
Destination Cyber
Episode 16: Rohit Borekar
First Aired: December 18, 2025

Rohit Borekar is a seasoned IT and Cyber Security professional with over 20 years of experience. He is known for his motivation, adaptability, and leadership. For the past five years, he has actively mentored students and professionals, earning accolades such as:

  • Cyber Security Mentor of the Year (2023) – AISA Conference
  • Cyber Security Professional – Government & Defence (2025) – Australian Cyber Awards

Rohit has served in the Army Reserve for 15 years, recently promoted to Captain, becoming one of the few Cyber Officers in the Defence Force.

He is the founder of Solution Tech, a Cyber Security start-up running internships since 2022, which led to new hires and won the ADF Reserves & Employer Support Award (2024) in the Small Business category.

Rohit is also a published author of “India to Australia”, a book written for his children that has inspired many international students.

He has spoken at major events including:

  • TEDx Canberra on AI
  • ACS on challenges faced by international students
  • AISA CyberCon 2024 and ISACA Canberra 2024

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

[00:00:03] VO: Gather round, my little hackers and defenders. You must have heard of big scary terms like SOC: save our careers.

[00:00:11] Chaahat: Not quite. It’s actually SOC: Security Operations Center.

[00:00:14] VO: I wasn’t entirely wrong.

Speaking of careers, this lady who’s completely confused about which cyberpath to take is Chaahat Bagla.

[00:00:25] Chaahat: Hey, it’s not that bad. I’m just curious.

[00:00:28] VO: And so she is giving herself 12 episodes to explore 12 cyberpaths by asking professionals the right questions. Just curiosity leading the way. And if you’re in your figuring it out era, come along for the ride. This season we’re talking red teams, blue teams, AI, GRC and all the juicy stuff. So plug in, scroll less and learn more. This is Destination Cyber Season 2. Powered by KBI Media. Press play. Your cyber origin story starts now.

[00:01:15] Chaahat: Welcome back to Destination Cyber Season 2. To all my cyber explorers out there, we’ve got an inspiring journey today. Joining me is Rohit Borekar, a seasoned IT and cyber security professional with over 20 years of experience and one of the few cyber officers in the Australian Defence Force. If you imagine a path that begins in India, winds through building a life and career in Australia, includes service in the Army Reserve where he rose to the rank of captain and branches into mentoring, entrepreneurship and even authorship, you’re imagining Rohit’s story.

[00:01:51] Chaahat: So, hey Rohit, I would like to start by asking a bit about your background. So could you walk us through your journey into cybersecurity? When did you realize that was the stream you want to get into?

[00:02:02] Rohit: Yeah, sure. So this, I was actually one of the very early adopters in cybersecurity. I did my master’s in IT and Cybersecurity back in 2003. So that was way before cyber was a big buzzword and you know, catchy word that all that thing that it became now. And during that time very few universities were offering cybersecurity as a master degree. So that’s what I mean by early adopter. I was, I did all, all my units, I selected with anything that has security in it that always interested me and that sort of gave me a leg up in the industry because I was doing all the fundamentals, the basics, the networking, the IT operation side of things and obviously security being the big piece in it. And then as the years progressed in last 22 years, upkept my education up to date with all the latest and greatest technologies and all the new vendors that came along. So yeah, that, that really helped me. But that master degree actually gave me a leg up. Not initially, not first five years there’s nothing really happened but it, after sort of six, seven years later it slowly progressed and then in last seven years just blew up.

[00:03:09] Chaahat: In cybersecurity itself, it’s quite fascinating how you mentioned that you always had an interest in security. So what is the specific thing that you know, piques your interest, your curiosity about going into the security side?

[00:03:21] Rohit: By trade I’m an engineer so I like to play things, I like to do the hands on, I really get, get my hands dirty. So it was more of the thing where I wanted to see what else the technology can do. And one of the, one of the units that I did was a digital forensic and that really sparked my interest in security and how hackers look at it. And if something happens, how do we go and reverse engineer to find out what happened in the back end? So that, that really sparked my interest.

[00:03:50] Chaahat: So when you did your master’s degree, were you always clear that you want to go in cybersecurity? And when you were applying for jobs as a recent graduate, what was your focus? Was it getting something into IT or going straight for the cyber roles?

