You should know this. This is gonna make you lethal in your job. And it's like, that's excellent. I need to get the job first. What'll get me in the door?

 

Chris Marks: Job and in the door. That's, that, is that, and I, one thing I will say, four year colleges or four universities do an all right. Job is just, we need to do more. They need more to understand it. It's internships.

 

Josh Mason: mm-hmm.

 

Chris Marks: You look, if you students and you're in college, co-ops, internships, while you're in college, go in, see the workforce, see how people work, see the expectations.

 

Then when you give back to school and you're going back over theory, you know exactly how the theory is supposed to be implied into the workforce. So you're absolutely right. There's a lot of WGU the, I don't know. [00:11:00] They really do intern. I've heard of people actually getting their and master's degree.

 

Yeah. I do think like the four year colleges they really need to work with more companies to get these students, especially these tech students into internships. You're a pilot, okay.

 

Josh Mason: There should be plenty of them too. And it's, this isn't a new thing, I think of all the lawyers out there.

 

Chris Marks: Oh yes. Oh

 

Josh Mason: you don't get a job. You don't graduate from law school having never done an internship.

 

Chris Marks: Oh.

 

Josh Mason: and they get paid nothing during their internship. But you go and you work for a big law firm and you, yeah, you get paid nothing, then you have the experience.

 

You come out and they're like, oh, you work for so and so

 

Chris Marks: Doctors. Doctor's. Another one before you're released. You have your residency where you don't make any money, but you're under the tutelage of an advanced [00:12:00] doctor. They're showing you, and to my earlier point, you're a pilot first. It doesn't just study how to fly in a classroom.

 

Then you tell 'em, get in this plane and fly it's baby steps. Okay. With an instructor. Real life scenarios like. Why? Tech should be the same way. Okay, we're in school, we're studying, okay, now let's go apply it somewhere. It is

 

Josh Mason: Yeah. And there's, there's been folks who say, we need to have certain standards. That what we're working on is at the same level. We could shut down companies if we do security. Wrong. Companies go away. Schools, districts, and towns have gone bankrupt because they've gotten hit by ransomware and the guy doing the it, I don't know, maybe he took second bus, he didn't.

 

Chris Marks: So to that point, yes. So I'm in the Dallas-Fort Worth area.

 

Josh Mason: Mm-hmm.

 

Chris Marks: And [00:13:00] you can look it up, how the DFW, like Dallas Police Department's emergency 911 got hit with ransomware and how long it took for them to come back up. It crippled them to the point where they had to make an announcement to people that, hey, police are responding longer, longer times to take response because we're trying to get them the correct information 'cause their systems wasn't up.

 

If I'm a criminal and I know that and then you come to find out they think we did our patching. Okay. Yeah. But are you having offsite backups? Are you doing your DR tests? Are you educating all of your employees on what to look out for? To your point, you're absolutely correct.

 

We should have certain standards because what is [00:14:00] happening are that external audit, that third party audit to test your systems to see where you rank? Tabletop exercises, are you doing that? Yeah.

 

oh,

 

Josh Mason: got me thinking about a whole bunch of other stuff too. Think about builders. Oh yeah, we get there. But I was just thinking like builders, plumbers, electricians, I. People have to have licenses they do work. They gotta get permits the city. Like, and if your plumber messes up something, what?

 

It's gonna cause a bunch of damage. It lot of money.

 

Chris Marks: Definitely.

 

Josh Mason: gonna like bankrupt the company and like make people No, but we've got systems in place that like that has to be done, right? There's a code and you have code inspectors that are paid by the city to make sure plumbing was done right.

 

Cybersecurity.

 

Chris Marks: Dude, we The Wild, wild west. Literally then we talking about maturity level. We're the wild [00:15:00] west. And yes, we have in the wild West you have Marshalls and things of that nature. But it takes so long for them to come to town to create the and then when they're gone, it goes right back.

 

So we definitely should have standards but we're also in a race where everybody's trying to be . That's standard. And not everybody could be NIST. I'm sorry, NIST got NIST. ISO has everybody because all everybody's framework is based off of that.

 

Josh Mason: Mm-hmm.

 

Chris Marks: There's not, you can't tell me, not HIPAA, not GBLA, not CMC, not a single compliance that doesn't have a NIST F frame or ISO framework.

 

So is, but everybody's trying to be that person.

 

Josh Mason: And,

 

Chris Marks: be honest.

 

Josh Mason: and, and if you get down to, the reason we have fire codes, [00:16:00] building codes is because of like the Chicago fire the San Francisco earthquake, things that have like destroyed whole cities over things that could, could have been fixed by building rain. And now I don't want, I don't know I hate using this term, but like the 9/11-type event for cyber.

 

But I feel like we've had a view that should have been like, wake up, let's get, get this right and yet here we are

 

Chris Marks: Have we gotten have we gotten adjusted to it? Like serious, like when we talk about Yeah, the Chicago fire the second city that was catastrophic news. Now it's like . Whenever you turn on the news or you're seeing a report, it's we're just, we're not phased as a society now in the cyber world.

 

My cyber friends who paranoid to whatnot [00:17:00] they're not like I know people that try to have, no digital identity at all because they know what's the re the ramifications of it, but, To that point, what was shock? What kind of event was shockers in 2023 and to say, Hey, we need one complete standard.

