Video 272 - Weldon Dodd on the differences in securing Apple and Windows devices

[00:00:00] Chris Sienko: Today on cyber work, I welcome Weldon Dodd of Kanji to the show. Weldon is the senior Vice President of Global Partnerships for Kanji, and he brought us an interesting report. They found that a majority of respondents said that Apple devices and systems were less likely to be affected by a global software outage like CrowdStrike.

[00:00:17] Weldon Dodd: there's two areas of concern here, right? One is the actual technical underpinnings of each of the platforms and how they operate. And there's some. Important differences there that lead to security outcomes. The other side is just the, like, the social part and the ecosystem

[00:00:37] Chris Sienko: Weldon and I dig into the report, we discussed the different challenges in securing Apple and Windows systems, and Weldon gives our listeners a lot of great advice for getting started in your career, whether it's committing to your areas of passion or advocating for yourself while not tearing down others.

[00:00:53] Weldon Dodd: it matters less what it is that you've learned over the last couple of years, because I can guarantee you that [00:01:00] whatever it is you've learned over the past 3 years, you're going to need to learn something different. In the next 3 to 5 years in order to keep moving along with your career.

[00:01:09] Chris Sienko: This is a very inspiring episode, and I hope you'll come learn more from Weldon and I this week on cyber work. The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377, 500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why InfoSec has leveraged 20 years of industry experience Drawing from multiple sources to give you, cyber work listeners, an analysis of the most popular and top paying industry certifications.

[00:01:43] Chris Sienko: You can use it to navigate your way to a good paying cyber security career.

[00:01:46] Chris Sienko: So to get your free copy of our cyber security salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. click the link in the description and download our free cyber security salary guide [00:02:00] ebook.

[00:02:00] Chris Sienko: Your cyber security journey starts here.

[00:02:03] Chris Sienko: Now let's get the show started

[00:02:10] Chris Sienko: Welcome to this week's episode of the Cyberwork Podcast. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends, and how those trends affect the work of infosec professionals, and we'll leave you with some tips for, and some advice for breaking in, or moving up the ladder in the cybersecurity industry. Weldon Dodd, is the SVP of Global Partnerships at Kanji. He began his career running a campus Mac lab, and Next Lab at the University of California, Kanji.

[00:02:37] Chris Sienko: Soon after, he then went on to wireless telecom, just as digital networks and the internet came to mobile. The next stage was automating large Apple deployments and running the Apple Authorized Training Center in Colorado.

[00:02:49] Chris Sienko: Baldwin joined Kanji in early 2020, where he has built and led several teams and now serves as the Senior Vice President of Community. Uh, and actually I [00:03:00] believe, is that right? Yeah, Senior Vice President of Community, right?

[00:03:02] Weldon Dodd: Global global

[00:03:02] Chris Sienko: partnerships. Yes. Okay. All right. I apologize.

[00:03:06] Weldon Dodd: No worries.

[00:03:07] Chris Sienko: Global partnerships. So yeah.

[00:03:08] Chris Sienko: So today we are going to talk about a report that that Kanji put out regarding the security, uh, differences, let's say between, uh, Apple and, and windows systems. Uh, and all of our listeners are going to be securing one or the other, or both of those, uh, in their careers. And so I'm sure they're going to want to know more about this.

[00:03:29] Chris Sienko: So, uh, Weldon, thank you for joining me today and welcome to cyber work.

[00:03:32] Weldon Dodd: Thank you. Yeah, it's really great to be with you today, Chris.

[00:03:36] Chris Sienko: My pleasure. So, uh, Weldon to give our listeners a chance to get to know you and your origins. Uh, let's talk about where you first got interested in computers and tech. What was the initial spark and how did it sort of come to this point where you were very excited about things like security?

[00:03:51] Weldon Dodd: Yeah, I mean, the initial spark was in 6th grade. We had, uh, opportunity to have a TRS 80 [00:04:00] installed at our elementary

[00:04:01] Chris Sienko: We're the same age. Yeah. Mm hmm.

[00:04:07] Weldon Dodd: had to save those programs to cassette tape and in order to play them back, you had to rewind the cassette tape and then play it from the beginning of your program to load it back into the computer. yeah, that was beginning of a really a lifelong obsession and interest in technology.

[00:04:26] Chris Sienko: I, I know that it was probably like 30 seconds that those things took to load up, but it felt like it took like 12 minutes to like load a program.

[00:04:33] Weldon Dodd: Yeah,

[00:04:34] Chris Sienko: know, you would, you would put on the, like the simplest game and it would say press play and then you would just like go in the other room and make a sandwich and it would still be a blue screen until you're ready to come back.

[00:04:43] Chris Sienko: No. Unreal.

[00:04:47] Weldon Dodd: how I had the patience to wait that long for computers to do things. But there we were. We thought it was amazing.

[00:04:53] Chris Sienko: Yeah, yeah, then the disk drive came and it was still slower than anything you would even find acceptable now, but it seemed like we were in [00:05:00] Buck Rogers time, so. Um, so yeah, so I want to talk a little bit about some of your past positions as well, because obviously your past creates your present, but uh, You've definitely had a foot in the technical space, even when you worked as a high school teacher.

[00:05:13] Chris Sienko: So you've worked as, As you said in your intro, a certified Apple implementation specialist, uh, you were a course instructor for Jamf before winding up at Kanji. Um, can you talk about some of these different steps on your career trajectory and how some of these varied experiences found you where you are today leading global partnerships with Kanji?

[00:05:31] Weldon Dodd: Yeah. Um, I mean, some of these, some of this backstory maybe is only interesting to my mother.

[00:05:37] Chris Sienko: Yeah.

[00:05:38] Weldon Dodd: I'd be happy to share a little bit. For me, I always wanted to be an educator. Uh, I was always interested in learning. I loved books and reading. And, uh, I, I really enjoyed school and, and learning new things.

[00:05:51] Weldon Dodd: And so I kind of had that in my mind. Well, I, I met my wife as I was finishing up the university. And, uh, [00:06:00] we, we got married right as I was graduating. then, um, I was looking for a job to, to move into after finishing university, we were fortunate, blessed to be pregnant right

[00:06:14] Chris Sienko: Mm hmm.

