
John Strand isn’t interested in fixing the broken security education system; he’s tearing it down and rebuilding it. In Part 1 of this two-part conversation, the founder of Black Hills Information Security explains why scholarships don’t solve the real problem, how American universities are losing ground to European programs, and the unexpected places where he’s finding the next generation of security talent.
What We Cover
Why scholarships preserve a broken system instead of fixing it
The barriers that actually matter: not what you expect
American universities vs. European programs: who’s winning and why
Career changers bringing new perspectives to the industry
AI’s “fallow period” in hiring and what comes next
The standardization of mediocrity: how AI is making everything “blah”
Listen Now
Tune in to hear our discussion with John Strand.
Guest Bio
John is the owner of Black Hills Information Security, a company specializing in penetration testing and security architecture services, and is one of the premier voices in the security industry.
Full Episode Transcript
John Strand (00:00) Disruption doesn’t have to be violence. Disruption doesn’t have to be tearing apart companies. Disruption can be kindness. And one of the things, going back to people that should be on the show, is I love hanging around people that are giving their all to the community.
Joe Patti (00:18) This episode, we’ve got John Strand. John is one of the grand masters of the cybersecurity world. And in part one of a two-part discussion, he’s going to tell us how he’s not just securing organizations, but changing lives through his groundbreaking approach to training for the profession.
Joe Patti (00:33) Welcome to the Security Cocktail Hour. I’m Joe Patti.
Adam Roth (00:35) And I’m Adam Roth.
Joe Patti (00:37) Adam, we have a very special guest today and we’re going to get right into it.
He’s up late hanging out with us after a long
We appreciate it. We have John Strand. John, welcome.
John Strand (00:48) Thank you so much for having me, gents.
Adam Roth (00:50) Government TechCon is run by Simone Barry and it’s a great conference.
So at Government TechCon,
the people that were there, the poor people that were there, a lot of them were people like half my age, just out of school, and they were asking,
how do you get a job in cybersecurity? I’m like, I don’t know, because it’s so hard these days.
Joe Patti (01:10) Yeah.
John Strand (01:10) Well, and I want to speak on that because, you know, one of the big reasons why I’m doing the pay what you can training for Antisyphon is, first and foremost, I, you know, this sounds awful, but, you know, I always tell people, stick with it. We always talk about scholarships for
like minority groups that we want in, and we should get diversity. I’m a huge fan of diversity because, like, just sitting around
a bunch of middle-aged white guys is boring as hell. I don’t want to sit around and talk about how great Pearl Jam was in the ’90s. Yeah, right. That’s us, right? I like talking with people with incredibly diverse views and backgrounds and solutions to problems. But the problem I have with scholarships is it doesn’t fundamentally change the system, right?
Adam Roth (01:41) What did you speak to about me?
Joe Patti (01:44) Yeah.
John Strand (01:57) I want to break the system down. And we found out with the pay what you can model, it doesn’t matter what your religion, your socioeconomic status is, your income background, your race, any of it.
It doesn’t matter because we’ve taken that barrier away completely.
And I just want you to come hang out, and it’s here. If you want to apply yourself and you’re a waitress or you’re a truck driver, so many truck drivers have taken our pay what you can classes. It’s ridiculous. And you can, like, take our class. You can put it on your resume and get a job. I want you to come party with us. I desperately want you to come party with us. And that has fundamentally changed things for a lot of people. But here’s the problem. Right.
Joe Patti (02:28) Really?
John Strand (02:46) I get these people. So far, we know for a fact 275 people have reached out to BHIS and said that they’ve
gotten a job because of our pay what you can training and because of Jason Blanchard’s job hunting. 275 lives have been changed, and that’s a small bit, but I also know the people that self-report are a very small percentage of that total universe.
Joe Patti (02:58) That’s great. Yes. Well done.
John Strand (03:10) So here’s the issue. You have kids today
that are going through college, and colleges still are not, not all colleges, but many colleges are not rising to the occasion and developing the skills that are required to deal with today’s cyber threats, because they lock their curriculum and they don’t allow any changes unless it goes to a board for approval, and they’re just stuck, right? So you’re trying to get out of college and you’re trying to get a job, and over here, you’ve got a trucker who has been spending the last four months
busting his or her ass to learn computer security. And, like, when I see that on a resume, that someone has been making themselves better, that’s a person I want to talk to, right? The other problem that we’re encountering in the United States is, if you’re looking at, like, Europe, a lot of European programs for cyber, not just security, but just cyber, IT in general, they will start training those kids their junior year, I think.
