Building Cyber Resilience: The Power of Essential Skills in the Hiring Equation | Navigator Series

By: Alana Walker
April 19, 2024
Estimated reading time: 45 minutes.

Note: This episode of the Navigator is better if heard. If you are able, we encourage you to listen to the audio as the text may contain errors due to the hard-to-follow nature of a complex discussion. The transcript was generated using a mix of speech recognition software and human editors, and can only be edited to a certain degree without losing the nature and the meaning of the conversation. Please check the audio before quoting in print.

Welcome to the Navigator Series presented by Lighthouse Labs. In this episode, CEO Jeremy Shaki sits down with two cybersecurity experts, George Al-Koura, CISO at Ruby and Dominic Vogel, President of Vogel Leadership and Coaching. They discuss entrepreneurship, the importance of investing in junior and cyber-adjacent talent to fill gaps, the value of gaining hands-on experience, and why a non-traditional tech career path isn’t so out of the ordinary. Enjoy. Or listen to the podcast.

00:00:00:03 - 00:00:25:05 Jeremy: Hi, my name is Jeremy Shaki, co-founder and CEO of Lighthouse Labs. And I'd like to welcome you to the Navigator Series: a series of panels featuring leaders in cybersecurity and data from across Canada discussing their tech journey, what's impacting the current job market, and what to expect from the future of work. Today's session is titled Building Cyber Resilience: The Power of Essential Skills in the Hiring Equation. 00:00:25:07 - 00:01:04:14 And we'll be discussing what it takes to succeed in the ever-evolving world of cybersecurity, as well as what does Canada need from its labor force in order to protect and defend its most critical assets? So without further ado, let's dive in. Jeremy: Hello, everyone.
I'm lucky to be joined here by two incredible leaders from the Canadian tech scene to my immediate left, George Al-Koura, Chief Information Security Officer for Ruby. 00:01:04:15 - 00:01:29:08 Welcome, George. And joining George is Dominic Vogel, president of Vogel Leadership and Coaching. Welcome Dominic. Dominic: Thank you for having me. Jeremy: Like that you named the company after yourself. It's bold. Very nice. I like it. Well, I'm very excited to get into this with both of you today. Let's go talk to me a little bit, George, about how you got into cybersecurity, a little about your journey, maybe the first job you did within the space. 00:01:29:08 - 00:01:50:15 I'll let you start. George: I got into it by accident. I really had no prior formal education, anything to do with cyber before I got in. I was a career soldier before this around 2015, 2016. I kind of didn't really want to do that anymore. Like full time. I started to think, Well, maybe I can try something in business. 00:01:50:15 - 00:02:12:03 And I tried a couple of small businesses and I had a couple of startups with varying success and I fell flat on my face, ultimately with all of them (which is apparently par for the course for most founders). Jeremy: It’s called entrepreneurship, I'm pretty sure. George: That's pretty cool. Right on. So, you know, you go through that rush of a big contract and then that famine of, you know, if you haven't made money in a month, then you got to pay bills and that sucks. 00:02:12:05 - 00:02:31:12 Eventually, a friend who I'd worked with in the Army for a long time hooked me up in an interview at the global SOC that he worked at. It was a big consulting firm and I was like, “I don’t know, man. Like, I don't have a background for this.” Like, I understood the analysis because I had previously been in like intelligence roles in the Army. 00:02:31:12 - 00:02:51:03 So I understood security. 
But in terms of just cyber stuff, I was really lucky that I had a manager or that the manager of the SOC at that time wasn't really caring about people with certifications, didn't really care about people with formal education in cyber. He cared about, “Can you solve the problems? Are you a curious person? Are you a good team player?” 00:02:51:05 - 00:03:19:03 So based on those parameters, I got through the job interview. I landed my first job as a SOC analyst, and then from there it's kind of hard to put into words how fast I rose up through the ranks in this whole thing. I went from junior level SOC analyst working a 24 seven shift type job as part of a large team to, you know, within two months I had gotten put onto a special project. 00:03:19:05 - 00:03:43:20 Eventually I became a senior consultant within a year. I specialize in threat intelligence and I didn't even know CTI was a thing when I started. But eventually, as I got into the field and I was like, Well, you know what? Analyzing packets is great, but there's other interesting things out there too. I did have that entrepreneurial spirit, which I found benefited me greatly because I ended up looking through all sorts of different contracts to understand how the business operated. 00:03:43:20 - 00:04:05:18 But then I saw opportunities for growth within that contract review. From there, I managed to get a shot at running my first managed service. So I built that, you know, within two years I had taken that to two over a 1.2 million in new revenue for the companies. They were super happy. And then I ended up getting on to some government boards where there, you know, those public-private boards kind of thing. 00:04:05:18 - 00:04:22:18 So you build a profile. I kind of learn how things work nationally. I ended up getting my first shot as a director, running an entire cyber practice at one of the oldest military defense contractors in the country within under four years. 
So I went from junior analyst to director in under four years. CISO the year after that. Jeremy: Wow. 00:04:22:20 - 00:04:46:08 George: And now you know, I did my time in the defense industrial space and that's great. I saw a really cool opportunity in online dating and I saw an opportunity to work in Toronto. So here I am at Ruby. Jeremy: That's amazing. And what do you do? Ruby Just giving everybody a sense of what that role is. George: So I'm the head of information security, which means ultimately anything security related boils down to me and my accountability. 00:04:46:10 - 00:05:06:10 I run a fairly decent sized team, fairly substantial budget as well. The company, you know, they had a major event last decade. And so the security culture at the organization is very, very good. I'm not saying they're having to explain why I'm asking you to do certain things, but I am having to explain the ROI of why we should do it now. 00:05:06:12 - 00:05:31:07 So that's probably been the enjoyable part of the experience. Running different teams as a senior executive when you're still relatively new in the industry, like I'm under a decade in the industry trying to run a very diverse team that has a SOC team to it. I have an application security team of an architecture team, I have a programs team and we're part of a very, very integrated CICD pipeline like we do our own software development life cycle there. 00:05:31:07 - 00:05:48:11 So understanding secure software development, when I'm coming from a pure security operations world. All that is to say I run all the things security, but really my job is a head coach, a maestro of an orchestra, of high performance specialists who are much smarter than me at what they do. Jeremy: You must be learning every day. 00:05:48:14 - 00:06:04:16 George: Every day. Jeremy: Nice. Nice. Dominic, let me follow up with that and say, give me a little bit about your career path. 
