The Job Security Cybersecurity Podcast

Episode 8: Early Adopters

Host Dave Johnson and co-host Ben Baker sit down with Greg Notch, Chief Security Officer at Expel, and Jay Beale, CEO and CTO of InGuardians, for the first installment of the Early Adopters series. Greg and Jay share how they stumbled into cybersecurity before it had a name, built tools and standards that didn't exist yet, and found that the same curiosity that makes a great practitioner also makes a surprisingly good leader. Key topics & timestamps How they got started (1:41 - 8:15) * Jay: Unix sysadmin at a university, suspected a hacker, wrote a hardening script, fell into Bastille Linux * Greg: broke copy protection as a kid, became the NHL's first de facto CISO after a real incident made it real * Dave: exploited a NetWare login screen at age 11 to print for free; attended HOPE 2000 with his dad at 16 Building security before the frameworks existed (18:55 - 21:00) * No CIA triad, no NIST, no SANS certifications—just BBSs, Bugtraq, and people sharing what they figured out * Aleph One's "Smashing the Stack" first appeared as a plain text file on a BBS * The early community wasn't malicious—there was nothing to steal; it was a pure pursuit of knowledge Hacking is QA (17:21 - 18:01) * Jay ran the QA department at Bethesda Softworks in high school before it became the Elder Scrolls company * Offensive and defensive security are both about asking "what happens if I do something unexpected?" Curiosity as a leadership advantage (24:59 - 27:10) * The same systems-thinking that makes a great practitioner translates directly to leading people * Greg's test: ask aspiring managers what books they've read—most name a Python book, not one on team dynamics * Empathy is a skill, not a personality trait—and it's learnable the same way technical skills are The one thing that hasn't changed (30:49 - 31:12) * With sufficient motivation, time, and effort: they're gonna get in * 100% failure rate—always has been, still is Key quotes "For all of us defensive security people, for all of us offsec folks—we're kind of QA folks who found a way to make it cool. What are we doing? We're looking for ways to find out: what happens if I put in input that might be unexpected? It's a very, very related job. We just get to have a lot more fun with it." — Jay Beale "Curiosity is a major advantage in leadership. But the system you become curious about isn't hardware, software, networks—it's human interaction. Team dynamics. What motivates people. My memory corruption vulnerability now is: how do I motivate someone during a one-on-one?" — Greg Notch "Curiosity killed the cat—but the part we forgot is 'satisfaction brought it back.' We are very much in the satisfaction brought it back category." — Dave Johnson Helpful links * InGuardians [https://inguardians.com] * Expel [https://expel.com/services/managed-detection-response/] Production credits * Hosts: Dave Johnson, Ben Baker * Producer: Ben Baker * Sponsor: Expel Inc. Connect * Follow Expel [https://expel.com/] on LinkedIn [https://www.linkedin.com/company/expel/], Twitter/X [https://x.com/ExpelSecurity], and YouTube [https://www.youtube.com/@expelsecurity] * Rate and review on your favorite podcast platform

Episode 7: Red Team Village: Break stuff, make friends

Host Dave Johnson sits down with Mike Lisi, President of Red Team Village, and Wes Thurner, Advisor at Red Team Village, to explore offensive security training and community building. Mike and Wes share how Red Team Village creates a collaborative environment where practitioners at all levels can develop skills, share knowledge, and push boundaries—without the gatekeeping that often plagues the industry. Key topics & timestamps AI's role in red team operations (0:00 - 1:26) * Tools help with vulnerability discovery but can't replace human creativity * The real threat: being replaced by someone who uses AI better than you What is Red Team Village? (2:26 - 4:16) * Collaborative space for offensive security professionals to share skills and knowledge * Covering the full spectrum from beginners to experts * Hands-on learning through workshops, tactics sessions, and demonstrations Red team vs. penetration testing (4:19 - 6:20) * Red teaming focuses on adversary simulation and testing detection/response * Pen testing is about finding vulnerabilities with defined scope * Similar technical skills but different objectives and approaches The tactics format: learning in small chunks (3:20 - 4:16) * Digestible sessions on topics like buffer overflows or API security * Less formal than workshops—participants can engage or observe * Creates round-table discussions with 20-30 people collaborating Red Team Village beyond DEF CON (26:20 - 27:02) * Expanding presence at BSides conferences (NYC, Philly) * Making offensive security training accessible year-round Reading recommendations (26:43 - 28:01) * "Redefining Hacking" co-authored by Omar Santos, Savannah Lazar, and Wes Thurner * Covers quantum computing, AI integration, and modern offensive security approaches Looking ahead to 2026 (28:01 - 30:00) * Expanding the tactics format and improving platform support * Check redteamvillage.io for updates Key quotes "The focus here is that we're here to share our skills, share our knowledge with folks that are interested in offensive security. It's not necessarily just the advanced folks that are trying to transition into red team roles, though that is a big part of it. But we really try and cover across the spectrum of offensive security." - Mike Lisi "What we saw was just this roundtable with somebody that was knowledgeable at a topic, and then 20 or 30 people just all huddled together talking about it was like a very communal sort of thing. It was way less formal than sitting in the audience and just watching one person speak." - Mike Lisi Helpful links * Red Team Village [https://redteamvillage.io]  * (Book) Redefining Hacking [https://www.amazon.com/Redefining-Hacking-Comprehensive-Teaming-Hunting/dp/0138363617/ref=tmm_pap_swatch_0?_encoding=UTF8&dib_tag=se&dib=eyJ2IjoiMSJ9.lQZVX2dfxw8ED-UbvDHn9hqxnbIqrerrFjnfodyK5CvEQV3w_wgnbhzCzYVbhjkyq9xoyX4PZqE_6SGVXHFMgRfZY2P8BpDJJE8L1hJQYo4.mzE2w9szr0iX-lIKWSySlYeUiDPQ8uZxu4wVM3twdOs&qid=1772463925&sr=8-1] by Omar Santos, Savannah Lazar, and Wes Thurner * DEF CON [https://defcon.org] Production credits * Host: Dave Johnson * Producer: Ben Baker * Sponsor: Expel Inc. Connect * Follow Expel [https://expel.com/] (follow us on LinkedIn [https://www.linkedin.com/company/expel/posts/?feedView=all], Twitter/X [https://x.com/ExpelSecurity], and YouTube [https://www.youtube.com/@expelsecurity]) * Rate and review on your favorite podcast platform