And it varies from country to country to country, and I have talked to people, like kids who are 22, 23 years old, that have a PhD, and more importantly, it’s from a university that is actively trying to be as cutting-edge as they possibly can. I was talking before we started recording, I presented in Cluj-Napoca in Romania, which is, like, the IT hub of Romania.
And we had all these students that came to our table. There were over a thousand people at this conference. And I found out that their professors are using our pay what you can stuff in their curriculum to prepare these kids. So I think that a lot of people in America have got to sit down and understand that there are people that are tremendously hardworking and incredibly motivated that are looking for a career change, and you’ve got to compete.
You’ve got to compete, and if your number one thing that you spent time on in college is playing Overwatch or Fortnite, you’re competing against that person that’s in the back of a semi truck busting his or her ass to learn computer security. If you’re someone that’s in a college and that college is still trying to teach the 10 CBK domains from the CISSP from eight years ago because they have not been able to update the class because it’s locked in,
and it has to be evaluated by the Board of Regents before any changes, you are competing against university students in Central Europe whose program is actively changing dynamically to get ready. So there are some great universities. Dakota State University is one that I’m gonna do a shout out for. Saint Leo down in Florida is also doing some really, really great things. There’s a bunch
of universities and I didn’t get them all. Those are just a couple that popped into my head.
Joe Patti (05:59) Mm-hmm.
John Strand (06:00) You wanna know who’s doing a good job? Go to a CCDC competition, Collegiate Cyber Defense Competition. Who’s competing and who’s winning, those are the universities that are leading the way. And I’m gonna give you a quick hint: it’s not the big name universities that are leading the way. We have to get better to make sure that people have the skills to meet the challenges that are coming to them right now.
Adam Roth (06:23) Yeah, we see that. We see, I think Joe, right, will say, we see people that have spoken to us, including Natalie, if I say her name right, so, I hope she won’t kill me. But she came from recruiting and from social work, and now she’s at a bank in cybersecurity at a nice level. You know, a lot of people migrated away from other traditional jobs to get into cybersecurity or information security. It’s not what it used to be. You know, people that were
in retail sales that are going into security.
So it’s great stuff.
Joe Patti (06:57) Yeah, I mean, Natalie’s story is… yeah.
John Strand (06:57) No, and I want that. I want that.
Like, just using the truck drivers, right? Like, think about their unique solution sets to
the problems in information security. Think of a waitress or a line cook that comes into security. I know that sounds crazy, but think of their interpersonal skills and their stress management and their communication skills. Like, there are so many things from all of these different places where you’re just getting some of the most
amazing people that come with a really diverse kind of background and how they solve problems. Like, even construction, right? If you’re dealing with construction, doing construction management, think of all the things you have to manage in architecture, and thinking how this relates to that sounds a lot like IT infrastructure, right? And I think that a lot of these things are graphable over to our industry.
Adam Roth (07:47) And relatable, yeah, relatable.
Joe Patti (07:49) Yeah, well, I think it is very important. I mean, Natalie’s a great example, but others too. Like you were saying, John, people always ask me, what do you look for when you hire someone? I say, well, what I look for, especially in the young people, is that they live for this stuff, that they love it. You know, someone is not going to spend hours and hours and days on an incident. You got to love it. Or you’re just going to check out, burn out, whatever.
John Strand (08:14) Yep, you do.
And we get people all the time. I’m sure you see it, and God bless them, right? They just want to show up. They want to do their job. They want to punch the clock and they want to go home. And I have nothing but respect for that. If that’s what you want to do, you want to focus on hobbies, you want to focus on your life and all of that, there’s nothing wrong with that. But if I’m looking to hire someone, I want someone that is a digger. I want somebody that’s going to be passionate about this and is going to surprise me.
Adam Roth (08:38) passionate.
Joe Patti (08:44) Well, we want that, but we also want people who understand that there are things outside of security. There is a life beyond it too.