You had some really interesting moments, kind of take place, some seminal moments for you kind of moving into cyber. Dominic: Yeah. I mean, I'm a sucker for a good origin story. I love George's origin story. 00:06:04:16 - 00:06:32:05 But for me, my dad is retired now, but he was a high school teacher for a long time in East Vancouver. And I knew I wanted to do something with technology but wasn't quite sure what. So in grade 11, maybe in grade 12, I can’t quite remember, my dad brought home this huge stack of IT magazines or mainly Microsoft magazines because, you know, being in charge of computer science there at the high school, he would get all these free magazines and he says, “There’s got to be something here.” 00:06:32:05 - 00:06:47:04 Then he just dropped them on the front of my bag and I was like alright. So I just spent the next few hours going through them. And they were all like, some were really tacky. Some were talking about, here's how to do this, you know, school thing here. And it was really too hands-on from a code perspective for me. 00:06:47:04 - 00:07:04:15 And I've never really been a code guy. So I kept sifting through and at one point I got frustrated and the pile fell over. And almost by magic, this magazine popped up and I looked at it and I said, Well, what does that say? It says Information Security Magazine. And I was like, What in God's green earth is information security? 00:07:04:15 - 00:07:29:06 I'd never heard the term before, So I picked it up, looked at it, read it, cover to cover, and I was just blown away by it because to me it was a mix of technology, people, risk, you know, using business lingo, business language. I thought, this is so interesting, this is what I'm going to do. And I thought, okay, well, I was already early to say I was going to do computer science at Simon Fraser University out in Vancouver. 00:07:29:08 - 00:07:48:13 And I thought, okay, I'm going to learn about information security there. 
And so I went there. I did my four year degree and the word information security was mentioned once, and I was by myself during a class when I said, no, you skipped over the information security part of the textbook. And the professor said, that's because no one really teaches that, right. 00:07:48:15 - 00:08:11:13 So I finally almost 20 years later, they're still not really doing that in many comp-sec four degrees. But that's a separate tirade. But so I decided I was going to study that on my own. I got my COMPTIA+ certification. I just absorbed and read as much as I could. I just soaked it all up and I thought, No, I'm going to apply for information. 00:08:11:15 - 00:08:30:20 For an information security job. And this is back before it was called cybersecurity, cybersecurity became the sexier name. I don't think anyone really calls it information security anymore. And I just applied, applied, applied. And no one's going to give me a chance. So for six, eight months, my mum was constantly on my case, all wanting to be a do this, do this, do that. 00:08:30:20 - 00:08:49:16 I was like, No, no, no, this is real. I can feel this is going to be something. I'm going to do this and finally one day someone took a chance on me. She said, I love the moxie. I love how you self-taught yourself all this stuff. I’m going to pay you crap, but the job's yours. 00:08:49:17 - 00:09:07:04 I was like, I still live at home, so great. Yeah, let's do it. And that was the job that launched my career. Jeremy: What was the job? Dominic: It was a junior cyber security analyst role for a large logistics company out in Vancouver. At that time, it was an opportunity to move very quickly as it still is in the industry. 00:09:07:06 - 00:09:23:18 I ended up going into a spell with a consulting company and I saw sort of how the sausage was made with consulting companies, as I swore off never to work for them again. 
And to this day I have a huge disdain for them and I don't think any of the Big 4 are sponsoring this. So I’ll just piss all over them. 00:09:23:20 - 00:09:44:17 Jeremy: Speaks for himself. Dominic: Yeah. Then my last corporate stint brought me to the financial services industry, I worked for a large credit union. I think it was kind of the second or third largest credit union by asset size at the time. I quickly became in charge of cybersecurity. Even though they were too cheap, they actually gave me the actual CISO title. 00:09:44:17 - 00:10:05:07 I was pretty much the de facto CISO and I worked under very toxic leadership there. The messages that I would try to convey to the board were not translated. I wasn't allowed to talk to the board because they felt that I was being too gloom and doom, but they would paint rainbows kind of stuff and it was just very, very toxic. 00:10:05:07 - 00:10:28:12 And it left me basically burnt out, became a shell of myself and my wake up call was that my wife said, “I don't even recognize you anymore.” You come home miserable, you're jaded or cynical. And I wish I said, “Is there anything else?” Which was obviously a very cynical comment. And so and and I, I just took a long look at myself in the mirror and I thought, this isn't who I want to be. 00:10:28:13 - 00:10:50:09 I felt like there were two versions of me. There was work me, who I absolutely despised. And then there was the real me who I tolerate most days. And, you know, one day I just sort of I just broke. I said, I can't do this anymore. I guess they kept telling me how to look, how to shave, they weren’t fans of the, you know, I'm a bushy beard. 00:10:50:11 - 00:11:07:14 My breaking point was I got a speaking engagement and I was representing the company and I appeared on TV as well. And they said, We don't like the language you're using. It's unbecoming of the credit union. And they said, You're not doing enough to sell the correct services. 
I said, I'm talking about a hacking incident. I just dropped it in, 00:11:07:19 - 00:11:36:11 and by the way, our TFSA account is a really big deal right now. And corporate broke me. And then ten years ago I became an entrepreneur. I fell into that, knew nothing about being an entrepreneur. I had no desire to ever be an entrepreneur. I spent the past ten years building a virtual CISO company with a business partner, wind up going on divergent paths, and now I'm a solopreneur doing small CISO work for small and mid-sized organizations across the country and doing coaching work for I.T. leaders as well. 00:11:36:11 - 00:11:53:18 Jeremy: What an incredible story. You both have pretty amazing stories. And I mean, I know you said entrepreneurship, you know, you never had an interest in entrepreneurship, but both of your stories very much have the foundations of an entrepreneur who has to kind of get through. I mean, you both have somebody who gave you a shot, which is very nice to see. 00:11:53:18 - 00:12:10:10 I do have one very important question amongst all of that. Did your mom take credit for everything you did? Dominic: All these years later? When I was living in Vancouver, it's not cheap, especially raising a family in Vancouver. And she always says, I'm so proud. I'm so glad you went to this field. 00:12:10:10 - 00:12:26:22 I pushed you to do it. And no you didn’t? You didn’t. And so don't take credit for it. You’re a good mama. Don't take credit for that. Jeremy: I like it. I like it. So I mean, both of you kind of went through a big gamut and you've obviously hit some really interesting peaks in your career. 00:12:26:22 - 00:12:49:07 You're still moving forward and still, like you said, learning a lot as you go along, reflecting on the first job that you did; are there skills that you took from that first job that are still very critical skills? Or as you've kind of evolved in your career, has that skill set completely changed? 