[00:06:15] Weldon Dodd: so I had a very clear choice presented to me

[00:06:19] Chris Sienko: Yeah. Mm hmm.

[00:06:22] Weldon Dodd: education to get. Uh, and an advanced degree, a doctorate and teach at that level. and I was going to make about 28, 000 or so. That's what associate professors made at that time after finishing their or I was. Putting myself through school by working in the computer labs, and I

[00:06:43] Chris Sienko: Mm hmm.

[00:06:44] Weldon Dodd: classes to faculty and staff and taught people how to use databases and some elementary programming and Unix basics and things like this. And through that association, I was offered a job in I. T. that job [00:07:00] paid 42, 000 a year.

[00:07:01] Chris Sienko: Yeah.

[00:07:03] Weldon Dodd: I could go to school for another 6 and make nothing

[00:07:07] Chris Sienko: Make half of that. Yeah.

[00:07:08] Weldon Dodd: when I was done,

[00:07:09] Chris Sienko: Mm hmm.

[00:07:09] Weldon Dodd: could

[00:07:10] Chris Sienko: Mm hmm.

[00:07:10] Weldon Dodd: now. And because I had a child coming, I felt this real need to provide for my family that was coming. I went into it, and what I found was that my interest in technology that had started way back in tech and 6th grade, combined with my interest in learning new things, right?

[00:07:31] Chris Sienko: hmm

[00:07:32] Weldon Dodd: being able to teach other people really fulfilling within it.

[00:07:37] Chris Sienko: Yeah

[00:07:37] Weldon Dodd: was able to do all of those things with technology. And so it led to a really nice career.

[00:07:43] Chris Sienko: Yeah, well, yeah, you said that only your mother be interested in that in that career track But I mean that is actually exactly what our listeners are looking for because a lot of our listeners are just getting started They might still be students. They might be in their first job. They might be in their second job, but they're They're looking sort of ahead to things [00:08:00] and, and yeah, life always is gonna, um, make sometimes make change, you know, make decisions for you and, and it's, it's good that you were able to, uh, um, go after the thing that was, uh, going to allow you to, you know, raise a family in a, in a healthy environment.

[00:08:14] Chris Sienko: Now, uh, in, in the sort of ramp up of, of, of going from teaching, you know, people in the computer lab, you know, how to use databases to your first IT position, where you mostly sort of. self learning? Were you, uh, doing any kind of outside education, uh, you know, to sort of get better at sort of your IT skills?

[00:08:35] Chris Sienko: Or were you able to sort of secure this first job based on the IT skills that you already had working in the computer lab?

[00:08:41] Weldon Dodd: Yeah, I, I was fortunate in that I secured this 1st offer because I had worked alongside the owner of a small it business in town. I was in Santa Barbara, California.

[00:08:53] Chris Sienko: Mm hmm,

[00:08:55] Weldon Dodd: um, because I was working in the computer labs on campus and teaching [00:09:00] classes, we had outside instructors come in to teach certain topics. And so I got paired up with this. Person from the outside who have his own it consulting business and a lot of, you know, something like, we might call a MSP or

[00:09:16] Chris Sienko: hmm, mm hmm, mm hmm, mm hmm,

[00:09:20] Weldon Dodd: because he'd seen me on the job and we'd worked alongside of each other. In this university lab environment, he felt confident to offer me a job just based on his direct experience.

[00:09:32] Weldon Dodd: Um, now, for the rest of my career, you know, I did from time to time, invest in going to training courses. I spent some time at at KPMG, which is a very large global consultancy, uh, systems integrator. And they, they're quite good at investing in their people.

[00:09:52] Chris Sienko: yes,

[00:09:53] Weldon Dodd: was really, it was really fortunate for me to go to a large firm like that, that had a very well [00:10:00] established and developed program

[00:10:01] Chris Sienko: yeah,

[00:10:01] Weldon Dodd: funds set aside specifically to invest in. Their people, and so I was able to take advantage of that and get some Microsoft training, some Cisco training,

[00:10:11] Chris Sienko: mm hmm,

[00:10:12] Weldon Dodd: and other things that helped me gain certifications that, you know, built up my resume and helped me show not only that I could do the work, but I had some credentials to go along with it that that I'd spent some time learning and investing in my. Generally, when I think about certifications, um, and this is more on the advice side for other people,

[00:10:34] Chris Sienko: please.

[00:10:35] Weldon Dodd: as a hiring manager, you know, I, I don't necessarily look at certifications as. hurdle that a candidate has to clear in order to qualify for the job. And I don't even necessarily think of them as well.

[00:10:49] Weldon Dodd: This candidate is superior to other candidates because they bring these certifications, but it does show a commitment to their career and their interest in really [00:11:00] growing and developing in this field that they've chosen this area of or field of study. To invest in for themselves. And so that kind of commitment to working in I.

[00:11:12] Weldon Dodd: T. I think is a strong indicator of a potentially good teammate or good employee.

[00:11:19] Chris Sienko: Yeah, we're seeing a move towards that sort of one, two punch of, of, you know, people who think they can just, you know, lean on past experience and say, well, that's going to be enough to get me a job or people who just get 20 certs and say, all right, I'm ready for my job now. And, and neither of those necessarily being, uh, the right answer there.

[00:11:39] Chris Sienko: So the combination of you having done all this work, you know, and learning things on your own, uh, Uh, I guess I wanted to ask just very quickly, uh, with regards to the sort of professional development program at KPMG, uh, was this all sort of front loaded, like, did you have like, you know, for your first six months or whatever, did you have to like go through all these sorts of cert trainings [00:12:00] or were you sort of doing this while you were working with them and you were kind of like, you know, raising your bar every, you know, six months, a year, whatever.

[00:12:09] Weldon Dodd: Yeah, it was really more a consequence of working with them over time

[00:12:12] Chris Sienko: Okay.

[00:12:13] Weldon Dodd: advancing within the organization. So, um, had the opportunity to get promoted a few times. And for anyone that's not familiar with the global less I firms, they follow a pretty traditional model. And there's very. Rigid title levels.

[00:12:31] Weldon Dodd: And so you go consultant, senior consultant, manager, senior manager, and then partner. Um, and there's gradations within that, but there's those 5 levels. Right? And so I was. was lucky to be in a field that was growing really quickly. There's a lot of investment in Internet technologies and networking and the things I was working And so I got promoted from senior to [00:13:00] manager to senior manager to a potential partner.