Adam Roth (08:49) It’s definitely
It’s a very hard thing to balance, because at the end of the day you do want somebody that’s passionate. You do so much, you want somebody at home. I see this on LinkedIn all the time. People are like, I’m doing my own project, and that’s outside their job, and they might not even have a job in cyber or in coding. They’re like, I just wrote something, the code to take all my menu recipes and
John Strand (08:52) There it is.
Adam Roth (09:17) save it up into the cloud and then automatically order my food. And, you know, it’s incredible what people are doing today. People have created a diversity, now I’m not talking about race and religion, but a diversity from where they come from, from their opportunities, their jobs, to utilizing coding skills and things you would never think of. I work for a hairstylist, and my coding is that I want to be able to
John Strand (09:21) You
Adam Roth (09:43) You do just-in-time hair cutting. I mean, it’s some crazy stuff. Yeah.
John Strand (09:47) Scheduling, just general scheduling
for them, right? And yeah, I just love that passion. You know, I’ve had people that have come up and said that they’ve had multiple jobs, and they got into computer security, and they can spend more time with their family. But the story that I think hit me and a lot of people on the team the hardest, I think this was in Reno. There was a lull in COVID right before the Delta variant came out. And we snuck in and we had a con in Reno, Nevada. And it was pretty well
attended, and I had this one lady that came up to me and she was talking about, like, Jason Blanchard and his job hunting and then the pay what you can training, and she’s like, I was able to get a job in cyber. She said, literally the only thing I have on my resume was that I had taken your classes, and the team was like, holy crap. They interviewed me and I got the job. And she was great, and she said, right after she got the job, she found out that one of her kids had cancer.
I’m like, my God, is the kid okay? And she’s like, it’s fine, it’s fine. It was an operable cancer. We caught it early. But she said, I went from no health insurance to having a good job with solid health insurance, that I was able to take care of my child in that situation. And those, you know, we go back to the beginning. We were talking about, you know, money’s part of it. Businesses are part of it.
You know, but I think that those are the types of things, you know, when you’re fundamentally changing someone’s life and you’re doing it better and you’re making their lives better in ways that kind of hit something like saving a child and helping them get to that point in their lives. You were talking about disruption at the beginning.
And I think we were trying to get around it. I think we were trying to go back and forth. Disruption doesn’t have to be violence. Disruption doesn’t have to be tearing apart companies. Disruption can be kindness. And one of the things, going back to people that should be on the show, is I love hanging around people that are giving their all to the community, be it in a podcast, be it in training, be it on these things. And one of the questions I probably will never get answered
is how come there aren’t more of the people that are giving back to the community, like, you know, doing a podcast like this, or Paul Asadoorian, you know, or like what we’re doing with Security Weekly and what we’re doing with the pay what you can training, and John Hammond. Like, I can think of, like, six or seven people that are doing that. And there’s some companies that are starting to do it now too, but boy.
There’s a lot of opportunity for some great disruption out there just by doing something amazing that fundamentally changes people’s lives and helps make the industry better.
Adam Roth (12:33) I think we’ve definitely enjoyed this, right, y’all? We do this because we enjoy it. We definitely don’t make money on it. We wish we made money on it. We lose money on it, but this is what life is all about, passion. I mean, like, I don’t look at myself as giving back. It’s some other people, like we were talking about Natalie, because, my god, you know, like, you know, that’s really it, but she really gives back
Joe Patti (12:39) No.
what they’re doing.
Adam Roth (12:58) So
check this out, Joe. At SEC CocktailCon, where John Strand is gonna be the opening speaker, we’re gonna talk about how to be a disruptor in the cybersecurity or offensive security market and what you need to bring to the table. That’s gonna be the main conference in 2027 at SEC CocktailCon. By the way, you can sign up now for our conference a year and a half in advance, go ahead.
John Strand (13:22) There you go. 2027. That’s a long view.
Joe Patti (13:23) Yeah, yeah,
Adam’s big innovation for the conference is going to be basically free drinks. We’ll have cocktail waitresses and waiters walking around like a casino, right?
Adam Roth (13:32) Whoa, whoa, whoa. So we’re gonna mix, so it’s SEC CocktailCon.
