A cyberattack is a real and ongoing danger for businesses today. Cybersecurity training can help you protect your company from the inside so you can feel as prepared as possible. The Cyber Range and Training Center in RIT’s Global Cybersecurity Institute does just this. They train people by giving them immersive scenarios and emulation training. They also believe in bringing as many people into cybersecurity as possible. It doesn’t matter if you’re a nurse or disabled; as long as you’re interested in cybersecurity, you can train and help protect the world from hackers.
Join Matthew Stephenson as he talks to the Director of the Cyber Range and Training Center in RIT, Justin Pelletier, about their approach to training. Justin also oversees cybersecurity competitions that bring together top cyber talent from across the globe. Discover what it takes to get into cybersecurity and why diversity and inclusion are so important. Check out their Bootcamp and start your training today.
—
Dr. Justin Pelletier: Protect The Outside By Protecting The Inside
My name is Matt Stephenson. For some of you that are new to the show, you may know me from pm73media, perhaps from the InSecurity Podcast. Maybe you saw me at Black Hat in Vegas. I’m that guy. More importantly here on the show, we will be bringing you top experts in the industry for a chat about all that is interesting in keeping our world secure.
We are excited to welcome Justin Pelletier to the show. Justin, I don’t even know how to even describe this because it’s so cool. At the Rochester Institute of Technology’s Global Cybersecurity Institute, he is the Director of Cyber Range and Training Center. He’s a Professor of Practice in the Department of Computing Security.
He teaches at the undergraduate and graduate levels and helped establish the entirety of the Hacking for Defense initiative. He has a PhD in Information Assurance and Security, an MBA in Entrepreneurship, which is pretty cool, and a BS in Computer Science. He is a combat veteran and currently serving as a Major in the United States Army Reserve.
—
Dr. Pelletier, welcome to the show.
Thanks for having me. That’s making me blush a little bit.
That’s your life. Don’t thank me. This is for us to thank you for putting in the work to do all that stuff. Let’s get after it. Let’s open with RIT because you guys are doing something interesting. It feels like it’s one of those joints that people may not know about but have been influenced by. When we talk about the Global Cybersecurity Institute, at the top of the website, it says, “RIT Cyber Range and Training Center is capable of hosting more than 5,000 virtual machines simultaneously in immersive scenarios, enabling executive incident response training, threat intelligence, emulation training, and more.” That’s a lot. Tell me about your baby.
This has been a labor of love for the team. I’m grateful to be working alongside such amazing professionals to help put all this together. I have the great fortune of being able to describe that with some regularity to prospective clients and different learners who are interested in exploring the range. What we do is host competitions and build training environments. We do that in our range, which is capable of hosting many thousands of machines altogether with complex networking and sub-networking.
It allows us to create realistic scenarios that can be quite deep and broad at the same time. We do that in competition and training so that we can present realistic contexts for our learning objectives. We do that by simulating various critical infrastructures and different companies from energy, healthcare, and finance, even managed elections or voting.
Managed elections are a dangerous way to describe things.
Let me explain a little more before I get myself in trouble. In that specific scenario, we created an elections provider as a simulated competition environment for the Collegiate Penetration Testing Competition, which we host at RIT. We have hosted there for years. A handful of years ago, we recognized that the cybersecurity of elections is an important thing.
We created this environment for students from all over the country at that time and now all over the globe to pen test, ethically hack, and then give reports on what could be improved. This isn’t necessarily meant to model any specific election district or anything like that. It’s all hypothetical but it does give good exposure to realistic technologies and use cases that students can then go on and explore further after they have graduated.
You and your team built this environment but since then, you have been deeply involved in applying it to things. For you, which is more interesting, the creation of this type of tool or the application of this tool for hard-hitting journalism?
It’s a lot of fun and there are some sweat and tears. I don’t think we have had too much blood yet but there has been a lot of energy, effort, and enthusiasm into building these different environments and creating these types of training but in reflecting more, it’s the application. We host these competition environments. Students get realistic scenarios of needing to do a pen test and then explain the risk in a language that executives can understand. It’s not only deeply technical. It’s also about communicating well, which is very rewarding to see.