[00:13:03] Weldon Dodd: And at each of those inflection points, you know, KPMG was willing to invest quite a bit to give management training, leadership training, other kinds of skills that would help you not only within your technical field, but as a team member. As a leader, as a people manager and other things. And so that was really beneficial. Now, I'll, I'll say also that I was really interested in that. I wanted to progress my career in that direction. I wanted to learn new things. And so learning things about managing and leading people was interesting to me. And so I was able to take advantage of that. I think other people in different circumstances will find that, you know, they're, if they have that desire and that. need to learn new things and grow, they'll find ways to do it. Um, I was very lucky to be in a position where I had the desire, but also the resources were being provided by my [00:14:00] employer.

[00:14:00] Chris Sienko: Yeah. Okay. Yeah. The great answer. Now, I want to talk about specifically your time at Kanji because obviously there's the career roadmap that happened on your way here. But like me, who I've been at InfoSec for 12 years, and you've been at Kanji for a very long time as well. I want to talk about some of the various roles that you've had at Kanji.

[00:14:17] Chris Sienko: You've gone from solutions engineer, product strategy, community, global solutions, and now global partnerships. Can you talk about how one of these Positions flowed from the other and if there were certain skills or experiences you needed to Advance or promote along the way that would allow you to sort of climb up that next step there What were what were some of the major steps in this in this journey?

[00:14:39] Weldon Dodd: Yeah, I think part of the answer there is I joined congee when it was still very young and it was quite small. So, uh, there's about 1516 of us when, when I came on at congee, we just raised a seed round and we're starting to fill out some more positions. And there was there was a need [00:15:00] for someone who really deeply understood, um, the apple ecosystem and how the apple device management worked.

[00:15:08] Weldon Dodd: That's the space that kanji operates in. We make software tools to allow companies to manage. And secure their Apple devices. So I had a colleague, Nick McDonald, who was the first, was serving in this role of having a really deep background and expertise with Apple. Um, I had also worked at Apple and done a bunch of things with mobile device management. And so the, the two of us were there to, you know, really bring that expertise into the company and help share that with the engineering team that was building the product and help with support, who is answering questions from customers and Really be subject matter experts for the company. And so I came to it with that mindset that I was going to be an individual contributor, a subject matter expert that would apply sort of my narrow [00:16:00] expertise to a very specific. And one of the surprises when I, for me, when I came to Kanji was that I met a group of people, like minded individuals that I really enjoyed working with. And so, uh, I was presented with 2 opportunities, right? One was to build a great product and to apply. You know, my background and expertise and experience with Apple to a specific problem, I was also presented with this opportunity to build a company to build teams of people that could work on these problems. And so, because I felt like I found my tribe in this group of people at Kanji, I became very interested in adding the 2nd problem to, um, you know, [00:17:00] my repertoire or, you know, my list of things to work on. Right. So I continue to contribute to our product and what we were trying to build for our customers.

[00:17:08] Weldon Dodd: But I also became very interested in helping to build the company and to build of people. So the titles that you've listed us listed off there, it's really a progression of me moving through roles where I would try to build a team of people to work on a. a problem or solve an issue for Kanji serve a function right for our customers or internally and develop leaders for that team.

[00:17:36] Weldon Dodd: And and and then, you know, very, very fortunate, but, uh, the leadership of the company saw that I could do that for other teams and for other areas of the company. And so I was able to move. a bit to work on some different areas within congee and help build a whole company.

[00:17:58] Chris Sienko: So I want to make sure [00:18:00] that i'm understanding correctly it almost sounds like Uh positions that you have held like global solutions and global partnerships Weren't necessarily there before you, but you've kind of built them around yourself, is that the case? You were not stepping into someone else's shoes, it was like, we need someone who can handle global partnerships now.

[00:18:19] Chris Sienko: And you said, uh, Weldon Dodgerman.

[00:18:24] Weldon Dodd: it's been a bit of both to

[00:18:26] Chris Sienko: Oh, okay.

[00:18:27] Weldon Dodd: there's been some greenfield spaces where there wasn't anything at all. And so, um, we helped put that together. There was a, there's a particular problem within our, um, our product where there's a, there's a of what we do is we provide patch updates for applications that are installed on devices to make sure that they're always up to date and on the latest version. And that's a really strong first step towards securing a device is to make sure it's fully patched and updated. And [00:19:00] that was an, that's an engineering function to get the latest app installers packaged up and checked and make sure that they're ready to go out to customers. But it works on a very different cadence than the rest of our engineering team, who's building functionality within our product, where they might be working on a scale of, um, we operate on 2 week sprints here at congee and so, uh, project that they're working on a feature that they're developing, you know, could be anywhere from 1 to 4, 6, 8 sprints.

[00:19:32] Weldon Dodd: They might be working on something for. A couple weeks, a couple months. Um, the the auto apps, we call them these application installers. There's updates every single day, and they need to be processed quickly and get get out to customers almost immediately. And so, because of that difference in the cadence of work, we found it necessary to build a different team to work specifically on the auto app [00:20:00] installer packages and make sure that those were being handled quickly. And so that was a separate team that we built systems engineering. It's led by a very capable colleague of mine, Noah Anderson, that came out of target and was doing device management for them. We had another colleague, Daniel Chapa, who came out of Nike, um, and was working on automation and engineering for them to do it, built a really great team and those two became the core of this new function that we built that.

[00:20:30] Weldon Dodd: So that's an example of something that was. Greenfield, we, we hadn't done before. We needed a team to go do that. That team has continued to grow and develop and they're doing great things in some other areas, like, with partnerships. I, again, I'm in a fortunate position where I, I've had some very capable colleagues who have started that program and built it up and have put congee in a really good position to work with channel [00:21:00] partners and some outside consulting firms and integrators. other kinds of partners. Um, and and now I have the opportunity to try to take that team and to new heights with it. But I definitely owe a huge debt to The people that have come before me and got that part of the company started.

[00:21:19] Chris Sienko: So what does an average week look like as a Senior Vice President of Global Partnerships? Are there certain things that you're doing Each week, uh, regularly, or is it completely different from day to day? But for, for people who are window shopping their future, what, what, what exactly can you expect, uh, in a role like the one that you have?