It’s a mixer event of security and cocktails, and we’re gonna give the people that sign up for the floor five vouchers, and then they’re gonna be served a cocktail in our Security Cocktail Hour podcast class. And that’s gonna be under our parent company of Security Mixologist, our consulting company, which is open for business.
So let’s go, guys. We’re ready. We’re a year and a half in advance. Let’s go.
John Strand (14:03) Yeah.
We got it. We got it. Yeah. Maybe we’ll get you guys in our next 24-hour con so you can feel that pain. All right.
Joe Patti (14:05) That’s right.
Yeah, and he was very ambitious. He wants to have a... I was actually looking at your site, and, you know, he wants to have a family of companies like you have. When I saw that, I thought of, I remember when I was a kid, I think my dad had a Lincoln or a Ford or something, and it was like this little badge and it said, from the Ford family of fine cars. And I’m like, oh, it’s from the Strand family of fine infosec.
John Strand (14:40) Yeah. Dude. No, you don’t.
Dude, so my wife
and I have this joke, you got to keep caffeine away from us, because if we get caffeine, we’re going to start another company. But it’s just, I don’t know. I felt bad. I had somebody that’s like, Mr. Strand is a serial entrepreneur. And I’m like, I don’t want that title. I don’t like that. No, I’m not there yet. Right.
Joe Patti (15:16) Yeah, that’s right.
Adam Roth (15:16) Well, it’s been in the serial killer.
John Strand (15:21) It’s just weird how these things, like, bleed into each other. It’s like pen testing. And then we noticed that a lot of security operations centers suck. They were just bad, going back to quality as the differentiator. So we’re like, well, let’s create a SOC, which is hard, by the way, very hard to do and do it right. And then it’s like security training. COVID hit, and I had already
retired from the SANS Institute. And there was so much need for a community, right? Like, everybody was isolated, everyone was locked in, and we hit this niche, and our content community director, Jason Blanchard, is like, we won COVID. It was us and Zoom. Those are the two people that won in COVID.
Joe Patti (16:01) I thought, yeah.
John Strand (16:02) And we created that community around it. And then we started Antisyphon. And then network threat hunting has always been something that’s near and dear to my heart. We have some developers, and we started Active Countermeasures. And now, when I talk to, or Erica and I, we talk to the finance team, it’s like, well, we got this idea. They’re like, no more companies, no more, stop. You can’t do this. Because starting a company is like bringing home a cat or kitten or a puppy. It’s cute. It’s wonderful to play with. But then it shits all over the floor. And then you got to raise it, you got to live with it for
Adam Roth (16:22) So, yeah.
John Strand (16:32) the next 10 years. And that’s what we’ve been kind of dealing with on that. So we’ve got to take a breather for school.
Adam Roth (16:36) Joe didn’t
tell you there’s another company I already kind of semi-formed in my mind. When we get all the revenue from Security Mixologist and the podcast and the CocktailCon, we’re going to put some of that money, lend that money to Mixologist Real Estate Holdings and buy buildings.
John Strand (16:56) There you go. You got
Joe Patti (16:56) Yeah.
John Strand (16:57) to diversify and
Joe Patti (16:59) Seriously.
John Strand (16:59) real estate. It’s like Gene Hackman and Superman, you know, it’s all about it’s all about real estate.
Joe Patti (17:04) Yeah,
there you go. So John, I have to ask you, since you do so much training,
whenever I meet young people just coming into the industry, graduate students, whatever, we go to some events where…
We invite them, and all of a sudden I’ve got a crowd of people around me because they see me as a gray-haired guy in security, and they’re like, how do I get into security? What do I do? How do I get a job? You survive. But you see, I think you interact with people a lot more who are trying to get their game up and make their way. I mean, what do you tell them besides take every course they can?
John Strand (17:25) He survived. Yeah.
Dude, it.