 

What level of event? A whole state being taken down,

 

Josh Mason: Yeah, I don't know. It's, something's gotta happen and I, I like the approach you're taking. I do wonder though, if we're gonna get there the leading cause of death in North America, if it's not like health related, like. Heart disease, cancer, the leading cause of, like most people dying is in a car in the United States.

 

And

 

Chris Marks: to man. That's about

 

Josh Mason: I'm about to drive probably for a couple hours today, like go into a thing and back and somewhere else, like, and I'm not even gonna think about it, like I'm gonna [00:18:00] do what I know is safe.

 

I'm not gonna do something stupid. But at the same time, We go out and we just drive cars and people die in them all the time.

 

Well, what about cybersecurity? Like if we can't get people to think about like, oh, how do we solve that problem? How do we get them to think about it? How do we solve the cybersecurity problem? I like starting at the beginning. If we can get people young, if we can get people before they've. Realize what, what the world's like as an adult. their head with that useful knowledge of, Hey, this is how we, we become better. I think that's a good starting point,

 

Chris Marks: It to let them know how it affects their lives. Cybersecurity, you don't have to be in cybersecurity to know that cybersecurity affects your life. Perfect example, doctors. Doctors gotta go through these Epic systems. Al al systems, whatnot. They're the, they get upset at the amount of times they have to make a password or whatnot, but [00:19:00]

 

it is what it is. You're dealing with health records and they know that the nurses they're in there all the time. So you're not you're not technical. To that you're, your mindset is somewhere else and your expertise is somewhere else, but you still deal with cybersecurity rules.

 

So if we speak to these young kids about it, and that's what I wanted. I wanted to. Tell them about it. I wanna show them how it affects their lives every day. So they're seeing a news report, or, and let's be honest, we live in a country that needs a dramatic update in the way it passes its policies.

 

Josh Mason: Mm-hmm.

 

Chris Marks: Cause I, how many people in Capitol Hill. Let's no, I'm gonna talk about it. 'cause we see it in local governments. Like I said, with the ransomware. Shutting down a city, your mayor and your mayor, and all of [00:20:00] them need to know about it. Your councilmen need to know about it. Your governor needs to know about it.

 

Your state representatives need to know about it. Capitol Hill needs to know about it, and it doesn't have to be. It doesn't have to be in the back for it. You need to put it right here now because don't come and tell me the big bag. Boogeyman of Russia and China want all your data, but you're sitting here arguing about a wall in Mexico.

 

Josh Mason: Yeah. Yep. Got me thinking about the videos, the, the reels, the tos of Mark Zuckerberg on the hill. I. And the senator's asking questions that like, my daughter can answer for you, and

 

Chris Marks: Yeah.

 

Josh Mason: It's just, I don't know. A few things there, like if we can get folks while they're in young, in school, I mean, we make people learn algebra and geometry and calculus.

 

Like, do I use it? I don't know. Probably, but, but what do I use more? [00:21:00] This right here? Like, let's make this as important as . And math and

 

Chris Marks: Okay. To, to your point again, algebra, geometry. . We use calculators every day but we know how to check a calculator if it's wrong.

 

Josh Mason: Mm-hmm.

 

Chris Marks: learn about history. And you'll see this on debates and whatnot when people talk about history, whatnot. We can go back and fact check because we that experience.

 

We need fact checkers when it comes to cybersecurity

 

Josh Mason: Exactly.

 

Chris Marks: procedures. That's all it is. . That's to your point. You're absolutely right. We need, it needs to be taught like in high school.

 

Josh Mason: Yeah. And there's creativity there. You, you were talking about passwords, like we gotta move away from passwords, but, and there's a, the passwordless revolution, but truth be told, it's gonna be, it's gonna be someone [00:22:00] in their early twenties that comes up with, oh, hey, this is what's gonna work. Next generations.

 

This generations, Mark Zuckerberg, I hope, comes up with the cybersecurity solution that puts us out of a job so we can do something even cooler,

 

Chris Marks: So here's thing. Yeah. And here's the thing. To your point about passwords we need to move away. We know we need to move away, but we're still using it. It's so antiquated that we have so many passwords and so many rules to passwords that we have to have password keepers. I'll be I can't even think about how many passwords I use every day.

 

Josh Mason: Mm-hmm.

 

Chris Marks: Every day. Even in your personal life, your Netflix account, you wanna go watch Netflix? My daughter wants to watch something on Netflix. Okay. Gotta get in the hard account that, that password. Disney Plus. Yeah. Okay. YouTube TV.

 

Josh Mason: Well, and it's funny [00:23:00] that like we're having to reeducate people, like people knew passwords a long time ago. Like Ali Baba, 40 days, like open sesame. It's a, it's two words. It's got a special character, it's got a space in there,

 

Chris Marks: I got space in there. Right? it's more than eight characters. So, You we've moved, we've, we've, we've moved back.

 

Yeah. They was using cyphers Roman Egyptian days. It's, it is just time to evolve to find better ways to authenticate, but

 

Josh Mason: yeah.

 

Chris Marks: it's finding the right way, yeah. And just make it a normal thing. I don't know. We'll get there. We're doing good work. Love what you're doing, Chris.

 

Thank you.

 

Josh Mason: Thanks for joining me today and folks, thanks for listening in on this conversation. If you enjoyed it please like and subscribe and follow and share [00:24:00] with your friends, and we'll see you again for another one in a couple weeks.

 

Thanks,

 

Chris Marks: right.

 

Josh Mason: Chris. Bye-bye.

 

Chris Marks: Oh, thank you.