We have created some training programs that are well-suited for non-technology folks looking to break into the cybersecurity industry. That has been overwhelmingly rewarding to learn about a receptionist, a construction worker, or a trash collector now getting jobs in cybersecurity following our training programs. That’s life-changing. That is a big difference that we are able to make through that. There are a lot of other examples but the application is probably the most enjoyable part of it.
Let’s step into that a little bit, especially when you talk about the non-traditional. Students are there. You are a part of the academic evolution of our industry but you are also involved in bringing anybody who has an idea and motivation into cybersecurity. We all know the Gartner numbers and the skills gap cliches. We’re all tired of hearing about it. What do we do?
When you talk about the trash collectors and the people that are in their late 40s moving on to new portions of their lives, they may not think about us. They may think, “I need to get my real estate license. I may need to go do something.” Why don’t they think of us? How can we get them to think? We need smart people. You’re smart. You’re charismatic. Why not look at us?
That’s a question that we have been wrestling with. It took the disruption from COVID for us to take a swing at it because we have this amazing in-person experience with the Cyber Range. It’s a compelling and amazing security stadium where we can host these events. I’m speaking out of turn here. I don’t know that I could call it a stadium.
That’s super cool. It might see ten people but if we’re getting into this whole like eSports thing and if we can make that part of our thing, it’s a stadium. I’m in. Let’s go.
This is a little bit on a tangent but the Technical Director for the Cyber Range is Chad Weeden. He’s the eSports director for the university. We are the largest and most successful eSports program in the country. I say that because we specifically are looking at what we can learn from eSports to make cybersecurity more spectator-friendly. Instead of watching paint dry on the wall, there are some things that we can do with visualization and communications to make it a little more compelling.
We have seen a great example of that with the President’s Cup in CISA. Seeing that and the feel, we have tried to imbue some of that into our competition hosting. The core question that you asked is about what we can do to help with this skills gap. It is a bit cliché but when we had 30 million Americans laid off at the start of COVID and this persistent gap of 1 or 2 million cyber jobs unfilled at any given time, to me, that was a big opportunity.
The team rallied around the idea of creating this on-ramp to the field for exactly who you described like the mid-career professional who got their industry pulled out from under them. They’re smart and hardworking. They’ve got a mortgage and kids to feed. They want to get on their feet again. Maybe they have always been pretty good at computers or at least curious about cybersecurity and willing to go through the hard work to get there.
What we did, we built an entirely virtual fast track or a boot camp to launch their careers in cybersecurity. After fifteen weeks, they’ve got enough skills to get their first paid experience. We have had some tremendous successes from that. I shared a couple of anecdotes from some of those who have graduated from the course but in building that and seeing what happens, it’s so resonant to me that what we need more of is cognitive diversity in the field.
We have a great pipeline from amazing universities and a four-year STEM degree. You have a couple of years of experience in IT or computer science, and then you go into security, that’s great. We need more people like that too but what about other people with other life experiences that come at it from different angles? The nurse, for example, who knows about the patient experience and the healthcare worker experience, is trying to get security in the hospital. We need more people to understand what the hospital environment is or the hospitality manager.
We had a young man about my age who had a decade and a half of experience as a hospitality manager for a major hotel chain. He wants to learn about cybersecurity and help all the major hotel chains across the country get better at cybersecurity. That context is something that you can’t make up or get in the classroom. I want to expand on that idea of cognitive diversity.
It’s very clear from the research that teams with high cognitive diversity outperform other teams in complex and creative tasks. I can’t think of a more complex and creative task than the need to outsmart hackers who are by definition creative thinkers. They think outside the box, so we need to outsmart them. We need different types of thinking in the field, so we created this specifically for that purpose.
We have the National Technical Institute for the Deaf at RIT. We have partnered with the National Technical Institute for the Deaf to offer boot camp cohorts in American Sign Language. All of our cohorts are blended. We have a lot of different definitions of what it means to be cognitively diverse. Abilities, backgrounds, ethnicities, and skillsets are all complementary and should be if we’re looking at this as a holistic problem-solving activity.
Disregard everything that I said that you and I were going to talk about, that I had said to you, and that we were going to do this because you blew my mind. It’s something that I should have been thinking about and we all should have been thinking about. I had the great fortune to speak with neurodiverse people about the role that they play in our industry. I am a White, blue-eyed, right-handed, cis male, American-born. I am the most average person.