[00:21:38] Weldon Dodd: Yeah, it's, there's a lot of meetings. Um, so sorry for anyone who

[00:21:44] Chris Sienko: It's, it's true. If you're a manager, you're going to be in, you're going to be in meetings. Yeah, absolutely.

[00:21:50] Weldon Dodd: there's a lot of meetings, but you know, it's, that's a consequence of, you know, the role is a lot more about enabling and empowering [00:22:00] other people to do their best work. And a lot of times. What I've found is of the keys is allowing people giving almost giving people permission to do the things that they know they should do, and the things that they already want to do, and the things that they're already good at and and just giving them, uh, maybe small bits of advice that are helpful along the way. I tried to be helpful. But a lot of times it, it just comes down to, uh, being the person who's trusted within the organization to make a decision so that people can move forward. And I have a great team of people working with me in global partnerships. they do great things every day. And so I find a lot of times my role is to give them encouragement and say, yes, you're doing the right thing.

[00:22:58] Weldon Dodd: This is great. Keep [00:23:00] going every now. And then there's, we identify some things that could be better. That might be, uh, there might be gaps in what we're doing that we need to try to address, but most of the time it is simply decisions so that the team can take action and move forward instead of waiting, either for direction or permission to take the next step.

[00:23:24] Chris Sienko: I'm just thrilled, first of all, that you didn't do the thing that a lot of the C suite people I interview say, uh, well, there is no average day in what I do. You know, and I'm, uh, but yeah, I mean, there is, there has to be some consistency in that regard. And, you know, I'm in the marketing department and we talk about, you know, The importance of not doing random acts of marketing where you, you have to have someone at the top saying like, this is, or this is not important.

[00:23:47] Chris Sienko: I don't care how much fun it is or how you think it might look good or whatever. Like, does it make sense or whatever? And so you're, you're kind of orchestrating that on a, on a global scale. It sounds like.

[00:23:57] Weldon Dodd: Yeah, absolutely. There's only so much that [00:24:00] any 1 person or any team can take on, um, in my experience, you know, you can have 2 or 3 initiatives running at any 1 time. If you've got more than that. You begin to lose track of what was really essential or important that caused you to take up that initiative in the 1st place and your effort becomes too diffuse to have any real impact. And so sometimes the job is. Saying, you know what? That's really good. That's a really good idea. That sounds very important, but we just don't have room

[00:24:40] Chris Sienko: Yeah.

[00:24:40] Weldon Dodd: do that right now. And these other things are more important at the moment. We need to focus our efforts there because ultimately, like, don't just want to work on things that are important. We want to deliver change to the organization. That's going to have impact. That's going to make a difference in [00:25:00] what we do and, uh, to do that effectively. You really have to create focus so that. As a team, you can not not only take some steps, but you can a few steps that substantially change or have a substantial impact to the team. To the team or to the org that you're working with.

[00:25:22] Chris Sienko: All right. Uh, now, as, as we suggested at the top of the show, we wanted to have you on Weldon because, uh, Kanji recently released a report that says, quote, Apple products are far less likely to be impacted by a global software outage. Such as the CrowdStrike event from earlier this year. So I want to start by asking about this from a technical perspective.

[00:25:39] Chris Sienko: What is it intrinsically about Apple security systems that make them more proofed against these types of mass attack effects?

[00:25:45] Weldon Dodd: Yeah. So these, these findings were from a survey that was conducted by a research firm, which commissioned and the findings that came back are from, you know, a few 100 different it leaders [00:26:00] across a pretty wide section of the industry. so these are their words, right? That they feel like Apple devices are. Easier to secure than windows or other platforms. And I think that's true primarily for, there's two areas of concern here, right? One is the actual technical underpinnings of each of the platforms and how they operate. And there's some. Important differences there that lead to security outcomes. The other side is just the, like, the social part and the ecosystem of what's happening with each of those platforms. So, from the, from the technical side, I think. Right windows really we're talking about the PC ecosystem with more or less open design hardware, um, from a variety of different vendors with components from several different competing [00:27:00] vendors. And while that variety in the ecosystem has led to a lot of innovation, a lot of progress, there's wonderful things that have come about because of that more open PC ecosystem and the many companies that participate and push each other. Forward. also means that Windows sitting on top of that hardware has to be more accommodating to allow a ri, a wider variety of device drivers and other kinds of software to run, sometimes with privileged access to the system to to be effective. And so that's a really broad surface area for people who manage Windows devices to try to protect. Apple has a technical advantage in controlling the whole widget, the hardware and the software together, and being able to design their devices with that thought in mind that [00:28:00] things like the enclave portion of the Apple silicon processors that we're using. Run those devices have fully integrated security features and processes that the operating system is tightly coupled with in order to protect, um, you know, cryptography secrets and other kinds of essential foundational pieces. So, that that's 1 important difference, but we could talk about more

[00:28:29] Chris Sienko: Sure. Oh no.

[00:28:30] Weldon Dodd: to talk about next?

[00:28:31] Chris Sienko: Oh no. I, I, I sort of have a, uh, uh, An image in my head, like the difference between say, like, if you had two sets of plumbing and one was just like a one entirely, uh, unbroken piece of piping, uh, versus one that's made up of, of small segments that have to be sort of like sealed and put together.

[00:28:50] Chris Sienko: Like with, with Apple, you just have this sort of unbroken, uh, chain of machinery that is all sort of working with each other. Whereas Microsoft, you're, you're essentially kind of. [00:29:00] Uh, chaining all these different things, uh, together. And it's, I suppose it's at all of these sort of chaining points that, um, um, people can get in.

[00:29:08] Chris Sienko: So, I mean, uh, what, are there certain things that you're seeing hackers regularly exploiting, uh, in one system versus the other? Are there particular common attack factors that people in your, your survey talked about?

[00:29:21] Weldon Dodd: Yeah, I've just come back from, an Apple focused security conference. Um, unfortunately it was in Maui, Hawaii. It was honestly, it was terrible, uh, having to, to go there and attend. I might be kidding, but, um, uh, Patrick Wardle puts on a conference called Objective by the Sea, which is probably the premier, uh, Security conference for folks that are focused on, on Apple.