Especially because we're talking, you know, a few years back without dating anybody. 00:12:49:07 - 00:13:06:06 Just what those skills were then and now. Talk to me a little about the skills you took for your first job. Dominic: Yeah, I mean, I was very technical early on. Like that was everything even though that technology is obviously very outdated now. But it was very, very technical. I was all hands on glass and that type of thing. 00:13:06:06 - 00:13:30:02 And the thing that I took away from my first job was that my manager afforded me the opportunity to embed myself in the rest of the organization. So it allowed me to have conversations with people in marketing, communications, and executives. The communication skills I learned basically by baptism by fire, and how to communicate to non-technical people - that became my greatest strength all these years later. 00:13:30:02 - 00:13:55:07 And this, I believe, is my calling card when I do the work that I do. I am able to be that conduit, that translator. And that's something that carries on from that. They're looking at me. Jeremy: I like that. How about you, George? George: It's kind of tough because I, you know, I spend time in the SOC, but my job is so much more than just being a SOC analyst because, you know, every opportunity to get a different experience within the organization, I took it. 00:13:55:09 - 00:14:21:20 So if they need a technical specialist to join a sales call to be able to answer questions, happily took it. If they needed someone to come in and help on an architecture meeting, I happily took it. And even though my knowledge of understanding how networks were properly architected at the time was still like in its infancy, you know, I just needed to understand the process of how business actually does this stuff. 00:14:21:22 - 00:14:41:11 Having the opportunity to understand the business of cybersecurity while actively working as an operator, I think it's not just one specific skill. 
It gave me a toolbox. And that toolbox helped me figure out how to get the most out of my career, regardless of the phase I was at. So I guess adaptability would be the biggest thing. Jeremy: Nice. 00:14:41:13 - 00:15:01:08 I mean, you know, and it it's not surprising to me then both you coming from these - interesting I wouldn't you know, Dominic your yours could be called the traditional path - but I could call it very untraditional in terms of first of all, you started very early and it wasn't when a lot of people were doing it. Then second of all, you've kind of had to navigate the different environments and the different places all the way to entrepreneurship. 00:15:01:08 - 00:15:22:11 And you're both pretty big believers in what matters. What kind of skills really matter for someone entering the field. Talk to me a little bit about what you see as essential skills for individuals coming into these roles these days. And right now, you know, you have a military background so it would be very easy for people to just naturally go: “Military background to cyber. 00:15:22:11 - 00:15:38:22 That's why it worked.” But then you kind of explained what it took to actually do it and why someone took a chance on you. Talk to me a little bit on your end, George, about what essential skills are kind of critical for people coming into the field. George: So I'll tell you what the military advantage is, right? It's discipline and reliability. 00:15:39:00 - 00:16:01:03 That's why people like ex-soldiers, is that they know they can be put through a program where there's an expected result. You put the goal path in front of them. You enabled them on how to do it. They'll usually give it to you. Right. What it took to actually kind of stick within the process, though, is you have to be willing to fail. 00:16:01:04 - 00:16:36:02 Basically. You have to be willing to fall flat on your face. And I think that's kind of an important thing. 
And then, you know, whether you're an ex-soldier or whether you used to be a teacher or whether you, you know, the countless other fields are converted into our industry, really, it's about kind of understanding your own strengths, understanding where your own opportunities for growth are. And then figuring out, you know, based on what your current role is in the field, if you can get that role or what your desired job is, how do I profit the most off my strengths while giving myself the opportunities to build on, I don’t want 00:16:36:02 - 00:17:00:22 to call them weaknesses, but your challenge areas, right? And if you can figure out that formula, you're going to set yourself up for a really fun, successful ride in this career. Jeremy: Like that. How about you, Dominic? Dominic: Yeah, I mean, while we’re on the topic of essential skills. I mean, George nailed all of them. I mean, to me, the additional ones, I think are really focused on the ability to just want to seek the unknown out. 00:17:01:00 - 00:17:24:09 People who have that natural curiosity or are tenacious, might have that tenacity to be given a problem - like you're saying, given power, give them the parameters and have them go figure it out. Stuff like that. You can't easily teach, you know, and it's whatever you want, call it intrinsic motivation, internal fire, something that gives people a get up and go type attitude. 00:17:24:10 - 00:17:45:03 That to me is one of the core essential skills. The other one, which I’ll say, depending on what career path you want to go down in cybersecurity, is the ability to be relatable. To be able to connect, to be able to think, especially if you have aspirations of becoming a CISO. So if you just want to, you know, be focused on more technical piece, that's fine. 00:17:45:03 - 00:18:08:16 Not everyone likes to talk with other people. I get that. I mean, I try not to talk to my mother in law, but I still do most days - George: - Don’t put that on film. 
Dominic: Yeah, yeah, “Hi”, yeah. And the, but the ability to be a communicator on someone else's term, through an empathetic lens as well. So many traditionally, I'd say, so many security communicators. 00:18:08:20 - 00:18:37:05 Again, we fall back on the tech talk, we fall back on the acronyms and most executives don't like to appear dumb or feel dumb in front of their tech people or the screen team. So what you end up having is what I refer to as nodding syndrome, where, you know, you'll I've seen it play out so many times where you have a CISO or security director talking about here's what got blocked at the firewall, here's all these different security technologies and IPsec, all these different acronyms and you should see you see all the nods head 00:18:37:07 - 00:18:56:21 Yeah, that was good. Yeah, sure. That's nodding syndrome, right? So what to me, essential skill, the ability to communicate, to connect, actually get that level of conversation going with the executive. So you have to talk. Having a meaningful discussion about cybersecurity and not just a sort of checkbox approach to security, which is what we've struggled with for many years. 00:18:57:01 - 00:19:16:11 Jeremy: I'm so interested in that. Those points, because I feel like they're repeated actually more and more that those communication skills, the way you talk about that stuff, the way you think about it, what’s actually quite critical in these fields is not what people think about when they think about what's important in cybersecurity. It's not naturally what they think about. 00:19:16:13 - 00:19:46:02 I think we can separate the conversation right away into two major areas, which is like, what do companies and employers need to do better? And I know, Dominic, on your end, you do a lot of coaching on exactly that side. 
