Really happy to bring you this interview as Daniel is not only one of my favourite Twitter accounts to follow but also has some amazing resources on his PwnDefend site.
PwnDefend is a cyber security awareness, advisory and educational organisation with a mission to spread cyber security knowledge throughout the world. They do this to empower people and organisations to protect, detect and respond to current and emerging cyber threats in the modern technology-driven age, with a unique approach of using offensive capabilities as a learning mechanism, such as Capture the Flag games!
Ultimately their aim is to help current and future generations live in a world not ruled by digital fear, uncertainty and doubt.
Daniel, having spoken to him several times now, really is one of the good guys in cybersecurity; he always stays positive and sees the fun in everything. You really should give him a follow along with the PwnDefend account and check out the website for some awesome posts, information and resources.
A couple of my favourite articles on the blog are ‘The problem with gatekeeping in the cyber security industry’ and, given that I work in Incident Response, I really enjoyed reading ‘Incident Response Web Logs’.
What are the services offered by your company ‘Pwndefend’ and are there any other useful resources on offer if anyone needs them?
Awesome about the IR plan? I figured it was a good tool to help people not only plan for IR but also it’s a good risk management input tool.
My company provides consulting services across a range of activities. I tend to blend management consulting and technical consulting together to create a unique (ish) way of approaching customer challenges.
Previous projects have included:
- IT Transformation (vCISO/vEA)
- Cyber Security Assurance and Architecture Programmes
- Discovery and assessment projects
- Advanced Troubleshooting
- Technical Consulting stuff:
  - Offensive pews
It tends to be projects that are challenging, the weird and the wonderful or simply the “crap, we have real inertia and we need to unblock change” type stuff or to look at things from a different perspective and “go deep”.
Not going to lie, I am a fan of your Twitter and find you not only informative but sometimes hilarious. What’s your verdict on the cybersecurity Twitter scene?
Twitter is awesome, weird, funny and crazy! There are so many amazing people on there, many of which I am lucky to call friends! It’s the internet so it’s a wild west but largely it’s amazing but you need to block, mute and roll every now and again!
How did you get started in cybersecurity? When did you first become interested in hacking?
Parents tried to stop me playing Doom… bad move! Well, or good move depending upon the perspective! Look, for me this is just about having a really keen interest in technology. I sort of fell in love with computers when I was very young and I’m fortunate enough to be able to work in an arena that is basically a hobby. When did I first become interested in hacking? Forever really, making computers work the way you want them to is cool, clearly there’s the fun of learning, the mischief of pranks when I was a kid etc. I started in corporate IT when I was 17 and I’m about as white hat as you can get, I’ve never gone out to be a criminal, I’m sure however I’ve (for the right reasons) done stuff which is grey (that’s why we need a better reformed CMA) but I am a defender, even if I’m trying to find weaknesses. I don’t like labels but I’m basically rainbow team, I strategize, plan, design, build, break and sometimes operate. I’m fortunate to have been in tons of roles and positions in my career so hopefully I bring a balanced perspective into the world.
Do you have any advice for aspiring cybersecurity professionals?
Loads, firstly, rule number 1: do not compare yourself to people. That’s a route to burnout.
2: Cyber is a new industry, it’s insanely fast paced, it’s incredibly broad and no one knows everything.
3: Attitude, approach and communications mean more to me than technical skills. If you are a wizard and an ass I will only see the ass.
4: learn, learn, practise, fail, fail more, keep moving forward.
5: if it’s money you want go and work in sales.
6: networking (both TCP/IP) and the human.
What does a “typical” day at work look like? Is there even such a thing as a typical day haha?
I don’t have a typical day, it depends on the business demands/requirements and also projects and research. Some days I’m in the lab, sometimes I’m running workshops, sometimes I’m researching, sometimes I’m talking…
How long have you been in cybersecurity and how has it changed; do you think organizations are more focused on security now than they were in the past?
I don’t know how long…. I don’t even know what most people think cyber security is. I killed my first malware when I was a child so did I start then? Who knows. I’ve worked in the technology industry all my professional life.
Do I think organisations are more focused on security now? Yes, 100% they are… but more like it’s a shoe lace that’s loose and they should deal with it before they trip up but “that’s IT’s job” or “It will be ok”. There’s still significant underinvestment in people in cyber, there’s still shockingly poor cyber postures in the majority of organisations. It is getting better, but it’s better at a snail’s pace!
Can you tell me a little about yourself?
For someone who is online a lot I actually try and be fairly private. I love spending time with my family, going on adventures and being away from computers. If I can be snowboarding, rock climbing (badly), shooting or hiking I’m going to have a big grin on my face. Life requires balance between IRL and the matrix, I’m not great at the balance but I do try and get outside. If I can whisk my partner away for a holiday then I’m in a happy place but also I love the work I do! We only get one life, so I try and live mine with a smile on my face!
What types of resources have you found most useful for learning security: videos, courses, blogs, qualifications etc?
Practise, Practise, Practise!
Build labs, use trials, get hands on!
Don’t forget theory, and don’t just learn about infosec! Security isn’t everything in life, opportunity is important (not just risk)!
There’s shed loads of free security training and tools out there on the CTF/offensive side like Try Hack Me, Hack the Box, Vulnhub but also there’s loads of management and defensive content out there. Not everything is about pentesting (yawn!).
Qualifications are an interesting one, there’s a mixed bag of certs and people become certification obsessed. A positive attitude and hands-on experience are going to outshine a certificate any day. Ideally you want to get experience and certs!
What plans do you have for the rest of the year and then into 2022?
Plans for the rest of the year? You know it’s the end of the year, so I’m planning on seeing family, friends and going snowboarding! Next year I’m looking forward to helping more people solve some of their cyber challenges and seeing where the world goes.
Will finish with this. One book, one podcast, one blog (started singing Eminem to myself here), one cert and one YouTube channel. What would you recommend?
- Adventures of an IT Leader
- I wouldn’t recommend a single specific cert – that’s the path to living in a tunnel!
- I don’t watch specific YouTube channels, I just search for cool stuff! John Hammond makes great content so if I have to pick one he’s a good person to go see (ok and IPPSEC, both are awesome people!)
Give him a follow and a look over here:
Twitter = https://twitter.com/pwnDefend
Twitter = https://twitter.com/UK_Daniel_Card
Website/Blog = https://www.pwndefend.com/
Thanks again for your time.