[00:29:48] Weldon Dodd: And it was really interesting to see some of the latest research that's come out. Um, people were there to present their findings in the, in the security research that they've done. And there's been a pretty large increase [00:30:00] in, uh, what we call info stealers. So software that's designed to gather private information off of a device, you know, so think of. card numbers, but also email addresses, passwords, social security numbers, credentials, anything like that. And then find that data, collect it, exfiltrate it out to a server, usually running in some part of the world that has less stringent laws and control over cybercrime.

[00:30:37] Chris Sienko: Yeah, a lot less oversight.

[00:30:39] Weldon Dodd: yes, um, and so the Mac has become a target for some of those. type of software, it's been prevalent on windows for a long time. There's lots of well known examples over there, but we're seeing some attention coming to the [00:31:00] Mac platform as well. So, I think it's important to understand with both of. Well, all the available hardware platforms, whether that's desktop or mobile, if it's windows, apple or Linux, if it's Android or.

[00:31:14] Weldon Dodd: IOS or iPad, there are opportunities to, um, for malicious software to. Either steal information or disrupt the operations of the company that's using it and so on. Um, and so that's that's true for all of them. Um, so some of the things that we're seeing are, know, the kind of growing interest in some new innovation in these info stealers, but, um. The scope and scale of that is still quite different to what we see on windows. And so that goes back to my 2nd point, which is around some of the more [00:32:00] social aspects or, like, the ecosystem aspects of it. There simply are more windows devices out in the wild. And so, for a group that's interested in these to collect credit cards or whatever information, Windows simply presents a bigger target and an opportunity to collect more of this kind of information more quickly. Um, and and combined with some of the vulnerabilities that exist in. within these platforms, right? You put those two together and okay, well, I know about a vulnerability that I could exploit to to get the info that I want, and I have a larger pool of targets to go after. I'm going to put my time and energy and effort into going after

[00:32:50] Chris Sienko: yeah,

[00:32:51] Weldon Dodd: Um, Mac is a little target, and it represents a bit of a smaller opportunity. And so I'm going to invest less [00:33:00] effort in there, but. Um, that that's led, I think, to the kind of the difference that we see between the 2 platforms and why this opinion is coming out in the survey that you're referring to. the truth is that Apple is growing and the Mac footprint within the enterprise continues to grow. And if you look at unit shipments, the PC market as a whole is on the decline and unit shipments year over year. Been going down and Apple shipments have been going up so I, you know, it's really one of these things where it's a continuum, right?

[00:33:41] Weldon Dodd: It's not all one way or all the other, it's a continuum. It's has traditionally been a bit more, been a bit more focus on the cybercrime side on Windows as a target, but I think it, you know, Mac is becoming more of, of more interest as it continues to grow and become more popular within the [00:34:00] enterprise.

[00:34:00] Chris Sienko: are there particular sectors that are more apple focused in the sense that if you are going to go for the higher risk, you know, higher challenge of trying to break apple systems, is it because you're trying to hit different types of targets? Because I imagine PCs or windows have sort of an intrinsic layer of people who just home computers, you know, a lot of like fishing, a lot of like, you know, versus like certain enterprises that might be, uh, you know, all Linux or all windows or all, all apples.

[00:34:30] Chris Sienko: Does that, does that sort of change the, uh, the, the sort of target shape for the, for the hackers?

[00:34:36] Weldon Dodd: yeah, I mean, it traditionally, it's been true that Apple has a really strong presence in marketing, creative, design departments, things like that, um, less prevalent in departments and, know, other kinds of functions like that. But we've also seen Apple become really popular with [00:35:00] executives. And so a lot of organizations have brought either Mac or iPhone into their org because the senior leaders or executives want to use those devices and they've kind of insisted on it. but there is a, a breed of company, particularly in tech and software startups, SAS companies, where. Their business is building software generally for the Internet, you know, software as a service companies that will run or deploy their solution on, generally Linux, but, um, increasingly that's becoming more abstracted with technologies like Docker containers, Kubernetes and so on, building on Apple for that kind of target platform for your software makes a lot of sense. Apple's built on a foundation of Unix. Um, most of the Internet [00:36:00] services that you interact with are built on top of or Unix like services. And so software teams, a lot of them use Apple devices to write other software to do engineering work. So, um, I, I definitely think that's a good example, you know, a modern SAS company that's starting up today. They might be doing security, they might be doing AI work, um, they're going to deploy Apple laptops to their employees. And it might be that the entire company is running on Apple.

[00:36:37] Chris Sienko: Yeah. As we go towards, uh, SAS companies and so forth as being a larger and larger part of the, uh, you know, uh, Overall economy, I suppose that's probably going to increase everything. Um, what do you think the ramifications of this report will be? Have people been saying anything about these findings? Or have you received feedback or say rejoined ears from either Apple or Microsoft?

[00:36:58] Chris Sienko: And do you think this is going to [00:37:00] change anything in a large scale way in terms of the way operating systems are built and secured? Or is it more just like they all sort of looked at it and were like, yeah, we know, we're working on it.

[00:37:11] Weldon Dodd: Um, I think it's indicative of a trend. Right, that there's a growing interest in adopting Apple within the enterprise. Um, a lot of orgs are mixed, right, where they have both. I think that's increasingly common to see an org that has multiple platforms. Uh, I think SAS is a part of that trend. You know, the fact that many company operations run in the cloud with software as a service solutions means you, you know, you're less tied to the specific desktop platform that you need to run those. Productivity applications, and that allows for employee choice with whatever platform they feel more comfortable with, or where they feel more productive, right? They can pick windows. If they prefer that, they could pick Apple if they prefer that, and they can [00:38:00] be immediately more productive in their role and the applications and tools that they. Need to use for their company access through a web browser, and they don't necessarily need to run them on 1 platform or the other. so that that's allowed it. I think. You know, we have talked with Apple about the findings, um, gave them a look at the survey results and, you know, they enjoyed it, right?

[00:38:27] Weldon Dodd: It's generally favorable towards Apple. It shows a growing interest and in it more and more companies. Looking at it, um, you know, 1 of the statistics is around you see. Apple usage increasing within your org, and there's an overwhelming majority of respondents say. see Apple increasing in, uh, size and importance within their org over the coming year. So that's, that's good news for Apple. Um, but I, I generally think the survey [00:39:00] itself is showing people that it's possible. And so it might open some, open some eyes to the possibility that look, I hadn't considered supporting a multi platform ecosystem previously, but I see other companies are doing that and being successful with it. And so that might be something that I could consider.