But before I get there, you know, George, you're a you're a fan of the hot takes, you're a fan of the big the big topics, you know, And so one of the ones that I've heard you say is whether you believe that someone who's come in like 18 to 20 is taking their first job coming right into this field, and you're not sure that that's a good idea. 00:19:46:08 - 00:20:01:14 And I have to imagine it has something to do with some of these essential skills and the kind of things we're talking about. You want to talk us through a little bit about how you think about that and why? Because I know we've had that conversation. It's a mistake to think about that from your perspective as gatekeeping. 00:20:01:14 - 00:20:21:14 There is more to it. And so talk a little about how you feel about that. George: So I have to tell you, first of all, I am a veteran. I'm in cyber as a CISO. I am the saltiest oldest young man you'll ever meet. So I need to understand that. The other thing is I just think that if people, and Jeremy, we talked about this and you had a really good point as well. 00:20:21:16 - 00:20:45:03 People need to have a little bit of career experience generally to understand how business works, how organizations function, how to get the most out of an organization, how to contribute the most to an organization before going into cyber. Like pure cyber skills, whether you want to be an operator or whether you want to be an architect, whether you want to be a DFOR guy like doing forensics, whatever the role is that you want to do. 00:20:45:04 - 00:21:17:11 And even sales people as well actually speak the non-technical side. I think if you have that experience or background of having worked in another place, you've been part of a team, you understand how team culture is, you understand what quotas are, you understand having deliverables and working through that stress and stuff. 
When you enter into the cyber world, which in and of itself is a massive learning challenge, if you're new to it, you have the core foundational skill sets to still deliver value for an organization while you ramp up into your, we'll say, career maturity for the role you've been brought into. 00:21:17:12 - 00:21:45:04 Whereas if you don't have that kind of previous career background and you're young and you're completely green and inexperienced, plus you're inexperienced in cyber, if you somehow get in a job doing a junior role within the thing, you will likely be the first person that's clipped because you don't have the necessary institutional or corporate background to survive, to kind of feel out where you can still provide value even during, let's say, you know, budgetary readjustments or reorganizations. 00:21:45:06 - 00:22:01:19 If you don't understand the game that you're playing and in this case we're talking about, say, the field, right? I'm an athlete, love playing sports. If I love playing football, but I have no clue what the lines on the field mean. I'm probably not going to be that good no matter how well I throw a run. It's the same thing applies in cyber, right? 00:22:01:19 - 00:22:31:12 Like I might understand code, I might understand programming, I might understand analytics or certain toolsets, but if I don't understand my employee organization, if I don't understand my clients, if I don't understand the customers, if I don't understand what the shareholders and stakeholders want, all the technical skills in the world are absolutely useless. So I think when you see young folks who want to come straight out of school with no work experience and like the professional world and then try to find success in the cyber world, I'm not saying it's impossible. 00:22:31:17 - 00:22:56:04 It's a statistical outlier because they just don't have the foundation to actually play the game at the right level. 
Jeremy: And you've kind of definitely, you know, like you've mentioned getting in hot water and not, but the idea that there's a “prove it model” to this for people coming into the field. You're a big believer in you need to see people prove it, which I'd have to imagine, 00:22:56:04 - 00:23:18:18 Then you believe in people getting jobs to prove it. How do you see that? Like talk about that a little bit. George: So it depends on the type of process, right? If you're running a normal, standard process where there isn't an internship or a build up time, you're just hiring for the role. Part of that, especially if it's a junior or intermediate role and you're accepting kind of quote unquote junior level applicants. 00:23:18:20 - 00:23:45:07 They have to demonstrate their practical ability to deliver on the tasks or the types of tasks that you're going to ask them to. So having some basic testing or some basic live sessions where they have to actually track a problem while being assessed by either yourself or some folks on your team, I think that's really important because it automatically helps build trust between the folks you work with and this new candidate who's going to join your team. Like you want them to be not so much of an unknown resource when they join your team. 00:23:45:07 - 00:24:00:16 You want your team to be hyped up and excited to work with this individual, but if they don't know what they can do or can't do, then they just become a question mark and everyone spends their whole time there wondering, “Should I really trust this person? Can I rely on them?” 00:24:00:18 - 00:24:21:00 Whereas if you build practical exercises and they demonstrate their skills and then, you know, let's say you have a team based phase with most people I know, they run the individual interviews and there's a team interview and then an exec interview at the team base phase. 
The team can actually then really throw hypotheticals at that candidate where they can start building the trust with them. 00:24:21:00 - 00:24:43:03 Because I'm not going to lie to you, every CISO executive does things our own way. When I'm doing evaluations, I turn to my team leads and the members of my team and I ask them, “Did you like this person? Should we bring them on?” Even if I really like them? If my team doesn't like them, they're not getting in. Jeremy: I really like the nuance behind what it takes to trust somebody in the space, and then you kind of flip it on the other side and you're going, “Listen, see?” 00:24:43:03 - 00:24:58:23 So is doing it all wrong generally and not thinking about it, at which point I can kind of move to you, Dominic, and go like, know your role is dealing with a lot of coaching, but you're not coaching like you do a lot of coaching in juniors and people coming in, but you're coaching organizations in how to do this better, right? 00:24:58:23 - 00:25:20:00 And so talk to me a little about how you see that and how you do that. Dominic: For sure. And my niche with coaching is coaching public sector organizations and those that struggle to get top talent. So the goal there is to get the most of the talent that you have while they're there, you know, and to me part of that is being able to coach them, to nurture them, to empower them, right. 00:25:20:00 - 00:25:39:00 Even if they're just sort of a passing star in the night sky. You need to bottle that for as long as you can because they can't compete with private sector salaries or what have you. And, you know, to give an example, it was a client of mine, their institution in the northern part of British Columbia. 00:25:39:01 - 00:25:56:10 And I helped them build out their security teams when I started with a CIO who brought me in and they did not have a security program. 
There was no dedicated security function, a bunch of people were doing it off the side of their desk and one of the first things that we did was look at, okay, well, what can we do in terms of a first hire? 00:25:56:11 - 00:26:16:20 Our first security analyst and, you know, posted it externally as just two or 300 people applied, which was shocking. But the majority of them didn't realize that as part of northern B.C, it was nowhere near Vancouver. They thought they were going to Vancouver. Jeremy: They're thinking in northern Vancouver. Dominic: Yeah, yeah, yeah. 18 hour drive on a good day kind of thing. 00:26:16:22 - 00:26:46:19 Attracting talent there, very hard. The talent pool there, already very small. It gets even smaller when you talk about cybersecurity talent. So the obvious equation there became, well, let's look internally. There was one person who was on their I.T. help desk team who had been there two years, understood what the organization did, and had good organizational knowledge already. And he demonstrated he really liked cybersecurity and he volunteered to help out our team with security projects. 00:26:46:21 - 00:27:15:20 So we brought him in, we interviewed him and it was just incredible. And here we are a year later and now we're playing for him within the year or within this year to be the more senior role to focus more of the strategic functions. And also there's another junior person they just hired about six months ago, and now he has shown a tremendous value, tremendous interest, I should say, in terms of bringing him to now backfill the security, the junior role. 00:27:15:21 - 00:27:35:05 Now, we're actually growing out a team internally, and I refer to these both of them as almost like franchise players. To me, it's like getting McDavid and Draisaitl, right? They're there. You build around them, right? Yes. This is a smaller market team. Are you able to keep them around forever? I don't know. 