It’s always like, “How can I talk to anybody that’s not me?” That’s the thing about this but I don’t know if I considered the notion of cognitive difference. I don’t want to use the wrong word here. Forgive me if I use the wrong one. If you talk about deaf and blind people, how does that come into the conversation about coming into our industry? What are the additional things they bring in the way that they consider security in ways that we may not?
One of the easiest and most obvious answers to that question is the inherent acceptability of access to technology within those communities in particular. They’re used to mediating conversations with others through technology. They have a lot of applied experience in that process, which they bring to bear. That’s one but also, with different sensory abilities, there’s a neural mapping that’s differentiated.
I’m not a neuroscientist. I can’t speak to that in particular but as a person who builds teams and tries to get security improvements into companies through research and into practice, folks with different neural mappings tend to look at the world differently. Everybody has some individual variation in the way that we process words and thoughts.
I dropped this on you out of nowhere. In reaction to your question, it’s like, “It’s amazing.” I’m not expecting you to speak for everybody on this.
I’m happy to do that because it’s a great passion for me because it does tease out some of those deeper questions that we have been wrestling with as a society in particular over the last several years. We all know that diversity, equity, and inclusion are the right thing to do but in this case, in particular, there’s a lot of evidence to suggest it’s the smartest thing we can do.
I’m leaning forward in my chair getting out of host mode. We’re sitting in somebody’s basement throwing a Rush album on and talking about what we’re going to do here. You are in an interesting position. You have created this incredible place that is designed to do this thing. It’s not only that you want to get the smartest people in the room. You want to get the most creative thinkers in the room.
There’s a sliver of people that are tired of hearing the word diversity but what we need is everybody who thinks differently. If that means people who were born without vision, people who cannot hear, and people that are neurodiverse, let’s get all of their opinions on these things because otherwise if we’ve got a bunch of White dudes, 2 or 3 women, and a couple of people who aren’t White, that doesn’t count. How weird can we get to start thinking about security to deal with everything because that’s the best way to do it? Let’s get weirder than they are willing to get weird.
There are a lot of interesting takeaways that I’ve gotten through this process. I can’t speak for my team but I suspect that many would agree. One of those, in particular, was we were thinking, “What about specific boot camps or programs and cohorts dedicated to a specific minority group?” One of my teammates made me think about that in a deeper way when she said, “There’s no evidence to suggest that people from this racial background think differently. Necessarily, they don’t learn differently.”
We know with a blind person or a deaf person that there are different learning modes that they require. That’s a great point. Maybe we don’t have to necessarily adapt our learning resources as we did to accommodate the different abilities of the deaf and hard of hearing or the colorblind and so on but we should still contemplate the different perspectives that people with different backgrounds and ethnicities bring. That’s not just ethnicities or gender. There are a lot of different ways to define that.
Even further, when I look at bringing somebody on the team, I generally ask, “What’s your position on diversity, equity, and inclusion?” It means a lot of different things to different folks. To your point, some folks are fed up with the whole topic and some folks embrace it wholeheartedly as their soapbox or something. Others have a bit more nuanced approach. One of those jumped out to me in one of the interviews I had. I had a response to that question. It was something like, “Diversity is about how we identify.” Nobody can tell you, Matt, that you’re too normal or you’re not weird enough. There are different ways that we identify.
I’m willing to accept that I am too normal.
Nobody can tell you how to identify necessarily. It’s about what you bring to the world. In thinking about that, it doesn’t necessarily only conform to one type of background but one thing that does resonate with me is that when we think about people with different abilities, whether neurodiverse, deaf, blind, or born with less advantages, there are tons of different natural things as well as all the other ways that we might think about diversity, equity, and inclusion.
Fundamentally, underpinning all of that is a natural recognition of the dignity of the person and what value each of us can contribute to society. When we think about the mission orientation of the service that we provide as security professionals, we’re inherently interested in doing something that makes a positive impact and something bigger than ourselves. That’s something that everybody from any walk of life or any ability level can get behind. That’s tremendously motivating to me.