Episode 6: Becoming a tech evangelist

Hosts Dave Johnson and Ben Baker sit down with Tim Chase [https://www.linkedin.com/in/timchase2/], Global Field CISO at Orca Security, to demystify one of cybersecurity's most intriguing and often misunderstood roles. With over 20 years in information security—from manual penetration testing in 2002 to leading cloud security programs and now evangelizing cutting-edge technology—Tim shares the real story of what tech evangelism means, how to break into the field, and why listening matters more than talking.  Key topics & timestamps Defining tech evangelism (4:00 - 6:07) * Not just talking about products—educating on industry trends and challenges * Sitting at intersection of marketing, sales, and product teams The guiding philosophies of effective evangelism (8:03 - 11:21) * Drawing on personal CISO experience to stay authentic * Putting yourself in the audience's shoes before prescribing solutions * Listening as much as talking—learning never stops in cybersecurity Tim's journey from practitioner to evangelist (12:52 - 20:53) * Started in AppSec to cloud security to evangelist * The path was convoluted but intentional at each stage Why connections alone don't make good evangelists (21:25 - 25:16) * Hiring for rolodex depth is a short-term strategy that fails * Executive presence and communication skills matter more * Speaking CISO-to-CISO changes the entire conversation dynamic The art of adding value without being preachy (25:16 - 28:36) * Cybersecurity professionals don't want product pitches—they want help * Executives struggle with "Is this just me?" moments—evangelists provide perspective * Positioning your company as thought leaders, not just vendors Breaking into tech evangelism (33:10 - 35:48) * Find your preferred communication medium and start there * Stretch yourself in areas where you're uncomfortable * Learn how good sellers ask discovery questions What's happening at Orca Security (38:11 - 39:48) Key quotes "A tech evangelist to me is just someone that sees what's going on in the industry. They've got the history, they've been in it long enough that they can really kind of educate others... to tell them kind of what you're seeing and where they should be focused." - Tim Chase "One of the ways that you can get security leaders to pay attention is if they know that you've walked in their shoes before. I've literally seen the face and the conversation change when I introduce myself and they realize I'm not an SE or a seller—I'm a practitioner." - Tim Chase "Let the sellers sell, and let me evangelize. They've got their process and they're respected for what they do, but let me just talk about the problem." - Tim Chase Helpful links * Orca Security [https://orca.security] * (Blog) Where to start your cloud security program [https://orca.security/resources/blog/cloud-security-program-maturity-guide/] by Tim Chase * (LinkedIn) Tim's response to Tom Alcock [https://www.linkedin.com/posts/tom-alcock_cybersecurity-activity-7392226477167165440-XJ0x] Production Credits * Co-hosts: Dave Johnson and Ben Baker * Producer: Ben Baker * Sponsor: Expel Security Connect * Follow Expel [https://expel.com/] (follow us on LinkedIn [https://www.linkedin.com/company/expel/posts/?feedView=all], X [https://x.com/ExpelSecurity], and YouTube [https://www.youtube.com/@expelsecurity]) * Rate and review on your favorite podcast platform