I’m going to tell you that that’s there. So it’s bad, right? Like, I’m not going to sugarcoat it. Like, there’s a whole bunch of people, there are 700,000 jobs in computer security. That was bad. Two years ago, they weren’t getting filled. It’s much worse now with AI. And kind of what I’ve got, I think,
I think I’ve used the same speech, like, five times in the past two days, but what I think is going to happen is AI arrived just when we needed it. Right. We have this overwhelming complexity in computer security. And finally we get a tool that’s going to help us with that complexity. A lot of legacy vulnerabilities, a lot of legacy patching and updates and analysis, post-exploitation, doing code reviews and static code review. AI hits the scene. And it’s just what we need, because we’re
drowning in this industry. We absolutely are drowning in this industry, and AI shows up, and immediately people take AI and they’re like, well, now we can start firing people in computer security because we have AI. Therefore we don’t need junior analysts. We have AI, therefore we don’t need mid-level analysts. So I’m gonna let a whole bunch of people go because we’re gonna automate the snot out of this entire thing. And that is a mistake. AI was gonna let us finally catch up.
And what’s happening now is all these companies are looking at this promise of AI and SOAR and all these things, and it absolutely can help, but we still need people.
We still need to have people, because that 80% that AI can help us with in the Pareto principle is great. We still have the 20% hard, where we constantly have new technologies, new services, new APIs, that we never got around to testing and analyzing,
doing good security architecture for. We just kept slapping more technology on top of it. So now we’ve got thrown AI, and it’s like, congratulations, here’s AI. And now we’re at a point where we’re taking people away.
So we’re just as overworked, and we’re running into the exact same freaking problems. It didn’t show up as an enabler. It showed up as just this thing that’s gonna take a bunch of jobs. And I think it’s already biting organizations in the ass. I hear CISOs and CTOs are like, whoa, we’re gonna completely do everything AI and it’s gonna replace 60% of our SOC. And a few months later, they get popped and they’re like,
we don’t have skilled people to deal with the incident. Now we’re gonna go hire Mandiant at multiple hundreds, if not a thousand dollars an hour, to help us with this situation. And we’re right back to where we started. So when you’re talking about entering this industry, what I tell people is learn those core fundamentals. Learn Windows, learn Linux, learn networking, learn cloud, because you’re going to be using AI. And AI is a tool. And AI is only as good as the context and the prompts that we give it.
Joe Patti (20:07) Yeah.
John Strand (20:34) The more technical detail that you can give prompts, the more technical detail you can give these models and building things out, the better the quality is going to be on the other side. So it’s not like it’s going to replace all this basic stuff.
This basic stuff is now even more important than it was a year ago because we now have like an ill-tempered toddler who just so happens to be really good at technical things making rampant assumptions on crappy prompts and that’s going to bite us in the ass. So when we’re looking at this industry, those fundamentals, learn them.
Still do that training, get as much training as you can and learn how to integrate and interface with the new technology and you’re going to be fine in this career. But it’s going to be a fallow period for probably another eight to 10 months before organizations realize that AI is not everything it was hyped to be, at least not yet.
Joe Patti (21:08) Yeah.
Yeah, I agree. I mean, I was just writing an article where I said, okay, you get AI, you automate all this stuff. It’s wonderful. But you still need people who are looking at the outputs and who are experienced enough to know if it’s good, if it’s right. It’s like having a bunch of assistants. You need a manager, you need a master who can say, yes, yes, no, no, do this again.
John Strand (21:39) Mm-hmm.
Joe Patti (21:55) And I worry that with all the entry and mid-level people being pushed out and making it difficult, where are those senior people gonna come from in five, 10 years? Where will they be? You know? Yeah.
John Strand (22:04) Great question. No one knows. So we’ve seen this
standardization of mediocrity. I’m just going to use web apps as an example.
So if you, let’s go back to 2023, 2022. When we’re doing web app security assessments, we would see companies with really solid security. And Cameron, one of my testers, was one of the first people to bring this to my attention. We had really good companies, solid security. They would kick our teeth in as a pen testing firm. And then there’d be a whole bunch of really crappy,
like, pen tests where it’s like, my God, they have, like, SQL injection, non-blind. Like, holy.
Has anybody ever tested this app? We saw this huge discrepancy in security. So what happened once AI came onto the scene is that discrepancy between great quality and crap when it comes to security really narrow-banded out to standardization of mediocrity, because so many people are now using AI to develop their web infrastructures and their APIs. And it’s not great. It’s not crap, but it’s not great. And it’s weird because it’s almost made our jobs
Because those really, really hard to get into organizations are now,
like, they’re doing as much AI as they can. And AI was trained on data from Stack Overflow.