I apologize. Your answer fired me up. It wasn’t in any way to ambush you. I’m like, “What about this person who’s not included?” That’s not what I mean. It’s interesting. You have built this opportunity for students to come in and learn. The coolest thing is you have no idea who’s walking in your door. You have brought in the opportunity to learn but then they’re also coming in to teach. It’s that whole learn-teach-learn thing. You have no idea what they’re going to look like and where they have come from. You’ve built this incredible opportunity for our industry to learn this.
Maybe this is a better and easier question to answer. Are we paying attention to the people who don’t look like the bulk of the industry to gain that additional thing? Give me a second to get loose here. Everybody loved Thor, not the last one because that one was terrible but the one before that because it was big, fun, and weird. Taika Waititi did this amazing thing with it. Are we willing to listen to voices that don’t look and sound like us to make the adjustments that we may need to make, adapt, read, react, and overcome?
That’s a profoundly necessary question that we should continually ask ourselves. I can share what I’ve learned from our experience. We started with a fully deaf cohort in our fourth iteration of that boot camp. We’re opening up cohort number nine. We have had enough time in retrospect to see how the market of future employers responded to these grads. We have found that the deaf grads were getting a fraction of the interviews and taking a lot longer to get the job.
I said, “What’s going on with that? That seems wrong.” I brought this up with my colleagues in the National Technical Institute for the Deaf and they said, “This isn’t a surprise. We have known this for years.” I said, “What’s up with that? Are people biased and discriminatory? What’s the story?” Donna, my colleague, said, “There’s a language barrier. If you’re trying to communicate high technology, the difference between SMTP and SNMP could blow your interview. An interpreter trying to relay that nuance is not something that you would expect.”
As soon as she said that, it was like, “I should have known.” What we have done is built an apprenticeship program following it. We built a grant-funded pilot. We have 4 deaf and 2 hearing in different categories of diversity in this pilot program but the goal here is to present opportunities for them to do real-world work and build a portfolio. Instead of trying to convince an employer, “Take my word for it. Here’s how I know what I know and so on,” they can say, “Here’s what I’ve done for them. Here’s what I can do for you.”
That’s our approach to dealing with that implicit issue. It is an important question because who wants to take a risk on security? If you don’t have the right pedigree and you don’t come from the right bag and speak the same language, whether that’s a heavily accented language or using the exact right words and cadence in the right sequence, that could blow the interview for somebody or it could make the difference between two competitive candidates. Your question is spot on.
I was about to say, “Remember the things we were going to talk about,” and then you dropped another bomb on me that I can’t let go of. I promise this is the last knuckleball I’m going to throw you. You said, “Who wants to take a risk on security?” Tear of the mind, I did the thing where you put your hands to your head, and it goes to the mind, “Who wants to take a risk on security?” Do with that question what you will. That’s the worst interview question I could possibly throw your way besides, “Tell me about yourself.” Who wants to take a risk on security? Where is the value in being willing to take a risk?
What we’re starting to evolve to is a managed risk perspective. We always take risks with security but I don’t think that we necessarily have that mindset going into it. You can’t spend more money than the company takes in revenue on security. It doesn’t make sense. Inherently, there’s going to be a risk because you can’t perfectly secure anything anyway.
If you spend more money on security up front, is it applicable to say, “We did it because we know that it’s going to pay off in the end?” Is there value in making that argument? I’m not saying you should or you shouldn’t. I don’t want to have a position at all because I want to do another episode.
That’s one question that is part of the crux of my research agenda as an academic looking at what’s economically optimal from an investment and risk management perspective. There’s the standing awareness that about a third of the expected loss is the optimal expenditure on information security protections. What that investment is in is debatable.
What we might say is the best way to calculate the expected loss is still debatable. The value of data or different phases of maturity is still under investigation but there’s that idea of what’s the right investment level. How do we know that we’re hitting the mark and spending only what we should now? How long is our time horizon for that investment?
The thing about hiring decisions is that they are in theory permanent but in reality, they’re two years because of the turnover in our industry. It’s not an infinite time where you would say, “You’ve got somebody for a 20-year or a 10-year career.” That’s not necessarily the case. There’s room for hiring managers in particular to push back to the HR filter that says, “Everybody needs a CISSP and five years of experience to do an entry-level cyber job.”