[00:39:21] Chris Sienko: So the key benefit for cyber work for our listeners is to sort of provide them with tips or advice for choosing their career path and achieving it through learning and study and hands on work. And, you know, I think we, we have certainly heard from students who talk about, uh, wanting to sort of go down one path or the other, or fearing that if they go too far down one path, they won't be ready for the other.

[00:39:42] Chris Sienko: Can you talk about the difference in skills at a cybersecurity professional at the student or entry level? Would need if they wanted to focus on securing either apple or windows for enterprises that they'd eventually be employed by

[00:39:53] Weldon Dodd: Yeah, I think there's a few different roles that are possible [00:40:00] within an org. So, um, there, there's a whole area around governance, regulation, compliance. And, um, those GRC functions are, I think, increasingly important to organizations. It's not necessarily that, you know, adhering to a particular standard or framework is like a golden ticket to securing your devices, but it definitely teaches. Good practices, and it gives you the ability to create a baseline for your organization that you're going to measure yourself against to say that, like, look, we intend to manage risk within our organization by. these security controls, those controls are defined in well, known industry standards that we can borrow from and assemble. You know, a baseline that [00:41:00] makes sense. For our organization. So one area. I think that's really important. And increasingly, I think I. T. Decision making is going to be driven through that lens of looking at what baseline are we going to adopt as an organization in order to manage risk? Um, there another area is just around threat research or detection engineering. Those are different disciplines, but I think they both fall within this area of being directly security focused where you're either as a detection engineer, right? You're looking for ways to build rules and systems. Increasingly, we're seeing the adoption of AI tools. To help aid with detections, um, in finding malicious software, you know, either, uh, you know, a virus or some kind of malware or an info stealer, right?

[00:41:59] Weldon Dodd: [00:42:00] What techniques can you apply to find those? Find that software within your org, right? Uh, research a little more focused on, uh, new techniques or new ideas to do that. And detection engineers often pick up that research to apply it to a specific problem. Right? But that's kind of another area of concern. And then there's the, the folks that actually manage. And run our administrators of practitioners with security software tools, CrowdStrike, Sentinel Kanji, et cetera, that organizations deploy in order to meet the baseline that they've set for themselves to apply. The research that detection engineers and things are coming with, but then, you know, take action on any problems that are found. So, if you detect software, right? What do we do about it? we isolate [00:43:00] that machine? Can we quarantine it? Can we cut it off from access to any sensitive resources? able to integrate with it to accomplish like conditional access that's based on not only having the right credentials, um, presenting your username or password, or maybe a pass key to get access, but in the right place.

[00:43:24] Weldon Dodd: Right? In an expected place. At an expected time of work from a coming from a system or an endpoint that is managed and secured and is verified to be free of any known software viruses, et cetera, being able to couple the security piece with the piece. So that you could conditional access, say, you can only get access to the sensitive resource.

[00:43:51] Weldon Dodd: If not only do you present the right credentials. But you're in the right time zone. You're coming from the right country. You're coming from an endpoint that's known [00:44:00] and managed and is known to be in a good, secure state. It has the right security posture. Now we can allow you to have access to whatever this resource is.

[00:44:10] Weldon Dodd: Maybe it's a payroll system. Maybe it's accounting. Maybe it's R. and D. research that is essential to the lifeblood of the company. Um, so that would be another area.

[00:44:22] Chris Sienko: now. Uh, that's, that's awesome advice. Now, uh, you've, you've given us a, a, a number of different kind of, uh, uh, buckets of, of knowledge or areas that are going to be important in the coming years, uh, for people who are just getting started. Uh, you started obviously right with, uh. Uh, you know, working in a, in a, you know, computer help desk, basically, or computer department and went into an IT job.

[00:44:46] Chris Sienko: Um, for people who are doing that sort of thing now, who are, uh, maybe have a baby on the way and need to get into the industry quickly, uh, or whatever, like, what are some of the types of skills or certs or hands on activities or projects that you [00:45:00] think entry level young people, students, job changers need to be focusing on now?

[00:45:05] Chris Sienko: Uh, to sort of help them prepare them for these different types of, of rules, you know, whether it's GRC or whether it's implementation or whatnot.

[00:45:12] Weldon Dodd: Yeah, I think, um, for what we've done here at Kanji is. For folks that are coming through some, some, some kind of cyber security program, you know, whether that's a credential certificate, or maybe a 4 year degree from a university, we're hiring those people into junior roles in our security team to start out either as a detections engineer, or maybe a junior researcher. And so that provides some entry level opportunities. I think if you go the IT route. And you're working help desk, or, um, maybe you're working on back end systems as a junior within your team, getting [00:46:00] experience with tools like, um, device management, congee, but or other tools like in tune on the window side, crowd strike sentinel 1. Um, some of the getting experience with those tools and seeing how they work, uh, that will open up a lot to, um, you know, it's 1 thing to deploy the tool and look at the dashboard and kind of, you know, see the reports and whatnot. as you spend time with it and dig into it, you'll understand why it's doing what it's doing. Uh, what this means and what is significant. this is kind of a tangent, but I think 1 skill that comes over time is learning to discern what's important from what's not important when you're presented with. long list of or a big corpus of data or a long list of material. This was something I was introduced to actually, when I was studying [00:47:00] history in university, like, that that was my other potential career path.

[00:47:04] Weldon Dodd: Right? It was to be. A history professor and I had to read a lot of books and, uh, um, and sometimes I'd have to read a book a week or something for a class and give a some kind of report on it. Um, whether it was written or just oral, but there's a skill there to if you're going to read a long book, there's a lot of information in it. But the skill that I was supposed to be learning was find the important information in this book. Like, what is the critical idea or the new idea that's being presented in this book? That's actually interesting and important. And I. T. practitioners have the same opportunity. Because there's lots of data available to you about a device or about a system, learning to distinguish, okay, which of these [00:48:00] log entries are actually important or significant is a skill that you gain over time as you become familiar with the system.

