diff --git a/content/sessions/2023/mini-summits/Oct/Governance/The-Cybersecurity-Talent-Gap-Addressing-the-Growing-Skills-Shortage.md b/content/sessions/2023/mini-summits/Oct/Governance/The-Cybersecurity-Talent-Gap-Addressing-the-Growing-Skills-Shortage.md index 3376a74f88c..a1b6088aefe 100644 --- a/content/sessions/2023/mini-summits/Oct/Governance/The-Cybersecurity-Talent-Gap-Addressing-the-Growing-Skills-Shortage.md +++ b/content/sessions/2023/mini-summits/Oct/Governance/The-Cybersecurity-Talent-Gap-Addressing-the-Growing-Skills-Shortage.md 
@@ -33,3 +33,797 @@ zoom_link : https://us06web.zoom.us/meeting/register/tZ0ofuqvqD4sH9GF19gonYcV - Upskilling and reskilling strategies to bridge the skills gap - Partnerships with educational institutions and cybersecurity training programs - Promoting diversity and inclusion to attract a wider talent pool + +## Transcript: +Dinis Cruz - 00:00 +Yeah. Hi. Welcome to this open security summit session in October 2023. +And I'm here with Chen, and we're going to be talking about, I think, a +massive topic in our industry, which is basically how you address +cybersecurity talent gap and fundamentally the growing skill shortages +that we I think we all feel. Anybody who's hiring and is building teams +experience this. So you want to just kick us off, Chen, and give +introduction about you and then your views on this topic? + +Chen Gour-Arie - 00:33 +Yeah. So. Hello, everybody. I'm Chen. Coming from many years in hands +on application security, I've been consultant through, say, the first half of +my career. A lot of pen testing, been around many places and so I kind of +struggle with the problem. I must say that by the time I was a consultant, +not many companies were directly employing cybersecurity professionals. +It just started, it was mostly consultants at the beginning and then slowly +but surely, companies realized that they need to build their own internal +task force. And it was fascinating to see how the industry responded to the +cybersecurity threat by building internal capabilities and internal teams +and developing methodologies. The second half of my career I was still in +cybersecurity, but more on the Venzo side. So building products, including +my startup, was recently acquired by Sneak and Enzo Security. + +Chen Gour-Arie - 01:43 +This was the first ASPM solution on the planet and just a few months back +we got acquired by Sneak. 
And there I was, responsible for many different +things, but essentially building up a platform that will help companies +manage and run their application security gig, which I think is one of the +areas where the expertise needed are so delicate and the frameworks and +methodologies and structure around the problem space are so +proliferated, where this actually become a very big issue. So, yeah, I think +maybe this group is small enough that we can open up everybody's access +to microphone and then we can have it as a discussion because otherwise +it would be just the two of us. + +Dinis Cruz - 02:41 +Yeah, absolutely. I'm making everybody a co host. Right. So if you guys +feel free to chip in with your views and talk about this. + +Chen Gour-Arie - 02:52 +Right. + +Dinis Cruz - 02:52 +I think this is a really key thing. One topic maybe first to explore, maybe a +little bit not controversial, but I would say I don't think we have in a total +a skill shortage. I think we have a skills transfer problem. I think what +we're not very good at is creating opportunities and creating recruitment +workflows that allows individuals and talent from other industries outside +cybersecurity, from either technology or engineering or even left fields, +from medicine, from poetry, from all sorts of different ways of life, right. +And professionals to bring them into the cybersecurity field, because I +actually feel that will increase the diversity of what we have, but I think it +will bring a lot of experienced professionals in our field that also really +needs them. So it's not necessarily that our pool is quite small. + +Dinis Cruz - 03:51 +It's like maybe we should have a bigger pool of talent to draw from. + +Chen Gour-Arie - 03:57 +For me, when I think about this subject, I think that there are a few things +to recognize. First is that the entire information technology industry is +quite new. 
When you compare it to other industries, then even when you +think about other industries that are similar in nature to what we are +doing, which is actually building things and you look at other industries +that are about creating products and building products, you'd see that +there is always different levels of professionality. You'd look at one shop +and they'll be building in a very chaotic way. And then you look at another +shop and they will be building very accurately with planning and designs. +So the industry by itself is young. Building software, building applications, +building digital systems is very difficult. There isn't yet a perfect way to do +this. + +Chen Gour-Arie - 04:59 +Everybody struggles with leading an effective operation of building +software. It includes a lot of talent, a lot of different aspects that you need +to consider when you're working on this. And then in this industry, this +kind of bad boy, which is cybersecurity, is even younger than the industry +itself. And he's trying to deliver something that requires first +understanding all lot of information about building information +technologies and then understanding where it can go wrong and also +providing a practical solution for securing it. It's a lot to know, it's a lot of +knowledge, it's a lot to take in and it's a lot to deliver to. And in this, we +still haven't figured out what would be the right way, what is the right +methodology, what are the actual things that we need to worry about. + +Chen Gour-Arie - 06:02 +So, for example, one of the things we've been focusing when we build +Enzo security was the specific topic of how do we build up a very +professional approach to the problem space? How do we try to eliminate +the cry wolf situation where many cybersecurity professionals think that +it's their job to just raise the alarm, but it isn't really? 
It's also to build up +into the culture of the organization, the sense of right prioritization and +right investment in security. So it's a lot. And because this is a lot I get +back to what you just said. Because this is so much. There are many ways +in which we can open up and bring in more talent and more approaches to +the problem and try to enable more people in assisting in making +companies more resilient to cyber threats. + +Dinis Cruz - 07:03 +Yeah, if you look at, I would say, the qualities that you want in your +professionals is curiosity, ability to learn, ability to handle pressure, ability +to be a good team player, have a great cultural fit, ability to process lots +of complex information, be able to get things done and understand +complexity so you can get on right. And a lot of those are I would say +human and professional skills that have nothing to do with cybersecurity, +right? And yes, it's a lot in our field, but you could argue that it's also a lot +in the medical field, it's also a lot in other industries, right? Almost every +industry has a lot going on, right, in a lot of the stuff they do. So the +challenge there is, how do we give them those skills, right? + +Dinis Cruz - 07:52 +How do we give skills to that individual that is joining an industry that +doesn't have a huge background? And I think there's different paths. I +think there's a path where you're very technological and I think there's a +connection there, but there's also, I think, a path where you might not be +very technological, but you have a lot of engineering in a wider sense of +engineering sense, or a lot of structure or ability to consume a lot of +information sense. And I think each of those pillars require different +attitudes or different approaches for how you expose that individual to an +industry, which, like you said, there's a lot of stuff going on. But we also +invent the wheel a lot, right? 
We also sometimes overdramatize a lot of +these things in our industry because it's about the fundamentals, right? + +Dinis Cruz - 08:39 +It's about figuring out what you want to do, how you want to do it, how +you get it done, and enabling others. Because a lot of times in security, we +are a property of a system, right? We need to get the dev team or we need +to work with the dev team to implement certain things. We need to work +with engineering team to implement certain things. A lot of times we +shouldn't be doing it, we should be empowering, enabling, providing +guidance, providing information, or managing risk, et cetera, for other +teams to be productive. So a lot of those skills you can learn. So a lot of +those specific technicalities things you can learn. + +Dinis Cruz - 09:15 +I think my hypothesis is the other skill set is much harder to learn and the +talent pool that we go for these days is much smaller, which a lot of times +doesn't have those skills of. Basically. For example, I was talking to a +friend of mine and his wife, he's a teacher, right? And I think teachers are +amazing, right? I think teachers anybody who can teach a bunch of kids, +right, fucking it's a hell of a skill, right? And if you talk about managing +and keeping that in control and dealing with all the stuff and now there's +a lot of complexities in UK about it, but those individuals are amazing, +right? But they're actually not very well paid in a weird way. + +Dinis Cruz - 09:56 +We have a premium in cybersecurity that we should be leveraging because +it's almost like we need people to do transfer from one industry and +actually we can pay them more even to where they are, even if they don't +have domain expertise. Because at the moment, the premium is actually +really high. And you can argue that for the skill that the new generation +has, that premium is out of whack. It just happens to be a lot of demand. 
+Like you said when you started, when I was around initially there was no +cybersecurity teams, right. The market for cybersecurity professionals was +much lower to be hired as a threat modeler. What the hell? That wasn't +the thing. Right? And now a full blown career path, right? + +Chen Gour-Arie - 10:40 +Yeah, I think they've been trying to build in some universities, they're +already trying to build. They've been existing also for a while, full training +programs and full education programs around the subject. But I think one +of the challenging things here is that this subject is so much about other +topics. It's not so much a thing by itself is just to properly understand +information technologies and then try to find ways to inject some security +in them. If it's in the understanding the infrastructure and then from +understanding the infrastructure you can understand potential threats and +risks and then you need to understand how to deliver solutions to this. So +you have a long way to go. But I think that similar to how I spend a lot of +my time in a lot of my career in companies that build information +technology project. + +Chen Gour-Arie - 11:45 +So I live and breathe the DNA of companies that are building software. +And as you spend more and more time there at the beginning, you think +it's just a bunch of developers behind the keyboard. At some point you +start to realize that there are also product people and operation people. +Why would you need an operation person in a company that all they do is +build up software but you actually really need those operation people +because coordinating between the different efforts of the company is super +critical. Why do we need so much investment in product definition? +Because if you don't invest properly in product definition, you will have +your developers running about trying to build stuff that won't connect and +won't deliver to the actual needs of the user eventually. 
So you need to +actually invest more in product. + +Chen Gour-Arie - 12:33 +And then you even have things like marketing and people that are just +explaining what this should be explaining to the outside world, what this +should be to building up brand and marketing around it. And as you spend +more and more time in high tech and you realize how many different +professions are there in high tech, you can open up to the notion that it's +not necessarily about the technicality of things like you said before. It's +more about and especially in cybersecurity, it's more about mindshare, +mind, share of the organization. The successful cybersecurity professional +is the one that managed to convince as many different people in the +organization that this is important. They don't even need to understand +the single expert. + +Chen Gour-Arie - 13:24 +They just need to understand that eventually bringing security to a +company is just changing the mindset of the people and making them +aware of the problem eventually. Doesn't matter how good of a pen tester +you are. If the developers don't think so, it doesn't matter. You have to +convince them eventually. You have to convince their managers. + +Dinis Cruz - 13:49 +To. + +Chen Gour-Arie - 13:50 +Give you the budget and to put efforts into securing. And when you think +about this, like you said before, it opens up a lot of opportunities to loop in +more people, loop in operation people, loop in product people, loop in +marketing people. Marketing is super important for cybersecurity, +intelligent marketing, promoting the notion that we need to be more +careful with how we do things. You can just put a marketing person on +that job, just feed to them professionally with the right messaging, the +messaging that will be useful for developers and then they will be probably +more impactful than the best pen tester on the long term. + +Dinis Cruz - 14:35 +No, I agree. 
And I think the interesting challenge now is how can we +create jobs and help people in those transitions? Because the ones who are +hiring have in a way of responsibility to create jobs that allow those +individuals to make the jump. One of the things I try to do these days a lot +is to do internal seconds. So try to find other individuals in the company +that want to join a cybersecurity team, even just for a little bit, and then +that allows that transition to be smoother and that allows us to say, hey, +we got this project here that would be great if you can help. So that makes +a big difference. So Anthony has a good question here, which is what are +the good instructional schools and education we can obtain? + +Dinis Cruz - 15:20 +My main thing on this is like a I think in security you need to learn how to +hack. I think it's very important. I think there's something when you +exploit that, you understand a lot better what happens in here. And I think +a lot of the it's all about hands on experience, it's about having practical +understanding and doing some of these things for real. And for example, +open source communities are great because they need a lot of help and +they're always quite friendly. And I have to say, these days I would say +start with Chat GBT, start with Bard. But I think Chat GBT is still +probably the best one on this level and the next generation of education +bots are going to make a massive difference. + +Dinis Cruz - 15:57 +And I'm going to talk a little bit in the session, I'm going to work in a bit, +but I think that is going to be a massive change because Anthony, for +example, you will be able to create personalized training for you or for +whoever you know, that needs this, right? 
And that is super powerful +because you can say, here's the objectives, here's the topics, here's the +concepts, here's the things we want to cover, and now here's your +experience, here's what you know, this is the areas you're good at, the +areas you have good references. How do we now create a learning path, a +set of explanations, a set of knowledge that is completely customized to +the individual. + +Dinis Cruz - 16:37 +And I think that's a game changer because it allows somebody who +already has a lot of domain expertise to realize that those acquired skills +are actually not that far off from the more advanced cybersecurity skills +which might look very Chinese in the beginning, but actually they're just +variations of things that you probably already know. You just call them +different things. + +Chen Gour-Arie - 17:00 +I think that one thing that is kind of shared between all cybersecurity +professionals is that they promote thinking out of the box and trying to +think outside of the box. And then when you think about the title of this +session, how do we address the gap in cybersecurity? It could be +immediately our first response to think out of the box and the out of the +box here would be to try and find different ways of reaping value from +people that are interested in people are interested in. And if Anthony, if +you're interested, like exactly like Denny said, go about the thing that you +know, what brings you into the It industry? Obviously not the all of +cybersecurity is about the It industry. There are big parts of any industry +because every industry have it today. + +Chen Gour-Arie - 17:52 +But I would speak from it industry perspective because this is what I know +best. Think about all the profession that exists there in the It industry and +then if you're focusing, if you're already in this industry, you already have +a profession in this industry. 
Maybe you're a product manager, maybe +you're a developer, maybe you are in marketing, maybe you are in sales. If +you're already in this industry, try to find what would be the closest angle. +Of course you can go about formal training, like the list that you shared in +Chat. What kind of training and certifications? Recommended ones. I +personally, I admit I have none of these. I don't have CISSP, I have none of +these and I've been delivering security in many different organizations for +a very long time now. I don't have any formal education. + +Chen Gour-Arie - 18:58 +This is definitely a route that you can take to try and onboard one +program. I'd say go start with Udemy, start with acquiring knowledge +before trying to go for a certification. Maybe try and play around with bug +bounty programs. They're open. You can maybe try and bank over a +specific issue like corset scripting for example. Try to learn it, go to +Udemy, go to YouTube, learn about corset scripting and then go to bug +bounty programs and try to find one. And try to find corset scripting by +yourself. This will really create some appetite for more because if you find +one, you could actually get paid for it. And I've seen people start their +career this way. + +Chen Gour-Arie - 19:45 +I've seen people very successful today start and accelerated their career +this way by just learning about few classes of inabilities one by one and +then trying to find themselves. There are a lot of available resources to try +yourself, like look for vulnerable web applications. In Google, there are a +bunch of applications that can be used to try out, right? Yeah. Juice shop, +for example. Use juice shop and similar applications to try out and +experience yourself what it is to exploit applications. 
And then from there +take it to bug bounty programs and try in the real world, if your vector is +technical, if you're interested in trying out exploits, trying out, finding +vulnerabilities, this is definitely a way to go. + +Dinis Cruz - 20:44 +In the past, I was a lot more dismissive of certifications. I think it depends +where you are, and I think it depends on the path that you have available +to you. There's definitely places in the world that certification is a big +deal. I don't think I'm on that world. I don't think when we hire, that's +definitely not what we look for. We would never say, if you don't have the +certifications, you're not applicable for the job, right? Actually, I would +even argue that whoever does that, you don't want to work for them +because they're already looking at the wrong thing. That said, there is +value. If you like to study, if you're good at exams, that's a way to learn, +go for it, right? But I don't think you should view it as the primary, most +important thing. + +Dinis Cruz - 21:29 +If you get those compton ISC square, et cetera, it's not how you get those. +You get a job. Right. That's not how it works. And I don't think that's the +best way to learn. I think, again, some individuals care about it. I actually +really like the idea of starting to create customized, again, versions of that +based on what matters. Because the problem with a lot of those +certifications is that only 10% of it is interesting, right. The other is just +fluff, or the other is not relevant, or basically it's, okay, well, persuade +10% could be relevant to some things, right? But where you want to go or +what your skill set is not that good. Now, you mentioned also boot camps. +Now, these are interesting, and I've seen some really good ones. I'm sure +there's really bad ones. 
+ +Dinis Cruz - 22:14 +But the boot camps have an interesting concept, at least the ones I've +seen, which is they take cohorts of individuals who have a lot of +experience, but for example, don't have security experience, or don't have +technology experience, or don't have development experience. And like, for +example, I would absolutely hire somebody who did a developer boot +camp, right? I think that's a great thing because I think development is a +really hard skill and somebody who's gone through it and understood and +knows version control and knows a lot of those things, that's actually +quite a really great skill. That is highly applicable. Yes, there's probably a +money grab there situation that you're talking about. I think you need to +be careful. Again, there's probably a lot of lemons in the market these +days. + +Dinis Cruz - 22:59 +I would look at what's the output, what did the people that took the +course, the boot camp did but some of them are quite good because it's a +three months intensive thing or six months or whatever it is and it's almost +driven by the market. So a lot of those actually give very highly +employable skills and it's all about the attitude, it's all about how you +approach it. So I think you be careful and again you could spend a lot of +money right and not advance a lot, right? I think there's lots of ways you +can start straight away to learn that doesn't require to spend a lot of +money on courses. + +Chen Gour-Arie - 23:39 +Yeah, I think that if you think about the subject of this talk I think maybe I +recognize now that the content for an individual is trying to enter the +cybersecurity market and try to become to work there is different than if +you talk to a company who's trying to bridge their gap in recruiting people +is completely different. 
And I think that if we have captured here +something in it together and I think that for the latter, for the companies +that are trying to find out how they can onboard more professionals open +up, think out of the box and try to find ways to enable people contribute to +cybersecurity from different angles. Because actually there are many +angles that have been neglected. There marketing I think is one of them. +Internal marketing, promoting the message. + +Chen Gour-Arie - 24:32 +If you look at even security frameworks, they would deduct a very big part +of the framework would be about publishing the data and the knowledge +inside of an organization. And this doesn't have to do anything with +knowing, with actually understanding cybersecurity, it's just understanding +messaging and how to talk about it. If you are an individual, I think that a +good thing to do would be to look at yourself and how you're usually +interested in learning things and acquiring new skills and new knowledge +and apply the same thing to this process. There is no right or wrong way +to do this, there is just opportunities all over the place. Many of them are +free. I don't think you should start with something that you pay for and +then just embark on a journey. But please understand it will be a journey. + +Chen Gour-Arie - 25:28 +It will take years until you'd get to a level of people that have been doing +this for a long time. But you could acquire a lot of knowledge quite +quickly if you use what's out there. + +Dinis Cruz - 25:41 +But here's the thing, right, and I've been trying to do this for a little while. +The fundamental requirement is you need to start to have an interest +passion, because some people show passion different ways but you need to +be maybe fascinated is a more better word. You need to fall in love with +cybersecurity, right? Because I think the nice thing of our industry is most +of the professionals, they absolutely love it. 
There's a passion about it, +there's a genuine sparkle in the eyes that you see in our profession, which +is great, by the way. I think it's one of the great things of our industry. And +I also feel that there is an interesting situation because cybersecurity is +quite a glamorous in one way career path. A lot of people talk about it. +There's good media promotion and then there's good salaries. + +Dinis Cruz - 26:30 +I do see people trying to cross that for the wrong reasons. And although I +do believe that if you do the right path, you will earn more, your career is +probably better path to have a higher income. And not that should be the +goal, but again, there's a path there. Doing that for those reasons is +wrong. I do feel that it's a great career, probably not for everybody, but +it's a really cool thing. And that's the feel that it's almost like individuals, I +want to get into cybersecurity. They need to find the sweet spot, they need +to find the area. And cybersecurity is massive. It's fucking huge in terms of +areas that they can really relate to. And more important, they can go, oh, I +could do that better. Marketing is a good example. + +Dinis Cruz - 27:13 +A marketing executive can look at how we communicate and go, and you +guys have no freaking idea, right? This is a shit show, right? I can do +better. I might not understand cybersecurity, but I know how to +communicate, right? He says Response somebody might go, this is a shit +show. The way you handle incidents. If we did that in a hospital, half our +patients would die, right? So I think there's also areas engineering. Give +me an area. I can find an example in cybersecurity that you can probably +add value. And the good news is that we're not a mature industry. The +good news is because the market keeps evolving, because the threats keep +evolving, because technology keeps evolving, and now we got the whole +GPT and AI world, which is another massive area. 
+ +Dinis Cruz - 27:55 +The good news is you can still hack your way into the industry, like you +could still do what we did. I would argue that we hacked our way into the +industry. We didn't had a lot of formal stuff. We just stumbled across, +became good, gained reputation, got hired and it went from there. So it's +still a good moment to join the industry and I think we need a lot of new +blood and new ideas and new experiences. And it could be a work from +home mom, right? It could be somebody who's joined a bunch of other +stuff who wants to join. Or it could be somebody who wants to go the next +level of their career. I think there's a lot of really cool opportunities. + +Chen Gour-Arie - 28:28 +Agreed. I think that it's actually a very good timing because the evolution +of this is due. It's really required now that I think the same as information +technology is now maturing to a level where people have been shouting, +agile, do this, do that. But now it's already been through, I'd say, second +phase of evolution where people realize that even agile is not just a magic +solution and you need to have more. And the different professions inside +information technologies industry are evolving to become something much +more professional. Like, if you compare agriculture or other industries +that have been there for a very long time, you see the level of knowledge +and professionality that the humankind have around these is much more +mature than what we have information technology. + +Dinis Cruz - 29:29 +Put us to shame every day. + +Chen Gour-Arie - 29:31 +Yeah, it's amazing to see and it's amazing to realize this. And then if you +think about cybersecurity, it's even behind it's playing catch. And this is a +really good timing because as we can all see, it's really, truly necessary +that people will get. + +Dinis Cruz - 29:47 +The stuff figured out and the exacts pay attention. Right. Like, +cybersecurity is a top level risk for a company. It's not a low risk. 
And to +be honest, we get this wrong, our customers suffer. Right. Our financing +company suffers. Right. Or whatever you're trying to protect. So it's a real +thing. Right. I like the fact that I make my customers safe. We make a +difference by keeping their data, their assets, their experience, the trust. +We protect it. So I think it's a really cool career, right. And it's always +learning. There's always new stuff, there's always new things to learn. And +the thing that Anthony, you just said I think is interesting is to say the path +is hard to figure out where you can land. I would challenge that a little bit. + +Dinis Cruz - 30:35 +I think you need to find a path that you are already going and then do a +Tweak on it, on security. + +Chen Gour-Arie - 30:43 +Right. + +Dinis Cruz - 30:44 +Like, whatever career you're in, you're already in a career path, even if +you're learning it, if you're a student, doesn't matter. There's already +things that you love to do or you think you have a certain seller skill set. +That's where you want to align yourself. Right. You want to align yourself +with that. So I think sometimes it's easy to overbake this, easy to say, well, +I should go there. No, a lot of this is just try to do it, try to protect +yourself, try to protect your family, try to look wherever you are. It doesn't +matter if you're a student or a professional work for a company. There will +be a cybersecurity team that you can touch, that you can go in there and +say, hey, I want to be a security champion. I want to help out, I want to be +involved. + +Dinis Cruz - 31:23 +What can I do? Right? And open. Source projects. Like just volunteer, +right? Hack your way into the project. + +Chen Gour-Arie - 31:30 +Yeah, exactly. + +Dinis Cruz - 31:31 +That's the best way to do it. + +Chen Gour-Arie - 31:33 +Yeah. One of the key tenants here is think out of the box. Hack your way. +Hack your way into it. 
I think this would be the best if we're talking about +people trying to get in. Hack your way in. No rules. The only rule about it, +there is no rules. + +Dinis Cruz - 31:48 +Yeah. That's how most of us do it, right? Always be on the good side of the +force, by the way. Always be at the coach. Never do anything for personal +gain at that level. But apart from that, right? It's like, be out there and +find that path. And the gen AI stuff is massive because for the first time, +you can create a prompt that says, I do this to my friends. I write prompts +where I say, I'm this person. I have this experience. I have this and this. +What should I do? Actually, let me literally read you this, right? A friend of +mine is a PE teacher. Literally I literally wrote this. Let me just find it. +Which I think was a really good way to what's it called? Yeah. There you +go. Look. See, I literally wrote this, right? I'm X name. + +Dinis Cruz - 32:47 +I'm a teacher. I'm just reading, really, the prompt I created right when I +was with him, right in the car. I'm a teacher in London, has ten years +experience. I'm good with managing people. He wrote this. He wrote the +first part of it. He says, I'm a teacher in London, has ten years of +experience. I'm good with managing people, and I'm good at listening, +problem solving and resolving conflict. I love football. I'm a really good +team player, have strong ethics and values. I believe in happy and +productive teams. I had enough of my job. I'm frustrated with my current +career. + +Chen Gour-Arie - 33:16 +Send over the CV, please. + +Dinis Cruz - 33:18 +And I'm frustrated with my current job. I am looking for a career change. +And what are good options for me, right? I literally typed it. And then +again, what are good jobs for me in cybersecurity, right? 
And then Chat +GPT answered, hey, with your background in teaching, manage complex +people in conflict resolution, coupled with a strong ethics and team play +attitude, you are positioned to transition to cybersecurity. Here's a step for +you. Education and certification. Leverage your skills. Cybersecurity +Awareness and Training incident Response Team. Do some networking, +get some soft skills, blah, blah. Start small, stay updated, tell your CV and +that's it. So, literally, at this level. And then Chat GPT is cool because you +can go, okay, can you zoom in on this? Can you give me a five action plan? +Can you give me a three week schedule? + +Dinis Cruz - 34:04 +Just learn how to use it. In fact, Chat GPT at the moment, llams is a great +way to enter the industry. Because I'm telling you, half our industry +doesn't have a freaking clue. That's what I'm going to speak next, right? +Literally, they don't have a clue and they totally deers in headlights. So if +you even become half proficient in Chat GBT, you can use Chat GPT to get +you the job. And you should be hired just because of those skills. The same +way that people ten years ago were hired because they knew the internet, +like, hey, they want to hire a designer. We have ten designers. They're all +pretty good. You know the internet, there you go, we hire you. That was it, +right? And so those are the opportunities. + +Chen Gour-Arie - 34:44 +I think that Denzel and I were roughly the same age from that. I know +that we got our way into this industry, like you said before, by hacking our +way through. So I think this would be our most Jupiter recommendation. +Hack your way through what was just suggested here. Use Jet GPT to help +you find your personal ending point. I think it's fascinating. It's really cool. + +Dinis Cruz - 35:13 +And look, by the way, hack just from a historical point of view is actually a +good thing, right? Like hacking, you know, was taken by the media. 
But +hack is finding a problem. Hacking is MacGyver, right? For the ones it's +basically when you have a problem and you find a solution and you put it +together and you find a way to get it done. That was actually what's called +a hack in the early days. And that's what we would do in websites. +Somebody would put a website, put an application for a network, and we +will find ways to do things that were not supposed to be used like that. But +we're like, hey, guess what, it's possible. And here's the problem, here's the +implication. You just immediate that make it bad. + +Dinis Cruz - 35:50 +So when we say hack your way into it is finding that it's problem solving, +is figuring out how to go to the next step. + +Chen Gour-Arie - 35:58 +I think that it is worth mentioning that in order to be really proficient, and +especially if you want to choose the engineering journey, the technical +journey, you need to learn a lot and you need to learn a lot about +information technologies, about computers, about how software works. +I'd say it's not so easy, but you have to start somewhere. So I'd +recommend, if you're inclined to do the engineering path, the technical +path I'd recommend, learn about communication, computer +communication. Learn a little bit of coding with publicly available +resources. Try to create your own first web application using React. +Maybe go and try to follow step by step creating a React app today, it's +quite easy. Setting up dependencies is quite easy. You'd start with +something like a vite application. Vite. Try to go over the first step +instructions on how to do this. + +Chen Gour-Arie - 37:08 +Get yourself familiar with how technology work, how computer +communication work. You won't figure out everything in the first week or +even months, but the more you learn about it will create an appetite for +learning more. 
And then if you go with things like juice shop or other +training applications, we combine these two, the growing knowledge +around information technologies and software development, with the +appetite to try and break them and try to find loopholes and hack them. I +think this would set you up on a path, if technical path is what you are +looking for. But like you said, there are many other ways to get there. + +Dinis Cruz - 37:50 +But the key I think you touch is you need to learn, right? And let's be clear, +right? If you're trying to get an industry, you have a handicap. Let's just be +very transparent. You are competing with individuals that industry have +more experience. I would argue that if you come with a whole bag of other +experiences, you have a competitive advantage against those individuals +because you have a wider pool of talent and pool experiences, again, to +bring not cybersecurity, but others. But you need to learn, right? There is +no shortcut here. In a way, the learning, if you don't like to learn, then +that's a problem. But if you love to learn or if you enjoy learning, then it's +a good thing, right? I think that makes a big difference. + +Dinis Cruz - 38:28 +And also in terms of where to start, look, the Open Security Summit, in a +way, if you think about it, with the speakers that you have here, with the +community, with the people involved, there's enough employers, right, to +hire a lot of people. But what I sometimes find fascinating is that why +aren't a new generation a lot more involved? Like the Open Security +Summit needs a lot more volunteers, needs a lot of people to help. There's +a lot of stuff to do. There's a lot of things that don't happen because +there's not enough time, because it's all like volunteer driven, right? +Including my time. Right? So open source is a great way to be involved. +Communities like this, communities like Oasp, right? They're amazing +communities. And guess what? You can be hired through you. 
+ +Dinis Cruz - 39:08 +If you involve and you help somebody, they're going to go, oh, I have an +opportunity for you. And then it's a personal recommendation. And that +makes the whole difference because it's suddenly like there's somebody +who's more emotional connected to helping you, and they might give you +good guidance, good mentoring, and a lot of those individuals are there. +But you guys need to do the first job jump, which is be involved, help +figure out where you can add value and try it out. The worst thing that +can happen, you ignored that's. All right? At least you learn something. So +that's the thing, right? And we failed a lot. We always try these things. And +as long as you try and you learn and you recent repeat, eventually you find +your sweet spot and also work with people that you have the same values, +right? + +Dinis Cruz - 39:53 +There's lots of good people in cybersecurity. There's lots of bad people in +cybersecurity. There's lots of people doing cybersecurity for the wrong +reasons. There's a lot of people on areas of cybersecurity that have +questionable ethics don't need to go to those. Right. There's others who +are doing great stuff, work for great companies, or doing some great +things. Right. So it's quite big. Right. So align with your ethics, with what +you want to do, how you want to learn, and then take you from there. + +Chen Gour-Arie - 40:16 +Absolutely. Everywhere. + +Dinis Cruz - 40:19 +Cool. All right, man. I think we're just wrapping up. Any final words from +you? + +Chen Gour-Arie - 40:26 +No, I think we've said it all. Especially I think I agreed a lot with what +Denise said. Get connected with your own, with what you're good at. Try +to use this as your penetration vector. To get in it. You have to learn. You'll +have to learn some things. I personally recommend try to take in a lot of +information about information technology. Or you could also think of it as +a completely different thing. 
If you're not taking the technical and +engineering journey, there are many options in I wouldn't jump straight to +pay for education. Education is available for free. For your first steps, you +should definitely be able to do it for free. And then when you see that's the +right way for you, maybe you can also think of some paid education. But +don't start with this. + +Dinis Cruz - 41:23 +Dalio, you're joining in. Come on. What's your views on this? + +Chen Gour-Arie - 41:29 +We can't hear you. + +Dinis Cruz - 41:30 +We can't hear you. + +Chen Gour-Arie - 41:42 +Now. We can hear you now. + +Dinis Cruz - 41:43 +We can. + +Speaker 3 - 41:47 +Yeah. I just want to thank you for the session. It's always nice to learn +with you guys. I'm Deldio. I'm working now in It development. I'm +working as a quality assurance analyst. And I relate a lot to what Dinesh +said in the beginning. My background is in biochemistry. I was a teacher +for roughly three years, and after a few years, I started working in It, first +as a business analyst and later on as a tester. And, yeah, I continue the +journey and try and hack my way into the field, but no rush. I want to be +sure on what I'm doing. So I continue to be interested in the cybersecurity +field or industry, as it's becoming an industry. + +Dinis Cruz - 42:33 +Right. + +Speaker 3 - 42:34 +Or as you prefer to call it. The other day I attended Lisbon chapter +session, so I think I'm still trying to find out if I'm in love, if I'm really in +love with cybersecurity, and finding out if I'm up to the journey, basically. +And today I was in the office and I managed to fit this session in my +schedule. So I'll continue my journey and probably I'll try to hack my way +into the field. + +Dinis Cruz - 42:58 +Brilliant. I think I'm presenting in the London Lisbon chapter next month. +I think I'm just waiting for final confirmation. So might see you be could +be, yeah. 
You are a great example of a lot of I would say, the talent that +we need in our industry. One of the big elephants that always been I guess +I come from a developer background, so I guess it was a bit rich of me to +say this, but I always felt that if you understand development, you can't +really do AppSec, right? Like, literally. And a lot of the problems we have +in our industry is caused by even us as an industry or parts of our industry, +dictating AbSec stuff to engineers who know 100 times more on that on +the other side. And it's kind of like, dude, what the hell? Right? + +Dinis Cruz - 43:46 +You should understand how we operate, then give me guidance. And in a +weird way, it's not the cybersecurity professional fault, too, because it's +very skewed, right? Like, you're telling you we're asking for cybersecurity +professionals to understand about frameworks and this and development +and that workflow and this thing and that. The list is massive, which is +why I also think that the Gen AI and the agents that are coming next will +make a massive difference because it allows us to communicate in a much +better language so we can start to talk about the intent that we want to do +in security. But in your world, you understand about how to deliver code. +You understand how to deliver effective solutions, right? Like, come on, +man. Some of the cybersecurity teams, we're the worst ones, right? + +Dinis Cruz - 44:25 +Like, if you look at some of our development practices, if you look at how +even cybersecurity products, man, fucking out, like, some of the products, +literally, you think they should know better, right? But again, it's the same +problem. They have a problem. They're shipping to market. They go out +there by the time they're successful, it's lots of legacy stuff, and then they +become just like the other vendors that we sometimes have problem from +a security point of view, but they just happen to do a security product. 
But +I think that transition from QA to security, especially in development, +should not be that hard because you have a level of maturity that is +missing in lots of areas in the cybersecurity world. + +Dinis Cruz - 45:07 +And I would argue that even if you just do cybersecurity for a couple of +years, when you go back to your maybe QA is your passion or +development is your passion and you want to do maybe that path, you'll +better. I was a CTO for a while, and I can totally say that my definition of +what's possible was very different from the other engineers. In fact, I +would have to argue with other engineers about what was possible, and I +was like, Dude, this is your world. Why don't you get it? Like, okay, it's not +how it's supposed to be doing, but it works, right? So I found that even +sometimes the development teams and QA teams and engineering teams +get siloed, right? And insecure, you learn to question everything. You learn +the power of well, I know it was not supposed to be possible. + +Dinis Cruz - 45:52 +I know it was not supposed to work, but I just made it work. Right. And +then you understand how. So I think the curiosity is really cool in security, +because we can go deep. Right. + +Chen Gour-Arie - 46:04 +That's my experience as well. If you start from security, you open up a lot +of possibilities in software development because you adapt this kind of no +borders kind of thinking. You will always challenge the information +around you to see to find loopholes, and it opened up a good position for +continuing your career in engineering everywhere. + +Dinis Cruz - 46:29 +Exactly. Cool. All right, guys, thanks for participating. We'll share the +video, and I really want to figure out how to use Nargen AI to really +augment some of these topics, because I think we have a lot of great +content already on a particular summit, but it kind of gets lost. So I think +another we move the needle a little bit further. 
So, again, thanks, Jan, for +being part of it and helping with this session. + +Chen Gour-Arie - 46:52 +My pleasure. Thank you very much.
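Review bot: The added transcript carries uncorrected auto-transcription errors in names and terms that should be fixed before this is published, since they misidentify the speakers and the communities mentioned. The host is labelled "Dinis Cruz" in every speaker line but is referred to in the body as "Denzel" (34:44), "Denise" (40:26) and "Dinesh" (41:47), and the closing "thanks, Jan" (46:29) addresses the guest labelled "Chen Gour-Arie"; the participant labelled "Speaker 3" introduces themself at 41:47 ("I'm Deldio") and is addressed as "Dalio" at 41:23, so the label and the two spellings should be reconciled to one name. "Chat GBT" (34:04) should match "Chat GPT" used in the same passage, "Oasp" (38:28) should read "OWASP", and "AbSec" (42:58) should read "AppSec" as used in the surrounding sentence. Phrases that do not parse, such as "Jupiter recommendation" (34:44), "llams" (34:04) and "Nargen AI" (46:29), should be checked against the recording rather than guessed.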