It’s absurd what we have seen in some of the recruitment though pretty much every practitioner gets it. They say, “I don’t care if they’ve got a Master’s degree, a Bachelor’s degree, or even a high school diploma. I want somebody that knows the skills that they can do the job.” That’s the right approach from the doer’s side and even the managers of the doer’s side but I don’t know how well that percolates across the organization to where they’re thinking about it in that holistic way, “Where can we afford to take a risk? For how long is that risk going to be actualized?”
The pain point that I’ve heard most frequently in talking with chief information security officers is that longevity piece. You spend however long recruiting a person. You get them trained up for six months. They can do the job well, and then they’re gone in eighteen months after that. That churn is detrimental to the posture. In my mind, if we invest in somebody, that fosters loyalty.
“You’re taking a risk on me. I’m going to stick with you even if you can’t pay me as much as I might get somewhere else or the $3 higher an hour. I’m going to go jump firms. You believed in me when I barely believed in myself.” That means something to people at a very human level. That will translate well once we can spread that message a little more broadly.
I’m going to give a shout-out to my guy, Christian Noreika. He’s one of the most badass security engineers I’ve ever known in my life who has his GED and PhD in the same frame. Please don’t tell me that you have to walk this path to get to the end of your life, do this thing, and make things. We have been talking about people. It’s one of the things that you and your team have built at RIT.
When you are talking to your clients, and you’ve got the great privilege to work across the spectrum, it is public, private, big, small, or all kinds of things going on but the common element in everything is people and the chaos of people. Do they ask you about people when you come in to talk, “How do we lock down your stuff? How do we keep things secure?” How much does the chaos of people come into the conversation?
It depends on who we’re talking to. Most technologists in the IT department see people as the problem because people are the ones clicking the link they know they shouldn’t click. That’s still the most prominent infection vector but when we have the dialogue, pretty much everybody agrees that cybersecurity can’t be solved by technology alone. It has to include people and processes as well as technology. That gets some traction. Inherently, other fields tend to look there first.
HR, finance, legal, and these different complementary disciplines within a firm that does have cyber equities and stakeholders if not shareholders in cyber tend to think about people first. It’s who we’re talking to within the organization. The senior compliance officer and the chief counsel at a company want to know how to make sure that their people are doing the right things and that they’re following the right processes. They care about technology but not in the same way as the CISO would or an IT project manager would. It’s not the most direct answer but sometimes it depends.
On the show, what I’m not looking to do is ask you a question and for you to pick A, B, or C. What we want to talk about is your approach.
It’s not a multiple-choice interview. I love that.
This isn’t T or F. I was always the one where my Ts looked a lot like my F depending on how one crossed the other one. You also come from a very interesting background. We mentioned a bit of your CV. You are from a military background. I’m not looking for any type of deep-dive details. Before I ask this question, help me ask my next question. It’s way easier for you to do my job than for me to do your job. When it comes to military intelligence versus counterintelligence, in a short version, can you separate those two for me?
Simply put, military intelligence is an oxymoron. Military counterintelligence is a double negative. It’s real and smart. I’m kidding.
These are old Army jokes.
My friends busted on me when I joined the counterintelligence service. That’s what they said, “You’re not unintelligent anymore. Got it.” The whole idea of intelligence is informing what the enemy is up to. What’s the bad guy up to? Counterintelligence is about manipulating what the enemy sees about what we’re up to. It’s denying their collection apparatus. It’s misinformation in some cases for their intelligence collection activities. That is categorically the distinction. There’s more nuance there but at a high level, at least that separates the two fields.
You nailed it, which is perfect. Taking that from your history, you are boots on the ground. You are not the guy that has been sitting back in San Diego. There are no aspersions on them but you have been there in the field. You are a bloodied combat veteran. When you apply your experience to what is happening in the world of security when you were looking at attackers and how you would defend your client’s house and advise people to defend their houses, what can you bring from your field experience to them with regard to strategy, approach, and mindset? Pick all the words that I have not added to that list.