If you build around them, give them the tools, coaching, right. 00:27:35:05 - 00:27:51:17 To get the most out of them while they're there. It's a very special thing. So that way we build some sort of organizational knowledge there. So when they do move on, we just keep building that farm system kind of thing. We built that pipeline because they're not going to stay forever, but maybe they will. 00:27:51:17 - 00:28:13:08 Jeremy: I don't know. I mean, you're setting some big, big, big expectations with Draisaitl and McDavid, but all I'll keep going. So then, I mean, in this market and you know, you're both believers in that kind of juniors coming up, proving themselves where they go, orgs having to figure that out. What are the specific roles that you're seeing that maybe are overlooked? 00:28:13:08 - 00:28:40:16 There's a lot of roles out there. I mean, for a junior person to parse through this market and figure it out is not always easy. Where do you see the specific needs where a junior should, would be a natural fit and something that would make sense for them to kind of direct themselves to? Dominic: One of the things and just from my observations, you know, over my 18 years or so that I've been doing this, one of the things which I really struggle with is the lack of standardization in terms of job titles, right? 00:28:40:16 - 00:29:03:18 You look at other job areas, right? If you say what's an AP analyst? Everyone knows what that is in the finance function, right? You say a security analyst. Security analysts at a public sector organization could be very different. The security analyst at the private sector organization. I know some people who are security analysts, which are basically acting as CISOs and I know other CISOs which are acting more as analysts. 00:29:03:20 - 00:29:34:13 The lack of sterilization still kills, I think, the field because there's so much confusion. And there's also other Frankenstein parts to that where you still have H.R. 
functions that are for the most part in control of these job descriptions. So you have the job descriptions being created by non-security people, and that ends up just being, just sort of like a Google collation there of all these different jobs, descriptions from all over the place and they don't make sense. 00:29:34:15 - 00:29:50:06 So to me, if we're going in order here, I like to see the industry move in terms of we need to start standardizing. This is why the security analyst means this is what maybe a senior analyst means, this is what an architect means. I think among professionals like George and others in the field, we know what it means. 00:29:50:08 - 00:30:25:05 We need HR functions to start coming on board and standardizing this right across the board, private and public. So to me, I would say that would be my priority. Jeremy: So your statement to any junior who is going, okay, “where should I focus?” Is trust me, none of this means anything anyway, so start looking. Dominic: Well, for me, I'm very curious here what George has to say but to me, the job title and depending where you want to go could mean something. 00:30:25:07 - 00:30:53:10 So as an example, there's a good friend of mine who I've coached for years. He's now looking at taking the internal security lead approach, just so he can go back out into the field because he hasn't had the CISO role. He wants to have that CISO role, but now he's positioned himself so he can always get the CISO title, even though they're not he's not functionally acting as a CISO because he's not an officer of the organization. 00:30:53:16 - 00:31:15:13 But that title will allow him to get there. Why? Well, because I'm going to say point, point fingers back to H.R. or anything. I don't want to make HR people feel bad, but I think a lot of stuff is being held up at the H.R. level. George: Yeah, it's tough. I mean, Dom brings up a really good point about the lack of standardization. 
00:31:15:13 - 00:31:39:06 And he is correct, like even within the CISO role itself, like there's tactical CISOs, which are really just team lead analysts being completely underfunded and not enabled teams. You have your, you know, you can say your strategic CISO which is actually more of a middle manager still usually reporting up to a couple of layers at the top. And then you have your proper executive 00:31:39:06 - 00:31:57:21 CISO who's a C-suite was fully empowered in the C-suite and has board level responsibilities. So depending on the class of organization, you're trying to work out the size of the team, size of the budget. So many different factors who you are and what your job is like. If I was a tactical level CISO I'm a team lead, but I'm still effectively an analyst. 00:31:57:23 - 00:32:23:02 So you're still processing alerts, you're still filing reports, you're doing the thing. You're just an analyst with a fancy title and a lot more pressure. Whereas if you're a C-suite, like if I'm lucky, if I'm lucky in my day job, I get to hop in on an investigation. Most of the time, though, I'm dealing in business. This was not perhaps the skill set that I was educated for, but this is the nature of the role. 00:32:23:04 - 00:32:43:00 It's all the same title, right? So I think what's smart, and depends on what you want to do when you're trying to get into the field. I will always say if you have intended to be a CISO, you want to be that kind of executive in security. I personally know a lot of folks that I know that I respect. 00:32:43:02 - 00:33:01:15 I like people that have operator backgrounds. Find yourself a SEC Ops job, a security operations role and, you know, even forensics investigators. Fine. But that's a little bit more senior. You could even do some application security type stuff, which is great. That's a technical role. We are living in the era of applications, so it's totally valid.
00:33:01:17 - 00:33:19:13 But at the end of the day, if I haven't seen someone who's a CISO or I'm looking at them, or I'm looking at a statement they made or something they put out and within their background, there's no time spent working in a SOC through either just a pure business person or a pure GRC person. Respect to our GRC friends, we all need compliance. 00:33:19:15 - 00:33:36:00 They just don't have the same weight of professional respect in my eyes. So if you really want to be in this game and you want to have the gravitas that comes with it and you want to have that lived experience, to lead your teams and talk to your boards and be that hero, quote unquote, heroes in security. 00:33:36:02 - 00:33:57:23 You should spend some time as an analyst. You need to know, and this is just a basic like my kind of philosophy on leadership. And it comes back from my time in the Canadian armed forces. You need to be able to do the job of people two ranks under you, and two ranks above you. So how can I give orders to an operations team or some kind of team if I have no lived experience understanding what I'm asking them to do or the challenges they face? 00:33:58:02 - 00:34:18:17 Jeremy: So I really like that you just painted a picture of, you know, to be CISO, here's a really good opportunity in SEC ops, right? Where you can kind of move forward. Analyst is a great place to start as you're kind of moving in. What's the skill, if you're hiring a junior analyst in a market filled with people wanting to get into the field? 00:34:18:19 - 00:34:40:18 Let's assume they have a couple of years of professional experience somewhere so we don't get into that kind of territory. What's the specific skill that you're looking for? You're going to an interview. What separates out people right off the bat? What matters to you? George: Persistence, Persistence. So if you're an analyst right, you're going to call it like the 90/10 cycle, right? 
