David Fraley on cybersecurity policy, running a cybersecurity community on Discord, and more...

David Fraley has been an information security analyst for quite some time. He’s also passionate about TCM Security. We had a great chat recently.

Crawley: Please tell me a bit about your job and how you entered cybersecurity?

Fraley: I wear many hats in my job. My responsibilities range from closing out alerts from our various alerting platforms to writing policy and optimizing cybersecurity processes. I'm transitioning into a team lead role, so I'm focusing on supporting my team members with their projects and providing them with the necessary knowledge and training to excel in their roles.

My path into cybersecurity is quite interesting. I started in helpdesk, but quickly realized it wasn't the career path I wanted. I discovered that my college offered a cybersecurity program, so I enrolled. After graduating with an associate's degree in information assurance and security, I was laid off for two months due to the pandemic. It was during this time that I discovered my passion for cybersecurity. I imagine many people, when faced with a two-month layoff, would spend their time relaxing or playing video games. Perhaps I'm wrong, but after two weeks of gaming, I felt a strong urge to learn something new and develop my skills.

That's when I discovered TCM Security and Heath Adams, along with their Practical Ethical Hacker course. Given my cybersecurity degree, taking the course seemed like the logical next step. About halfway through, I became incredibly eager to learn as much as possible about cybersecurity. I began connecting with influential people on Twitter and LinkedIn, interacting with them and gradually building my network of cybersecurity colleagues, many of whom I'm still friends with today. I also decided to create a cybersecurity Discord server, which allowed me to both learn from others and teach those looking to enter the field.

My approach to learning cybersecurity was to become a "yes man." I embraced every opportunity that came my way, regardless of how daunting it seemed. I knew I might fail or make mistakes, but my primary focus was learning. A friend, Tyrone Wilson, gifted me a course from his company, Cover 6 Solutions. The course covered both offensive and defensive security concepts. This was just one of the many opportunities I received as a result of networking and putting myself out there. I was initially terrified of the course, feeling undeserving and fearing I would make a fool of myself. While that may have happened to some degree, the course proved invaluable.

Today, I'm a co-founder and administrator of the popular cybersecurity Discord server, Republic of Hackers. I have a strong network of fellow cybersecurity enthusiasts and professionals. My first cybersecurity job offer came through this very network. Because of the opportunities and support I received, I'm committed to paying it forward by mentoring others trying to break into the industry. Much of this mentorship happens on the Republic of Hackers Discord server, where we've helped users secure jobs, excel in interviews, pass certifications, and learn new security concepts.

Crawley: That's amazing, David. Does Republic of Hackers get a lot of new people joining? What advice would you give someone who wants to start a cybersecurity community?

Fraley: We definitely used to! A lot of our admins started getting new jobs or new roles that required more of their time, so less could be dedicated to RoH, but I’ve been trying to turn that around and invite more people on, create more events to draw people in, and just generate more activity on the server.

My advice to anybody wanting to start a cybersecurity community is to just do it. Don’t worry about whether you have enough expertise or knowledge in cybersecurity to start one up. What you know and what you have experience in, someone else might not. Someone who joins the server might have more experience than you, and that’s just an opportunity for you to learn something from them.

Crawley: What should a company do if they've never had cybersecurity policies before?

Fraley: In my opinion, there are a number of things that they could do. They could reach out to a consultant to help them develop some cybersecurity policies. If the company has the money, they could bring on an MSSP to help them build out their cybersecurity program. Heck, even getting audits done will show you what policies you need to create and enforce.

Crawley: Should they feel like they need to start from standards and guidelines like the NIST CSF or ISO 27001? How could they determine which frameworks may be helpful for them?

Fraley: I think the best framework to work towards would be NIST CSF, especially if you aren't working with international customers or organizations. That would be when ISO 27001 would come more into play. I also think, before starting to work towards NIST CSF, it would be ideal to do a risk assessment. Figure out where your weak points are, build out policies and processes to strengthen your security posture, and then start working towards NIST CSF. Also, NIST doesn't require certifications or audits, so it's a little more flexible and less intimidating for your organization. Once your company matures a little more, security-wise, moving towards ISO 27001 would be the next best step.

Crawley: Here's another controversial topic. What do you think of the cybersecurity skills gap that industry influencers keep talking about?

Fraley: I heard that there was a study that some university did that stated critical thinking actually decreased when using AI, and while I definitely think there's a possibility of that, I also feel like you learn stuff using AI. I personally feel like it’s the best research tool that you can have. If you don’t know something, you just ask AI and, for the most part, it will generate a logical response. Obviously, you always run the chance that the responses you get are incorrect, but for the most part I think it’s decent at giving you legitimate answers.

With regards to the skills gap that keeps getting talked about, I do think that there is a gap, but I think it’s because we don’t necessarily know how to go about properly filling it. I’ll be the first one to say that I don’t always pay attention to what some of the influencers say, because when it comes to watching podcasts or something on these topics, I just don’t have time to spend listening to them. But say, for instance, that there is a shortage of people working on industrial control systems. How do you go about understanding those types of systems or how to work on them, when a lot of the different certifications that you can go for, or platforms that you can learn stuff on, do not cover that stuff?

So you have the knowledge gap there, but how do you go about filling it? To my knowledge, there are no platforms that train you up in understanding how to work with those types of sensitive systems. I think it’s just something that we as an industry need to get better at, and develop programs and platforms where people can really learn and test their knowledge in those areas.