There are a few things that come to mind. First, the approach to training and simulation is pretty robust in the military. There are a lot of expressions that you may have heard, or maybe some of your audience hasn’t but, “The more you sweat and train, the less you bleed on the battlefield,” is one of those that highlight the fervor or the credibility of the training.
That translates well to our training approach in making it rigorous and demanding, ideally beyond anything that somebody might experience in real life because you would rather over prepare when the bullets are flying than wonder what to do. Building that digital or keyboard muscle memory is important and something that we tend to bring to the equation. Maybe a derivative of that first point is the depth and complexity of the training are reliant on multiple simultaneous dilemmas.
If we think about cyber as a standalone problem, we get our runbook, do our checklists, and solve cyber. That’s awesome if that’s the only thing going on but how many times is that the only thing going on in real life? If you do a tabletop in isolation, when the quarterly reports are due and all the email is piling up from the person who you’re trying to get ahold of and need a quick response to, and they’re out of the office for half an hour or whatever it is, these things tend to compound when they hit reality.
No plan survives first contact with the enemy or with reality. That’s another military truism that comes to mind here. There are those plans that we see in corporations and even government agencies. If they haven’t stood up to robust trials, namely multiple simultaneous dilemmas where there are a bunch of crises going on, and cyber is one of them, that compounds the rest or creates a fog where you don’t understand what the actual problem is.
That’s much more realistic than probably a lot of folks consider when they go through their training or when they bring their people through the paces. It’s maybe a bit of a derivative of the first response. In the fervor of the training, it’s also the depth and complexity of the training and simulations that we try to create. One more thing that comes to mind with that is the differentiation between types of threat. As a counterintelligence officer, the idea of an insider threat is tremendously top of mind.
There are witting and unwitting insider threats but ultimately, if you don’t have a healthy security culture that is trusting but verifying, then you have a dysfunctional organization that breeds this misfortune of having not just the unwitting phishing clicker but also somebody who preys upon that to get adversarial intelligence from your organization, whether it’s IP theft or even something more malicious working on behalf of an adversarial government or something.
Depending on the firm or the organization, these may or may not be actual things but in a lot of cases, we see organizations you would never think of becoming proxies for information retrieval as a third-party conduit or an attack vector to a critical target. A company can be pretty locked down but what about their bolt supplier and so on? We see this through the cybersecurity maturity model. There are concerns that haven’t been fully promulgated through all industries yet but certainly, the military has those concerns.
First off, congratulations for using promulgated naturally in a sentence. That’s amazing. I know it’s a cliché. Everyone is like, “Consider this your official invitation to come back.” You made vague references to the SBOM and the DBoM. We didn’t even get to any of that sort of thing. We barely talked about insider threats, which is supposed to be the overwhelming thread that we go through all of this stuff. Unfortunately, we’re coming up on time. Talk a little bit about you. Let’s go to the leadership corner. What’s on your playlist? What are you reading? What are you listening to? Take us inside your home.
I’ve got a couple of books on my desk. The Centaur’s Dilemma is one of those, which is about the law.
You’re the third person who has referenced The Centaur’s Dilemma.
I’m looking at it because I was talking about it earlier. That’s one certainly on my professional reading list but on the personal side, I’m enthusiastic about my faith. The Imitation of Christ is on the reading list and a few others in that vein. That tends to take most of my pleasure reading time, which also has a professional benefit because who doesn’t want to work for a more virtuous person or with a more virtuous person?
The things that get you going are the things that get you going. That’s the key. There are no aspersions cast on anybody for any reason.
That’s on my reading list. For my playlist, I’ve been getting into New Orleans jazz and funk a bit more.
Come on now. Lay it on me. You can’t say that randomly. Give me some band names. Let people click on stuff.
I couldn’t even do that because my kids make fun of me. I put on the Pandora radio station.
You’re cooler than your kids are by definition because they’re kids.
They’re at that age where I’m less cool day by day.
We’re cooler than they are.
That’s what I’ve been listening to but in the car, I’ll throw on Christian rock or talk radio. That’s not the most exciting thing but I enjoy it a lot. That’s exciting to me. What else was on your list?
Are you cooking? Are you gardening? Do you ride bicycles or motorcycles? Do you go out and do yoga? What’s your thing?