00:34:40:18 - 00:35:04:05 And people have all sorts of different nomenclature for it. But 90% of your job is, honest to God, boring as hell. You're dealing through alerts. A lot of false positives, reconfigures, dealing with clients, clients annoying. That's okay. Deal with your supervisor. Supervisor annoying. That's okay. But then that real incident happens, right? And let's say it's tough. Let's say you can't find an immediate answer. 00:35:04:11 - 00:35:27:19 Pressure's coming from all over. Your board wants to know what's going on. CEO wants notes going on, the client wants to know what's going on. It feels like the entire world is crashing. You have to be the calmest, most persistent person in the room to solve that problem because you're the one that's actually enabled to do so. If I see someone that, you know, they're persistent, that means they're probably, they have some degree of mental resilience. 00:35:27:20 - 00:35:48:13 They have a tenacity to them. They're curious, they're go-getters. These are the types of people that, you know, if you don't have that persistence, that's intangible. You can't really teach that. So if you have someone that has that, I can teach you cyber, I can teach you ops. Every shop kind of does things differently anyway. But can't teach someone that just has that dog in them. 00:35:48:15 - 00:36:06:10 Jeremy: Are you evaluating that through a test in an interview? Are you evaluating that through looking at what else they've done like that in their life where they've had persistence? George: Yeah, I think first of all, there are tests and things that you can put into an interview process where you're seeing how they would respond. 00:36:06:12 - 00:36:33:13 It's really trying to determine what their decision making process is. 
So you can go through the typical interview question of like in your career, can you provide an example where you have blah, blah, blah, or you posed them a written challenge or just like, “Hey, here's the scenario. How would you deal with this?” You really want to determine what their decision making process and logic is so that you can kind of figure out, okay, given this scenario, I kind of know how this person will react. 00:36:33:15 - 00:36:56:21 This is the person I want in the team. Jeremy: I love that. How about you, Dominic? Dominic: Coachability. And the offshoot of that would be humility, right? So, especially someone and starting out their career, you want them to be coachable, right? You don't want them to be someone who just thinks that they know what all their hotshot to me might think of security people I've come across over my career. 00:36:56:23 - 00:37:17:01 We need to see fewer and fewer people with hero syndrome. There's a lot of people who just sort of do it alone and they don't communicate with anyone else. We need teams. We need high performing teams or highly efficient teams that to George's point, that can stay calm during the crisis. You're not going to get that if you're grounded in coachability and humility. 00:37:17:04 - 00:37:43:06 Right. So and that to me is the type of stuff that is very apparent in the first few minutes of a conversation. You know, especially in an interview session, you're able to tell if someone's humble or not, you know, And that to me is what I certainly look for when I'm a solopreneur, I'm hiring people. But as I'm getting my clients through their hiring process, virtually every time you start or grow their security team, that's one of the things that I'm looking for, right? 00:37:43:09 - 00:38:05:13 And George mentioned earlier, I think from a cultural perspective, I hope people will use the term cultural fit. I look for someone who is going to be a cultural enhancer. 
Are they going to make the culture even stronger as a result of their presence here? Jeremy: I mean, there's a fine line between humility and confidence and that balance of what you need when you say you're looking for it right off the bat. 00:38:05:13 - 00:38:24:11 I imagine you need some confidence as a junior level person coming in to go, I can figure this out, but the humility to go, I'm not above not knowing how to figure it out. Dominic: Yeah, right. And that and I'll give an example. A friend of mine is a very high up in the security function health authority. 00:38:24:13 - 00:38:49:05 And you know, like many public sector organizations with security, I mean, that's very transient. There are people that just stay for a short time and the wants are costly, you know, hiring. And he's looking for non-traditional areas where he's brought people in and he is someone who's part of his cryptography team who knows nothing about security. And in fact, his major, I might be betraying him here. 00:38:49:05 - 00:39:09:19 But he basically majored in playing the oboe. But with musicians, they know numbers. And so when the guy interviewed, he was very humble. He said, “hey, I know tech, like playing around with this type of stuff. But this is what I don't know but I'm willing to learn if you're able to coach me and I'll bring you up to speed. 00:39:10:00 - 00:39:43:08 He has a fairly large and he's a big believer in knowledge transfer, that type of stuff. And like I said, I know numbers and that's why I think I can do really well in cryptography. Jeremy: It's so funny, you know, as I say it, it's a little bit of a sidetrack.
But at Lighthouse Labs, we've seen so many musicians come through our programs and be successful in software and data and cyber, and it actually goes back a little bit also to the point that George made around this idea of dedication, reliability, and persistence, because in music, the idea that you are like the feedback of you being good or bad is literally sounding out of 00:39:43:08 - 00:39:56:21 the instrument and your willingness to kind of learn it and practice it and go through it. I mean, it's a very humbling thing to start, right? Like you have to be able to go through that downtime before you get to good. And every time you get good, there's a new level of, this is what I'm actually not good at anymore. 00:39:56:21 - 00:40:15:11 So it is really interesting. We've seen that quite a lot. I'll save you from saying that Lighthouse Labs is the best program to get into this field. Obviously, we know that to be true. But beyond that, I guess, what are you seeing in education opportunities? What do you like that you're seeing in the field that is helping people actually prepare for coming into this space? 00:40:15:11 - 00:40:53:06 You kind of took a dig before where you said, you know, information security still maybe not taught in schools the way it should be, but where are you seeing the good education come from, whether it's on the job or before the job? George: For me, I'm seeing a lot of these like easily available, like Hackbox type platforms that are accessible to everyone where you don't even have to be employed in the field to be able to learn the exercises, to get practical experience, actually doing the thing. You know, like there are a lot of people sometimes they want to get in the field, but it's like, “Cool, dude, do you want to set up 00:40:53:06 - 00:41:11:00 a virtual environment?” And they have no clue what to do? And you're like, “Okay, so how are you going to test anything? 