It was trained on all of these different Reddit posts over the years. And it’s going to be an amalgamation and kind of this standardization of all the code that has been put online, which is going to be inherently mediocre. So getting to your point of the senior people, we now are finding vulnerabilities in those web apps because everything’s becoming kind of this narrow mid-band blah security. It’s not great, but
Joe Patti (23:24) Yeah. Right.
John Strand (23:46) it’s not horrible, but the people that actually know how to fix the code and understand the business logic, those people are starting to disappear because they’re using AI to build so much and vibe coding that you’re like, hey, this is a huge problem. And they’re like, we didn’t write that, AI did. We don’t know how to go in and fix it. There’s going to be a huge industry for people that do nothing but go and fix vibe code problems for
Joe Patti (24:09) Yeah.
John Strand (24:15) companies.
Adam Roth (24:15) So John, I’m
Joe Patti (24:15) Yeah, people don’t even know how
to test it. They don’t even know what to look for.
John Strand (24:18) No, that’s true too. Yeah.
Adam Roth (24:20) Joe and I spent like five hours minimum trying to create a logo in different AIs and different LLMs. Meanwhile, I’m on Instagram and I see cats and dogs using firearms and weapons and doing martial arts like it looks almost real. I don’t know who’s doing that.
Let’s hire those people to do the app testing because if they can do that, they can do anything else. I’m kind of being funny, but you know.
John Strand (24:46) I’ve got a prompt that I gave.
I had this presentation that I gave at SaintCon called Onions, Belts and Fashion. And this is, like, a typical prompt for me when I’m trying to get AI to create an image for me. And I saved this one. I said, I would like a picture of a cow, overweight, smoking, drinking on the couch. It seems burnt out. Has stubble, seems like it’s very tired. His life has not gone the way he wanted in love and work and personal growth. He has failed. Basically like Homer Simpson’s monkey, Mojo,
sitting on the couch, smoking and drinking, but a cow. And when you give a really good prompt to AI, it nails it. But I think, you know, you’ve got to really, really give it a lot to chew on, and it comes through.
Adam Roth (25:22) Detail, yeah.
I
told the LinkedIn pixels, exactly the pixels I wanted, and it was supposed to be a rectangle, and it came out as, like, a square, and I said, what are you doing? I even once cursed out ChatGPT, said, you’re an idiot. You know, you’re right. I am an idiot. I’ll do it right this time. You remember that, Joe? And it did it wrong again.
Joe Patti (25:36) Thank
Yeah. Yeah.
John Strand (25:52) Dude, I had
the exact same problem, but I think it was different. I was on ChatGPT and I got this picture of Xi Jinping, and it’s him, and he’s standing, and there’s these airplanes, these jet fighters, and there’s a whole bunch of Chinese text next to him. And I think it said something to the effect of making China a great cyber power.
Adam Roth (25:56) It’s a bit different, yeah.
John Strand (26:13) I’m not being facetious. I think that’s literally what it said. And I went to ChatGPT and I said, please change the Chinese text in this picture to say, in Chinese, who wants honey? And it did just the blocks. It basically censored all of the Chinese, and it’s like, there you go. And I did it, and I’m like, no, you didn’t. Like, it literally just put a block over the text. Like,
I needed it to say, for Xi Jinping, who wants honey? And it came back again, the blocks. And I’m like, there’s gotta be some censoring going on here with ChatGPT.
Joe Patti (26:51) Yeah, I’ve
done things. Sometimes you get a really wacky response or you get something where it just won’t do it. It won’t even do it wrong or badly. And I think those are guardrails when you see that.
John Strand (27:05) I think I hit a guardrail. I think I hit
a guardrail, and I think I hit it hard. So that’s my theory.
Adam Roth (27:12) You don’t have
any Secret Service or FBI coming to your house yet?
Joe Patti (27:13) Well, the…
John Strand (27:16) No, no, we talk with those guys regularly. That’s a whole nother conversation.
Adam Roth (27:19) Hahaha!
John Strand (27:23) But yeah, they know where to find me. Not in a bad way.
Adam Roth (27:26) So,