My wife’s thing is more of yoga. I ride a motorcycle. Do you know what I do as a hobby? I work because I’ve got my academic career right where I’m doing regular professor stuff and also this training mission where we do workforce development. That’s a full-time job. I’ve got Military Reserve duty. That sucks up a lot of time. I’ve got a pile of kids. I’ve got five kids. We had a newborn.
With a pile of kids plus being in the Reserve, you don’t have a lot of time for hobbies. That’s okay to be like, “My man doesn’t have a whole lot of extra hours in the day.”
My hobbies are being a dad and trying to be a better man.
You could have opened with that. That’s where we go.
That’s the summary of the whole bit by bit.
Let’s segue from that into shameless plugs. As you are being a better man, people who are wanting to find a better man to perhaps follow that path. If people are looking for you if you are making appearances, are you writing? Are there blogs? If you want to talk about what’s happening with RIT or anything like that, please be shameless. I know that you are not a man of ego. Now is your moment to flex. Tell people where to go to get cool stuff.
I wrote a bit in The Conversation about the Ukrainian invasion and Russian use of cyber during the early part of that invasion. That’s the most recent public work. I’ve got a couple of academic papers published too. We’ve got a boot camp cohort coming up on September 12th, 2022. We’re starting it and then another one in October. Folks can check out our website and apply to be considered for that career launchpad. Last but not least, I’ll be speaking at Rochester Security Summit in October 2022 about some training that we did for Standard & Poor’s, the rating agency looking to get a common playbook on what is cyber risk and how we measure it. There you go.
I need everybody to understand that Justin is incapable of being shameless on this.
That’s not true. I wish it were true, Matt.
The way that you described this is, “Some work we did for Standard & Poor’s.” RIT is a massively important organization in the process of cybersecurity. Standard & Poor’s is one of the most important organizations in the financial industry in the world. That’s pretty cool.
It is cool to be a part of it.
Maybe let me stand in front of you and start yelling about all of these sorts of things. What about you and RIT’s websites, social media, or anything? If they could find where you’re going, where should they go?
Rochester Institute of Technology is RIT.edu/cybersecurity. That’s probably the quickest way to get to all the things that I talked about. We will blast out publications. It’s not just me. There’s a whole team and anybody that publishes or is a part of the media. You get a little blurb there and also our registrations and applications for our training programs. Learn more about our testing services, education portfolio, and so on. It’s a blessing.
Justin, thank you so much. We barely talked about anything we were supposed to talk about because we talked about some topics that are too important to not talk about. Let’s make sure that we keep going on those things. Come back.
Thanks so much. It has been a fun time. I enjoyed it. I appreciate the invite. I look forward to speaking again soon.
We’re going to get loose and weird but until then, that is it. Thank you, everyone, for joining us on the show. For more information on all that’s good in the world of cybersecurity, make sure that you check us out. Find us on LinkedIn and Facebook, as well as ElevateSecurity.com.
You could find me @PackMatt73 across all of the socials. You have to subscribe, rate, review, and give us five stars because if you don’t, you’re a hater because we’ve got guys like Justin taking time out of his day. Are you kidding me? Where are you going to get this stuff anywhere else? We will see you next time.
Important Links
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Justin Pelletier
- Global Cybersecurity Institute
- Collegiate Penetration Testing Competition
- President’s Cup
- National Technical Institute for the Deaf
- Lockheed
- Rochester Security Summit
- Standard & Poor’s
- The Centaur’s Dilemma
- The Imitation of Christ
- InSecurity Podcast
- Black Hat
- @PackMatt73
About Justin Pelletier
Justin Pelletier is the Director of the Cyber Range and Training Center in RIT’s Global Cybersecurity Institute. As a component of this work, he trains and leads student teams to perform security assessments for partner organizations. He also oversees cybersecurity competitions that bring together the top cyber talent from across the globe.
As a Professor of Practice in the Department of Computing Security, Dr. Pelletier teaches at the undergraduate and graduate levels and helped to bring the Hacking for Defense initiative to RIT. He holds a PhD in Information Assurance and Security, an MBA in Entrepreneurship, and a BS in Computer Science. He is also a combat veteran and currently serves as a Major in the U.S. Army Reserve.