So how are we going to employ you?” Like you have to go from the world of theory, which is a lot of what the post-secondary programs love doing, and get more into the practical of like, all right, you're day one on the job. 00:41:11:02 - 00:41:32:05 Here are some of the tasks you're going to have to encounter. And I think if you can look for educational experiences or OJTs, like on the job training opportunities, I really hate unpaid internships. I don't agree with them. But even if it comes down, if you have enough savings to go through an unpaid internship, if that's your only shot, at least it gets you real working experience. 00:41:32:07 - 00:41:56:12 Jeremy: Do you value that? Like do you? So you see someone go through it. Are you twice as inclined to hire them coming out of something like that? George: Yeah, if someone tells me that, hey, I have these use cases and these practical exercises that I've completed and I can show you like the receipts of everything versus like I have these certs. In respect to our friends at Sans, I could care less about the certs. 00:41:56:12 - 00:42:16:23 I want the guy that's done the exercises. Jeremy: Yeah. How about you, Dominic? Dominic: I'll do both sides. So I completely agree with what George said to me. The best. The best is the, the hands on stuff like that, the practical stuff, that stuff that you're actually doing. And it's, it's come a long way, you know, it's like it's incredible stuff. 00:42:16:23 - 00:42:38:23 But to me where I think there's still a lot of feeling. I see a lot of people still going towards that traditional post-secondary route where even like CompSci degrees to me and in Canada, I'm not aware of any that big in cybersecurity. Right. There's sort of electives, to me, that should be right in the curriculum. 00:42:39:01 - 00:42:57:17 Right. And this is all these years later, not enough change has happened there. 
And another thing which infuriates me, I know this happens in Vancouver, I imagine it happens out here in Toronto as well. There are several institutions that I will not name. Basically, they tout the masters of cybersecurity, and I guarantee you this is going to fast-track you. 00:42:57:22 - 00:43:18:15 You're going to get success and all that stuff. And they generally cater to international students. So international students pay a ton, a ton of money to these institutions. And I can't tell you how many times I field calls from people who say, I pay all this money to go to this institution. I have my masters in cybersecurity? But unless I get a job in six months, I have to leave the country. 00:43:18:21 - 00:43:37:23 And they struggle to get basic security rules. And basically these institutions hang them out to dry because they already got their tens of thousands or hundreds of thousands of dollars from the students. And you don't need a masters of cybersecurity. If you want to do that, that's fine. There's certain fields where you need to fast track your success. 00:43:38:01 - 00:44:05:23 You need a masters like an MBA, someone with a business degree. If they want to become like a CFO or something. Your MBA business degree is going to get you there. In cybersecurity, you don't need a master's to get up for the CISO role. You don’t. It's just the way it is right now. And I'm not trying to downplay the masters, but a lot of these institutions are taking advantage of, I'll say, the hotness of the industry and basically doing bait and switches with people. 00:44:05:23 - 00:44:24:17 So there's a lot of negative forces I still say, that are pulling the field back. George: Can I build on that? Jeremy: Yeah, absolutely. George: So you brought up a really good point about the post-secondary, and I have a major beef with them. Like I just recently put a post about this. That CompSci program should have mandatory information security components to them.
00:44:24:17 - 00:44:59:03 The fact that they don't in an era where, like ransomware is king and we're trying to teach people about secure DevOps, it blows my mind. If you want to talk about something like when I'm doing a resume review, if someone's at an academic program and, you know, we all know the colleges and universities do it. If their program has a phase in it where they're actually embedded with an employer, right, where there's an actual like on the job training component that they get credit for, I will immediately respect that program infinitely more than all these other folks that are just selling tuition for a piece of paper. 00:44:59:05 - 00:45:22:00 But again, look at this man. We were talking just now. You're talking about your background, your history. It's super cool. You're an operator, right? You saying that to me automatically gives me or it makes me give you an additional layer of respect because you've done it, man. You've done sticks in the weeds, you've gotten your hands dirty. Everything you say going forward, I now can consider a little bit more valid as a result of that. 00:45:22:00 - 00:45:43:17 It's the same thing you might have a massive academic background, even a PhD in it, but if there's no point in that time we actually did the thing, protecting a real environment, I can't employ you. Jeremy: Yeah. What I really do like, you know, when you bring this kind of stuff up and obviously I have a vested interest in the education space, but you bring up something that's really in the news quite a bit. 00:45:43:17 - 00:46:08:18 The new Canadian side, people coming, the visas being handed out, all that. There's a lot of stuff within our governing policy that kind of affects the cybersecurity world. Talk to me a little bit about do you believe stuff like recessions, layoffs, different stuff like that are having an impact in the cybersecurity world? Do you see any impact on you know, I mean, we can get into A.I. 
if you want, but what are you seeing out there? 00:46:08:20 - 00:46:31:06 Dominic: Well, first of all, this has already been a success. My whole goal is to get George to like and respect me. Jeremy: Shut the cameras. We're done with that. I hope he invites you to a podcast. Dominic: But from my perspective, you know, where I've seen, I'll say pinches of the recession. 00:46:31:08 - 00:46:54:05 It's more so with smaller organizations. So for me, I do a lot of virtual or fractional work with organizations that don't have internal cybersecurity teams. With organizations that do have internal cybersecurity things. I haven't necessarily seen them laying people off from the security team. I've seen maybe hiring freezes, maybe they haven't expanded the team plans to expand, the team has slowed. 00:46:54:09 - 00:47:19:06 But where I've seen the greatest pinch is with organizations that are small enough that they're either about to grow their team or start a team or have stopped engaging cybersecurity consultants, fractional leaders like myself because they didn't have the money. And in 2023, I can't tell you how many calls I field from people, executives, business owners who said, “Yeah, we know cybersecurity is important, 00:47:19:06 - 00:47:37:21 I see ransomware all the time in the news. Our competitors just got hit by ransomware, but we're scared about whether or not we're going to have cash six months from now. So we're not spending on this”. As an entrepreneur, I said, as a security professional, I think you're an idiot. But as a business owner, I get where you're coming from, right? 00:47:38:00 - 00:48:01:07 And that being an entrepreneur, allows me to get that sort of perspective. But that's very much why I saw through all of 2023. So far, you know, with each passing time when the rates don't go up, it's finance. Every time the Bank of Canada says rates or rates are good, I usually have a great few days in terms of closing business, but that to me is where I sit. 