[00:48:09] Weldon Dodd: With that system, and you'll you'll learn like, oh, yeah, these log entries are normal expected behavior. They don't really signify anything of importance. But this log entry right here. Maybe it's a, you know, like a log in right? Or someone's privileges. were elevated from a standard user to an admin user. Well, that log entry is significant. That's important. And being able to identify like those important, significant pieces of data out of a large body, I think is a skill that you can gain over time. Uh, but it requires practice, it requires repetition. And so back to my earlier point, If you can get introduced to tools like CrowdStrike or Sentinel 1 or Kanji or [00:49:00] others, it's useful to learn those tools because Over time, you'll see what's normal and expected behavior, and you'll begin to identify, uh, this is unusual, right?

[00:49:12] Weldon Dodd: This is different, and it's potentially significant and important, that skill is something you'll be able to take with you through the rest of your career as you encounter new systems and new areas of and or new functionality, right? Being able to gain an understanding of. Okay, this is what's happening.

[00:49:35] Weldon Dodd: I can see the regular of behavior, the regular cadence of information, but this stands out as being new or different. Um, that's something that you'll need to apply over and over again throughout your career.

[00:49:48] Chris Sienko: Yeah, that's awesome advice. Uh, and I want to sort of add on that. You said you, you, uh, do occasionally hire. Entry level people to do things like threat research and and sort of uh, sort of lower level research [00:50:00] functions like that What what sort of things do you want to see on someone's resume not in terms of necessarily their Credentials or whatever but like things that indicate that they have done the work or they have interest in it.

[00:50:11] Chris Sienko: Like how do you sort of I Make yourself known in a pile of resumes As someone who has done the work or can do the work or has that inquisitive mind, what, what are some of the, the, the green flags that you see

[00:50:26] Weldon Dodd: Yeah, green flags for me would be, um, focus would be 1, right? You can see a real intent. By the candidate to grow and develop in a particular area, and it's not even necessarily important that focus perfectly matches up with opportunity that that we have, or the need that we need to fill. But it indicates to me that this person has ability to sustain, you know, not only interest, but effort in a [00:51:00] particular area in order to grow and learn.

[00:51:02] Weldon Dodd: I think that's a great indicator of future success. someone's been able to focus or, uh, and apply themselves to a specific set of problems or an area of problems. Um. When I speak to someone, I learned this trick from a leader that I really enjoy working with, Nathan Sparks, who's at Kanji with me. He'll often focus his interview questions on trying to bring out something the candidate is passionate about, if he can get someone speaking about a topic that they feel strongly about, that they're passionate about, it reveals a lot about. Their character and like who they are as a person. And again, it's like it, it might be formula 1 racing or English Premier League football or something.

[00:51:54] Weldon Dodd: Right? And maybe it's dancing or crochet or [00:52:00] macrame or something. Right? Woodworking if you can get someone talking about a topic that they're interested in. They're passionate about that. That I find is really important because working in I. T. can be very challenging and portions of it are tedious at best.

[00:52:21] Weldon Dodd: Right? But if you have that passion and interest in right? Um, it shows you have the capacity for, um, feeling strongly about something. It indicates that you might be able to bring that to your work as well. So, uh, the company that you're interviewing with and your own interests happen to align in a way that allows you to bring, you know, a bit of yourself, a bit of your own passion for what you care about to your work, that's probably going to be much more impactful than. [00:53:00] Whatever class you happen to take or whatever credential you might be able to bring to the organization. So 1, I think you should consider if you're you are that type of person who has that passion for learning and technology and trying new things and always being challenged to pick up something new because that's what it is. Right? You should consider if you are that kind of person, but also you should think about how can I demonstrate that to a potential employer that do have an interest here? I love to learn. I can apply myself to. Learn something quite deeply, because it matters less what what it is that you've learned over the last couple of years, because I can guarantee you that whatever it is you've learned over the past 3 years, you're going to need to learn something different. In the next 3 to 5 years in order to keep moving along with your career. And so I [00:54:00] care less about what specifically you've learned in the past, but I care a great deal about your ability to learn and your ability to sort of passionately apply yourself to a new problem.

[00:54:13] Chris Sienko: that is great career advice for, for anyone, whether entry level or otherwise. But I think it's, it's just great career advice all around. So before we go weld, and I want to ask you though, uh, did you get a piece of career advice that you received that's been influential in your life? What's, what's the best piece of career advice you've received?

[00:54:29] Weldon Dodd: Um, yeah, I, I'm thinking back to, um, um, I don't know if this is the best career advice I've ever received or the most important, but

[00:54:40] Chris Sienko: That's fine.

[00:54:41] Weldon Dodd: the incident or moment that comes to my memory is really early on in my career. I was just a couple of years out of university and I remember. Being, um, don't know what the right emotion is.

[00:54:56] Weldon Dodd: Annoyed, uh, disturbed, [00:55:00] distressed that, um, a colleague in a slightly different department, you know, wasn't really in the equivalent position to myself, but a colleague had received some recognition and some, some pay that I had not. I went to my boss and said, you know, like, I've been working hard and putting in hours and here's the things that I've done.

[00:55:25] Weldon Dodd: And, and, but instead of asking for what I wanted. pointed out that this other person got something. I wanted, right? And his advice to me, I think was really sound. His was like. Hey, look, I was with you while you were talking about how you've been working hard and. putting in the effort and you've contributed these things to the company, but as soon as you pivoted and pointed to what someone else had and that you wanted what they had and felt that you deserve something that they had [00:56:00] received, you lost me. I don't want to hear from you about has something that you want, right? If you want something, come and ask for it and tell me why you think you deserve it, but deflecting and being kind of expressing

[00:56:19] Chris Sienko: Yeah.

[00:56:20] Weldon Dodd: right? That someone else has something that you would like diminishes you, right?

[00:56:28] Weldon Dodd: It makes you less in

[00:56:29] Chris Sienko: It,

[00:56:29] Weldon Dodd: my eyes. Thank you so much.

[00:56:30] Chris Sienko: it carries with it this, this sort of notion that you're asking that thing to be taken away from them almost.

[00:56:37] Weldon Dodd: Almost, right?

[00:56:38] Chris Sienko: Yeah.

