Nurturing Cybersecurity Talent Development with Kenneth Ellington (2/2)

Welcome to episode 240 of the Nerd Journey Podcast [@NerdJourney]! We’re John White (@vJourneyman) and Nick Korte (@NetworkNerd_) – two technology professionals with backgrounds in IT Operations and Sales Engineering on a mission to help others accelerate career progression and increase job satisfaction by bringing listeners the advice we wish we’d been given earlier in our careers. In today’s episode we share part 2 of a discussion with Kenneth Ellington, detailing his work as a mentor and coach to students at Ellington Cyber Academy (ECA). We’ll discuss different specializations in cybersecurity and some popular stereotypes, get some perspective on what Kenneth has learned as a business owner, and hear his future vision for ECA.

Original Recording Date: 07-03-2023

Kenneth Ellington is a Senior Cybersecurity Consultant specializing in SIEM and SOAR technologies. He is also the owner and founder of Ellington Cyber Academy (ECA). If you missed part 1 of our discussion with Kenneth, you can find it in Episode 239.

Topics – Coach and Mentor, Cybersecurity Certifications and Specific Roles, The Business Owner’s Blind Spots, What’s Next and Parting Thoughts

3:14 – Coach and Mentor

  • Was the mentoring and coaching part of Kenneth’s business something that was surprising given his experience as an instructor or expected?
    • Kenneth says the two play hand in hand with one another.
    • Normally if people want 1-1 coaching after the program ends, there is a cost.
    • When you’re part of the program, Kenneth is there to help you with any questions or concerns because he knows it’s challenging do the work.
    • Kenneth says it can be difficult when you’re getting rejected for jobs over and over again. He’s been there and wants to help his students get through the tough times.
    • Kenneth tells the story of spending all his money to buy a suit for an interview that was cancelled the day before it happened.
    • “It’s hard to see the light, when you’re crawling through the mud, when you’re down in the trenches. So it’s my job to tell them, ‘keep going. It does end. Trust me….I can see it. I’m not in the mud anymore.’ That’s one of the biggest things to get across to my students.” – Kenneth Ellington
    • John mentions there is a difference between knowing intellectually that you can / will break through and feeling it emotionally.
    • Kenneth agrees and says people have to trust in the process. There will be times when no one calls you back after an interview and times when you don’t get interviews.
      • This kind of experience can lead to self-doubt.
      • “If you do these steps over and over again, and you keep tweaking it until the desired result, it will work. That’s what I’m there for.” – Kenneth Ellington, on trusting in the process to eventually produce outcomes
      • The time it takes for people to get a job who go through a program can vary based on experience coming into the program and how well they understand the concepts (i.e. might take more time and work to refine skills and cement concepts).
      • People may need help in areas like interview skills / improving their resume to help get a job, or it could be getting a promotion that someone wants. It depends on what the person going through the program wants.
    • Nick asks if Kenneth sees any kind of peaks and valleys with people going through the program (i.e. getting a job / promotion and then hitting impostor syndrome)?
      • Kenneth says he doesn’t see this with his students after finishing the program. ECA partners with managers from different companies like AWS and Accenture and partners his students up with those managers. This usually helps students understand what they are going through is a process that takes time.
      • It’s the beginning of the program when the impostor syndrome sets in because people didn’t expect going through the program would be difficult. Even though people are told the program will be hard they cannot actually experience the difficulty until they go through it.
      • People will get into the capstone presentation and say things like they haven’t previously done a presentation that difficult. It creates nervousness and anxiety because the presentation is being made to managers who work in cybersecurity.
      • The first capstone presentation can be a low point when people begin to doubt. And generally they gain confidence after that.
      • When students continue to not do well on a capstone presentation it is likely they did not properly prepare. If students do not do well on a capstone, Kenneth will sit down with the person to provide some feedback on where their presentation fell short, and he helps them understand what they can do to improve (creating a “roadmap”).
      • Kenneth shares that he is a coach and not a player.
      • “I’ve given you all the tools to be successful. We’ve repped it out over and over again in practice, but when it’s game time, it’s actually on you to produce and execute. That’s how I’ve always seen it.” – Kenneth Ellington, on his role as a coach for students.
      • Kenneth tells students to treat the capstone presentations like a job interview (because it definitely is) and prepare accordingly.
      • Kenneth has presented to Fortune 20 companies and can tell when people are not taking the capstone presentation seriously (as can the managers listening). There have been times when people did not prepare, and it was embarrassing and frustrating.
      • “You give them all the tools to be successful, and they don’t always do it.” – Kenneth Ellington
      • Kenneth is there to help students succeed, but they have to do the work. When they don’t prepare or take things seriously it reflects poorly on him as the owner of ECA. Kenneth takes pride in his name and expects people in the program to take pride in theirs.