00:48:01:07 - 00:48:36:04 I saw the greatest pinch last year again with those small organizations that they're getting slammed, but they don't have internal cybersecurity teams. Jeremy: And I know we're going to be a little tight for time. And so, George, I actually want to move on. I'm just going to ask a separate question here, which is that, you know, you have mentioned a system within your company of how people are raised and developed and how you think about, you know, yourself as a performance coach. As companies and programs like what I what I really is companies that are thinking proactively about how people are growing in their company, whether that's cutthroat, 00:48:36:04 - 00:49:02:20 whether it's like training and development dollars, like whatever it is. But they're really considering how someone comes in and what they need to do. You mentioned kind of your first what people are doing in their first two years and coming into your company and how you view that. Can you talk a little about that? I would really want people who are employers or companies thinking about how they're bringing in different talent and securing their companies more, how they do have to consider what it is to bring talent in and what it is to evaluate on the job. 00:49:02:21 - 00:49:26:12 You mind talking about that a little bit? George: The way that I kind of look at things and then thankfully the company's bought into my vision of doing this. You have to ultimately attain retention by providing succession planning from day one. So when you hire someone new and they're part of your team, my philosophy is I'm not going to get the most out of you while I'm working with you or whatever. 00:49:26:16 - 00:49:46:02 It's not a resource extraction mentality. It's Hey, we're working together. I know we're probably not going to work together forever, but I want you to be as successful as you can be in your career. Like my job as a leader is to see them be as successful as possible. 
If you go into it with that mindset, then it's like, okay, cool, what are you good at doing? 00:49:46:02 - 00:50:07:16 What do you like doing? Then you build a kind of a performance plan around enabling that, and then you give them tangible goals where it's like, Hey, if you've shown competence in A, B and C, I will give you this opportunity where it's like, you really want this cert, cool, earn this cert. Or you want this promotion, cool, show me that you can do this, this and this, and you'll have this promotion by, you know, roughly this time. 00:50:07:16 - 00:50:25:02 I like giving it a deadline so it's real. Obviously, business conditions can change and people can understand that. You have to be transparent, your communication. But if they know, like by the carrot and stick mentality, if I work hard and I achieve the performance I need to, I will get this carrot. People will immediately begin to work harder. 00:50:25:02 - 00:50:43:13 They'll be more committed, they'll be bought into the thing. They'll stay with you. If people reach a point where either one, they just don't have the performance to meet the goals that you set for them in your one year or two, especially if they're early in their career. I'm sorry to say this, this probably isn't your jam or this isn't the right organization at this point in your life. 00:50:43:15 - 00:51:05:14 I think any junior analyst should be able to try for a senior analyst job within two years. It is not a place where you're supposed to linger and stay in the industry. As you continue to have the succession planning approach. From a management perspective, I tell my people, like there are a couple of my team leads: I look at them, I'm like, I'm training you to be able to replace me tomorrow because I don't want this job forever. 00:51:05:14 - 00:51:31:02 I want to do different things with my life.
I am trying to build people who can step into my role, whether I get sick, I die, heaven forbid, or if I just want to move on to do something different. They can step in and maintain the legacy of what we've all built together as a team. So knowing that there's the potential for them to attain that, you know, D-Suite C-suite kind of executive role from where they started based on the work plan that we've put together for them, they’re bought in, 00:51:31:02 - 00:51:55:10 And they're giving maximum performance every day. You're getting maximum output from them. You're showing return on investment for the hire and your team is cohesively staying together because they're invested in seeing each other succeed. This is the difference between a culture of growth versus, you know, a cutthroat cutting culture where we're going to cut 10% of all the poor performers, poor performers across the company every year. 00:51:55:12 - 00:52:13:21 I think that's how you approach things and how you look at your people as growth resources, as folks who even when you don't work together anymore. The majority of people I've worked with in my past career, I wish them nothing but the best success, even if they surpass me. It just means I did my job when we were working together. 00:52:13:23 - 00:52:35:00 Jeremy: The growth versus the cutthroat in a policy that allows you to kind of let people go after a couple of years, they're not reaching that potential is a really interesting nuanced piece that I'm sure, like you had to explain a couple of times as you kind of go through it, but it makes a lot of sense. And I think starting with the first principle of growth as opposed to just, you know, cut low performers is a very major difference to me. 00:52:35:00 - 00:52:55:11 So I love that. Knowing we're kind of getting close here. Let me ask you a couple rapid fires. I know you guys are verbose, so let's go. Let's go. Single words. Okay. Or as close as you can. 
Advice to a job seeker who is trying to get through this market with a lot of different people, a lot of different certifications. 00:52:55:11 - 00:53:19:16 If they were doing one thing, if you were recommending one thing, they do while trying to get this job, it's what? Dominic: Network George: Build friends, not just network, like learn how to network. There's a difference between like, I'm going to introduce myself or just add everyone on LinkedIn versus like, I'm going to create a substantive relationship with you as someone who I potentially want to work with. 00:53:19:18 - 00:53:44:18 And if it works out, it works out. Jeremy: I'm giving Dominic the point for word. But it was a good answer, if you're talking to employers who are struggling to find talent and ignoring the junior side of things, what's one thing they can do better to improve that ability to bring in a junior level person? George: Invest. Jeremy: Invest? Yeah. Nice. 00:53:44:20 - 00:54:07:20 Kept it to one. I want to know what I want to invest in. What? But I won't ask. Go ahead. Dominic: Two words: think differently. Or hire differently. Jeremy: Okay. I like that. And to both of you believe that Canada in the next three or four years, do you see any world where Canada's going to need less cyber talent than it does now? 00:54:07:22 - 00:54:29:13 Is this a career that has a cap coming at any point on all these roles and jobs? George & Dominic: No. Jeremy: Okay. I think that's an important point for people just listening and watching. And because I do think that the market is a very difficult one to penetrate and get into. And sometimes it's not linear you know, we see it all the time at Lighthouse, it's not linear. 00:54:29:13 - 00:54:47:10 You apply for 20 jobs, you get zero answers, you apply for 30, you get one, you apply for the next ten, you get five. But it's kind of like this. But the key is, is that long term goal back to goals, right?
This feels like a field that you might take some time getting into. Once you get into though, there's a lot of room to grow and a lot of room to do here. 00:54:47:12 - 00:55:05:02 I'm going to thank you both so much for everything you just contributed here. I know everybody listening and watching, guaranteed, they took some immense things away, if anything, for sure that Dominic loves his mother in law. I really appreciate you sharing all your time and thoughts with us. Dominic: This was fantastic. Jeremy: Thanks, guys. Appreciate it. 00:55:05:06 - 00:55:05:19 George & Dominic: Thank you. Funded by Upskill Canada [powered by Palette Skills] and the Government of Canada.