[00:56:39] Weldon Dodd: um, it has had this negative feeling and he was really sensitive to it, right? That was part of it. But that stuck with me. I realized that, yeah, like I don't need to build my success around stepping on top of other people, right? I don't need to gain something by taking away [00:57:00] from someone else, right? That I could my career and I could get the thing, the things I wanted and grow in the ways I wanted to grow by focusing on and what I was doing, what I was contributing. And trying to earn, um, the things that I wanted to receive and that, that, I think it was really important for me to hear that early on when I was young to learn that lesson, um, at that moment, because it really served me well my interactions where I could approach not only my own growth, but my interactions with my team. And from that standpoint of, look, we can all win. could all grow, right? You can have success and I can celebrate your success and recognize your achievements and celebrate that and applaud what you've done. I can [00:58:00] also advocate for myself and the ways I want to grow and be recognized diminishing anyone else.

[00:58:08] Chris Sienko: That's literally the first time we I've asked this, this question for probably 75 people, and that's the first time I've heard that very specific one. And I think that's awesome advice. So I appreciate that. Well, then, so as we wrap up today, uh, tell us a little bit about Kanji and the things you do and the services you provide for your customers.

[00:58:24] Weldon Dodd: Yeah, so, um, we are a device management solution with security tools so that if you're in an organization that has Apple devices, know, MacBooks, other Mac, iPhone, iPad, Apple TV, whatever it might be, um, we allow you to automate the deployment and configuration of those devices. And to monitor and secure those devices ongoing so that you can protect the organization. from any threats, but also [00:59:00] make sure that all your colleagues that are using these devices can be productive with the tools that they need the software that they need configured correctly up to date patched. Um, and we, we do that with a platform that's really focused on automation. So my experience previously working with Apple is. I did a lot of professional services work out in the field, helping companies deploy large numbers of devices, sometimes hundreds of thousands of devices. at that scale, we would do this over and over again with different customers. And what I found, my experience was that I would do the same things. Over and over again with every customer, um, certain, you know, making sure disk encryption is enabled, um, setting up tools to name devices correctly, according to

[00:59:53] Chris Sienko: Mm hmm.

[00:59:54] Weldon Dodd: that we wanted to, um, escrow, the recovery keys, things like [01:00:00] this. And, uh, you do this over and over again enough times, and you the question just naturally is raised, like. If I have to do this every time, why doesn't the tool just do it for me? And that was the spirit that we brought to Kanji when we built it was we wanted to build a tool that would do the things for you so that you could move on to other problems. Like, I really believe in it as a career. I believe in, um, you know, admins having an important role within the organization. And I, we wanted to create a tool that would allow people to get past, like, Hey, look, I need to update Chrome again, like, 3 times this week. be able to focus on some, like, higher level contributions to their

[01:00:47] Chris Sienko: Yep.

[01:00:47] Weldon Dodd: Like, I doubt there's companies that have their, you know, their mantra or their mission statement, you know, up on the wall is like, I'm going to keep Chrome patched.

[01:00:59] Weldon Dodd: Right?

[01:00:59] Chris Sienko: [01:01:00] Yeah. Yeah.

[01:01:04] Weldon Dodd: uh,

[01:01:04] Chris Sienko: It's at the very bottom with like a little asterisk. Yeah.

[01:01:07] Weldon Dodd: Yeah, I mean,

[01:01:08] Chris Sienko: also, please do that.

[01:01:10] Weldon Dodd: It is part of the job, right? But we

[01:01:12] Chris Sienko: Yeah.

[01:01:13] Weldon Dodd: this focus on automation so that those things you could design your deployment and say, look, I always want Chrome to be patched within a few days

[01:01:21] Chris Sienko: Yep.

[01:01:22] Weldon Dodd: configure that once and be done and then move on. Right?

[01:01:25] Chris Sienko: Yeah. Right.

[01:01:26] Weldon Dodd: whatever that mission statement is on the wall, whether it's. you know, people who are sick or managing people's money or building great software or whatever it might be, right? You could go work on that mission statement instead of the tedious parts of the job.

[01:01:43] Chris Sienko: Drop everything and think about a thing that's gonna get you out of your flow. So, it's awesome. So, one last question for you. If our listeners want to learn more about Weldon Dodd and or Kanji, where should they look for you both online?

[01:01:54] Weldon Dodd: Yeah, I mean, I'm on a lot of the socials just at [01:02:00] Weldon, but probably the best place to find me is on LinkedIn.

[01:02:03] Chris Sienko: Okay. Great. Mm hmm.

[01:02:05] Weldon Dodd: don't think there's very many of us.

[01:02:07] Chris Sienko: Yep. That's where I found you.

[01:02:08] Weldon Dodd: put my name in, I think you'll find me

[01:02:09] Chris Sienko: Mm hmm.

[01:02:10] Weldon Dodd: Kanji and I'd love to hear from you. And, and,

[01:02:13] Chris Sienko: Great.

[01:02:14] Weldon Dodd: if I can. Be helpful. You know, I've, I know you have some listeners who are in their career.

[01:02:20] Chris Sienko: Yeah.

[01:02:21] Weldon Dodd: I've really enjoyed mentoring young people as they enter their career. And so if I could be helpful in any way, I'd, I'd love for people to reach out.

[01:02:29] Chris Sienko: That's awesome. Thank you so much for your time and insight today, Weldon. It was great talking to you.

[01:02:33] Weldon Dodd: Yeah, absolutely. It's really a nice conversation. Thanks, Chris. All

[01:02:48] Chris Sienko: slash free. Uh, there's a whole bunch of free and exclusive stuff for Cyborg listeners over there.

[01:02:51] Chris Sienko: You can learn about InfoSec's new career immersives, which can take you from complete beginner to job ready in six months time by a combination of [01:03:00] live instruction, hands on practice. Personalized career coaching that can fit any schedule also go to infosec Institute comm slash free for the free cybersecurity talent development playbook You can download this and find in depth training plans for 12 most common security roles including sock analysts penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional, and more.

[01:03:24] Chris Sienko: One more time, that's infosecinstitute. com slash free, and as always, the link is in the description below. One last time, thank you so much to Weldon Dodd and Kanji, and thank you for watching and listening. Until next time, this is Chris Senko signing off, saying keep learning, keep developing, and don't forget to have a little fun on the way.

[01:03:41] Chris Sienko: All right, bye for now.