10:38 – Cybersecurity Certifications and Specific Roles

  • When students come out of the program and are ready to get a job, what other things should they consider when progressing in a cybersecurity career?
    • John references certifications as one way and cites the CISSP – Certified Information Systems Security Professional. Kenneth does not have this certification but has heard this is a hard one to obtain.
    • Kenneth tends to focus on Microsoft and Splunk certifications since they are the ones most needed for the technology stacks he works with as part of his day job.
    • As part of the ECA program students are given the material for and able to sit for the Splunk Core Certified User and Splunk Core Certified Power User exams. These are some of the front line certifications for those who seek to pursue a security analyst position.
  • Do security and compliance mandates within organizations come from under a CISO (Chief Information Security Officer)?
    • Organizations may do this differently from what Kenneth has seen (depends on organizational structure).
    • Kenneth feels the CISO should report directly to the CEO of the company, but he’s seen CISOs report to a CIO or CTO for example.
    • Kenneth sees many organizations with silo environments where information gets stuck in one area. It may not be clear what everyone on a team does, and people may not have the time or knowledge to document things to account for people leaving.
      • This creates a lot of knowledge gaps and can prove difficult when trying to replace senior engineers who leave the company. Kenneth has seen this lead to expensive problems – large backlog for the team, existing members burning out, and someone in a high position getting the blame.
    • John stresses the idea of having good people and not being totally reliant on those people.
      • There is the idea of 20% art in a job role that requires experience, and others might be able to get 80% up to speed by reading all the documentation. But if an organization doesn’t have the documentation to allow people getting up to at least 80% ready, it’s a bad place to be.
  • Even though cybersecurity is one part of technology, the discipline of cybersecurity is still quite broad. How do people determine their specialty or area of focus based on skills and interests?
    • Kenneth says many people who come to him about getting into cybersecurity are interested in being an ethical hacker.
    • John has seen this behavior quite a bit. Kenneth tells us people often times do not know what it takes to become an ethical hacker.
    • Kenneth tells us if you want to be a penetration tester (or part of a red team), you should be prepared to write a book each time you perform a test / exploit.
      • “You have to document step-by-step every action you did over the past month thoroughly…word for word…step-by-step. And it takes 200 pages sometime to write that down.” – Kenneth Ellington, on the documentation required for penetration testers
      • Kenneth doesn’t think writing a book every time he does his job sounds fun. He has no desire to teach red teaming or to do it.
      • We see this role glorified on television, and it’s become somewhat of a stereotype. Kenneth gets asked all the time if he’s a hacker because he’s in cybersecurity.
      • “They think I sit with my hoodie up in my basement (even though I live in an apartment) and just type away on my keyboard, eat pizza, and drink Mt. Dew (even though Mt. Dev is disgusting). They think that’s what I do, and I don’t do any of that at all.” – Kenneth Ellington, on the stereotypes put on people in cybersecurity
      • Kenneth says many people may not have the temperament for this kind of work (penetration testing / red teaming) or don’t want to write that much.
    • Kenneth encourages people to research what they think they might want to do in cybersecurity, play around with it (and some of the technologies used in it), and then come back and talk to him.
      • After some research, people often come back saying they don’t want to do ethical hacking and that they would rather be a security engineer or SOC (security operations center) analyst or a GRC (governance, risk, and compliance) analyst. Kenneth can help people with those types of roles.
      • A SOC analyst is like the first line of defense in security operations (tier 1 / tier 2). Once an alert fires in an environment, it would be your responsibility to respond to that alert (i.e. a user clicks a phishing link and gets credentials compromised).
        • There are different tools one could use here like Carbon Black, Splunk / Splunk ES, Microsoft Defender, Microsoft Cloud, etc. (depends on your company and what tools they use).
      • A security engineer will often times build some of these toolsets or possibly design and engineer them.
      • A GRC analyst stands for governance, risk, and compliance.
        • These personnel would put many of the policies in place within an organization. They would need to be aware of regulatory practices that are related to NIST, FedRAMP, MITRE.
      • None of the above that Kenneth mentioned require you to eat pizza, wear a hoodie, and drink Mt. Dew.