Episode 5: Hackers helping hackers: Mental health in cybersecurity

In this episode of The Job Security Podcast, host Dave Johnson sits down with Amanda Berlin, CEO and co-founder of Mental Health Hackers, to explore the mental health challenges facing cybersecurity professionals and what the community is doing to address them. This conversation covers the unique stressors in cybersecurity work, the prevalence of neurodivergence in tech, practical strategies for combating burnout, and how Mental Health Hackers is creating safe spaces at conferences worldwide where hackers can support other hackers. KEY TOPICS & TIMESTAMPS 4:00 How Mental Health Hackers got started  5:22 What Mental Health Hackers does  7:52 The challenge of finding mental health professionals who understand cybersecurity  8:32 Practical strategies for preventing burnout  12:08 Why polymaths have an advantage in mental health  13:35 The most common mental health issues in cybersecurity  16:10 The pressure of leadership and C-level mental health  18:52 Finding therapists who can follow technical conversations  20:43 Connecting mental health professionals with InfoSec practitioners  22:50 Mental Health First Aid training—what is it is and why it matters 24:13 How to volunteer or sponsor Mental Health Hackers  26:49 What businesses can do to support mental health  29:17 The cultural evolution of the cybersecurity community  32:05 How DEF CON has changed over the years  35:26 The connection between physical and mental health KEY QUOTES  "Do something that is not security related, something that's not your day job related. For a long time I did not do that and burnt out." - Amanda Berlin "There's actually a really high occurrence of general mental health issues in STEM fields, as well as neurodivergence. We see it all the time." - Amanda Berlin "When my kids tell people what my nonprofit does, they describe it as sort of like a daycare for adults that are geeks. And it's pretty close to that." - Amanda Berlin HELPFUL LINKS  Mental Health Hackers - https://mentalhealthhackers.org [https://mentalhealthhackers.org]  CREDITS  Host: Dave Johnson  Producer: Ben Baker  Sponsor: Expel Security Connect * Follow Expel [https://expel.com/] (follow us on LinkedIn [https://www.linkedin.com/company/expel/posts/?feedView=all], X [https://x.com/ExpelSecurity], and YouTube [https://www.youtube.com/@expelsecurity]) * Rate and review on your favorite podcast platform The Job Security Podcast explores the unique perspectives and stories of the people who make the cybersecurity industry what it is, whether they realize it or not.

Episode 4: Making cybersecurity events findable

Host Dave Johnson sits down with Walter Martín Villalba, founder of InfoSecMap, to explore how he's solving one of the cybersecurity community's most persistent challenges: finding and tracking the thousands of InfoSec events happening worldwide. This conversation covers the origin story of InfoSecMap, the mechanics of manually curating event data at scale, and the unique welcoming nature of the InfoSec community that keeps people coming back. Key topics & timestamps The problem InfoSecMap solves (3:37 - 5:16) * Missing events after expensive travel, information scattered everywhere * Turned frustration into action during early pandemic 2020 Building InfoSecMap from scratch (5:54 - 9:45) * Started as side project, realized one person couldn't maintain it alone * Today: 6-7 people handling operations, outreach, and development Recent explosive growth (10:40 - 12:55) * Crossed 10,000 unique monthly visits two months ago * Now at 23,000 monthly visits (120-130% growth) * 100% organic traffic—no paid promotion Strategic partnerships and credibility (12:55 - 15:47) * Official partnership with OWASP Foundation provides credibility * Partnerships with BSides Security globally Partnership opportunities (15:51 - 19:01) * Flexible models: cross-promotion, highlighting CFPs, sponsor calls * Powerful filtering by dates, regions, and topics First conference and community passion (19:17 - 21:49) * First major conference: OWASP Global AppSec USA 2013 * InfoSec community uniquely welcoming with knowledge sharing culture * Platform lists CTFs valuable for career development Manual curation at scale (23:28 - 25:29) * Everything manually curated to ensure accuracy * Prevents spam and vendor pitches * Expecting 5,000+ listings by end of year The actual numbers (25:54 - 27:44) * Conservative estimate: 7,000-10,000+ InfoSec events annually worldwide * InfoSecMap has close to 5,000 events for 2024 alone Automation and AI exploration (27:44 - 30:50) * Exploring AI for curation automation with mixed results * Higher priority: making platform self-sustainable long-term Future vision and new features (33:14 - 37:00) Key quotes "I simply got tired of wasting a lot of time searching online... spending a lot of time and finding only a handful of events and still missing a lot." - Walter Martín Villalba "The InfoSec community is very special in regards to certain aspects. It's very welcoming. There's a ton of knowledge sharing. There are a lot of people willing to give you a hand, not expecting anything in return." - Walter Martín Villalba "It doesn't really matter how big or small the event is. If it's a legit InfoSec event, we'll list it, even if it is five friends getting together every other Friday to try to do some Hack The Box machines." - Walter Martín Villalba Helpful links * InfoSecMap.com [https://infosecmap.com/] Production Credits * Co-hosts: Dave Johnson * Producer: Ben Baker * Sponsor: Expel MDR Connect * Follow Expel [https://expel.com/] (follow us on LinkedIn [https://www.linkedin.com/company/expel/posts/?feedView=all], X [https://x.com/ExpelSecurity], and YouTube [https://www.youtube.com/@expelsecurity]) * Rate and review on your favorite podcast platform The Job Security Podcast explores the unique perspectives and stories of the people who make the cybersecurity industry what it is, whether they realize it or not.