18:52- The Business Owner’s Blind Spots

  • In addition to what Kenneth mentioned about getting a sales and marketing coach for his business, were there any blind spots he didn’t see coming when he began as a business owner?
    • Kenneth says owning a business is a lot of work. He knew it was going to be a lot.
    • “Someone can tell you, ‘hey, climb this mountain.’ You know it’s hard, but until you actually do it you don’t really understand how hard it is.” – Kenneth Ellington on knowing what he was getting into as a business owner
    • Kenneth says the first month was completely insane, and he wondered to himself how people do it who are business owners. Since that time, many processes have been simplified so the company can scale and make things repeatable.
    • Kenneth thinks the business coach (Valencia) is the biggest thing he wishes he would have brought on earlier.
    • Kenneth feels the company has done well for being in business for 13-14 months at the time of this recording, helping at about 9 people get new jobs during this time.
  • How can people start a business and keep it from conflicting with their day job?
    • Kenneth would advise checking with your company’s HR department and ensuring they are ok with it.
    • If the company doesn’t have an issue with it, start small (minimal money investment) to test your idea and prove the concept. You can get a free landing page on Carrd.
      • You may have to give out advice for free to start. If people like it ask them for testimonials. Then you can look at starting to charge.
      • If charging for advice / services works, you could do some coaching sessions, but continue to build and scale from there.
      • If the above works, begin to automate processes and maybe hire a virtual assistant if you need it.
      • The steps here can take years, not just weeks and months!
    • “The biggest way to be successful is just to be consistent People will give up pretty quickly, so if you’re serious about continually improving processes and techniques over years, again not months or days, then you’ll outlast most other people.” – Kenneth Ellington, on success of a business over time
      • In some ways it’s a time game.
    • Frequent professional networking and going to events is important to build trust and connection with others. When people see you consistently over time they become more comfortable investing in you and what you’re doing.
  • How has Kenneth found ways to balance the work he does during the day with his training business? Is there a way to balance it all?
    • Prioritization is extremely important. Kenneth has determine the things he does and does not care about as a business owner. If he doesn’t care as much about it, he will pay someone to do it or automate it away.
    • Kenneth does boxing and kickboxing to keep himself mentally sane and in good shape. He can kick a bag as hard as he wants and practice his technique.
    • “Your physical and mental health is everything. If you don’t have that you will not be successful in business….If you can’t take care of yourself, you can’t take care of anyone else.” – Kenneth Ellington
    • Meditation, prayer, eating right, going outside, exercising, and getting enough sleep are all important.
    • Kenneth also likes to travel when he gets the chance to do so. He also watches anime and likes to cook in addition to working out 5 times per week.
      • Nick mentions he needs to get back to working out regularly.
      • Kenneth has been kickboxing for 20 months now and finds it to be second nature to just go and do it. At first he was scared and a little afraid of looking silly, and it was a task to get himself ready. But over time it’s become a part of his life.
      • Kenneth is modelling good behavior for all of us in making the time to stay healthy mentally and physically!

24:26 – What’s Next and Parting Thoughts

  • How does Kenneth decide what’s next in his career?

    • Kenneth has a number of goals. One of them is to get ECA to the point where it can be a full time job.
      • In this future state, Kenneth would like to travel to different conferences and events for different companies. He would like to do trainings for different companies as well.
      • The ultimate goal for ECA is to be a better alternative to a master’s degree in cybersecurity.
        • Kenneth has seen people spend a ton of money for a degree but get no practical experience out of a master’s like this (which shows during interviews in a negative way with potential employers).
        • Ideally Kenneth and team would bring in expert instructors from different niche areas like threat intelligence / vulnerability management to teach for 1-2 months of a year long program and provide hands-on experience to students.
        • Kenneth plans to include a way to gain experience doing professional networking in this program as well to help bridge the gap in what colleges provide people.
      • Kenneth would also like to expand into Africa. His family is from Jamaica, and it would be extremely meaningful to bring back technology there based on his heritage.
        • Many countries in Africa don’t have the right infrastructure, so Kenneth is working through various partnerships to help in this area.
    • John has had an open task to connect with BLKMEN IN TECH for several years now, and the discussion with Kenneth has inspired him to get involved in a local chapter.
      • John also says he needs to work on building a habit to get back on his spin bike at home consistently.
  • If you want to follow up on this conversation with Kenneth…

  • Mentioned in the outro

    • We don’t do a great job expecting things to be hard, and often times we do not understand the way in which it will be hard until we experience it. Don’t be afraid to ask for help! And we have to decide whether we will actually accept the help.
    • If you want to learn more about cybersecurity job requirements, look on LinkedIn to get an idea of the requirements hiring managers want. You might need to talk to someone like Kenneth or do an informational discussion with a hiring manager like Mike Wood did in Episode 169.
    • For more stories of people who went into cybersecurity, go back and listen to
      • Episode 133 – Forensics and the Boredom of Peacetime with Donovan Farrow (1/2)
      • Episode 134 – Pass down Your Legacy with Donovan Farrow (2/2)
      • Episode 180 – Hired on the Spot with Bill Kindle (1/3)
      • Episode 181 – Crossing the Burnout Fault Line with Bill Kindle (2/3)
      • Episode 182 – Security from the System Administrator’s Lens with Bill Kindle (3/3)
    • Business owners have control of ways to give back or make an impact to their customer base and the greater world.
      • Do you know how the company you work for is making an impact? Do some research to make sure you understand, or ask someone (your manager or others). Make suggestions on how the company can make greater impacts.
      • If no one has ever helped connect the dots on how you’re contributing to the way your company makes an impact, talk with your manager.

Contact us if you need help on the journey, and be sure to check out the Nerd Journey Podcast Knowledge Graph.

Leave a Reply

Your email address will not be published. Required fields are marked *