[00:04:03] Rohit: Initially it was purely just getting into IT because as a fresh graduate we just want to be able to get that first IT job. I was focused on any IT job that I could get. Basically my first IT job was at iiNet doing tech support over the phone. So even though there wasn’t heavy technical stuff, it was basic level one, level two, maybe most, but it gave me the communication skill and the soft skills and that actually helped me in my career a lot more than the actual technical skills.

[00:04:32] Chaahat: So was it easy landing your first job after graduation? How many job applications did you apply for? Was it a lot of like getting cold? So like no reply at all when you were sending out your resumes or was the process easier back in the days?

[00:04:46] Rohit: No, it wasn’t easier. It was hundreds of jobs. So I think at one point I was tracking 20 to 25 a day. 20 to 25 jobs per day that I was applying through Seek or any job website that I could find, get my hands on. It was actually a lot harder because back in 2003, 2004, because I came as an international student, I had a restriction of 20 hours per week, that I could not work more than 20 hours. That limited my job option heavily. And the only reason I managed to get iiNet was purely because I applied during my breaks, when we had Christmas breaks and two months off. And then that’s the only time I could work full time. So challenges were there.

[00:05:26] Chaahat: Being an international student myself, I know how hard it is and listening that it wasn’t even easier back in the days. It just changes my whole perspective because I thought now with the advent of AI, most of the jobs are getting, you know, crossed off. But it’s not that it’s back in the days as well. It was harder. So what my point is being an international student, you said how you had the Christmas break when you applied for the job, but most of the job they list the full time requirements. So how did you convince them to that, oh, you had the holiday period and you could work full time. Was it through an email to them or did you just directly call them?

[00:06:00] Rohit: I actually just applied straight away, even though the job said full time and it was, I think just before getting into holidays. So I knew that it’s gonna be interview process, two, three rounds of interview process. And by the time we get through that process, it will be already December. So it was advertised as a full time role and it actually was a sales role, not even a technical role. And they just wanted someone on the call center to do the sales bit of selling and all that. And because I said look, they asked me, can you work full time? The only answer I said was yes. And after two months, once I got in, then at the moment my uni started, I said going back to them and said, look, I’m going back to uni from January or I think mid Jan or something whenever the university opened. And they happily converted me from full time to part time.

[00:06:45] Chaahat: So you mentioned there were two, three rounds of interviews. So what happened these days is we do like a video interview first and then there is. They make us play those, those games, the technical games, the math questions. And then we do another interview around which is more of a behavioral questions and then another one which is a coding one. But all of this is done online these days. So was it the same back in the days or were those two, three rounds in person?

[00:07:09] Rohit: First round was just over the phone, the second was in person and the third one is a group session in person as well.

So sitting on the round table, they gave us a scenario and then half the team was pro and half the teams against. They gave us a topic and we really have to show our communication skills and little bit of debating skills as well. So yeah, that time, but that was the, that was back in obviously 20 years ago. But even now a lot of things that we apply for, they have that math component, the aptitude component, the online and they’re also asking a Video as well nowadays. So yeah, I’ve seen both side of this in 20 years. I’ve seen how it’s just changed.

[00:07:47] Chaahat: So you mentioned that you did like a group session for an interview and while going into the interview, what was your approach like? What were you thinking? That how could you stand out in a group? How did you prepare for it essentially?

[00:08:00] Rohit: So to let you in a secret, I’m actually an introvert and that is a big challenge for introvert to put in a group discussion. So my thinking was I knew my strength and my weaknesses but the thing that I went in the mindset was look. So I was very lucky to go get into up to the round three. I was very fortunate and very lucky. So I said look, I’m not going to miss this opportunity and I have to suppress my introvert and really come out as an extrovert type person during that interview or during that group session. So yes, you have to sometimes shift your thinking. You’ve got to really get into that mindset because they’re looking for communication skills, they’re looking for really that outspoken person and yeah, that’s what I had to be for the job.

[00:08:45] Chaahat: Yeah, the deterministic approach, that’s definitely essential for anyone. Like you have to have the mindset of going after it and not just like brushing it over. Oh, I’ll do the other one. No, yes, this is my chance, I have to go get it. So that’s quite interesting. Thank you for sharing that. So after you sort of did that sales job, when did you go. I saw a bit about your background and you have served in Army Reserve for over 15 years. So how did you approach, how did you go to the army side of things?

[00:09:11] Rohit: So army side of things is a bit of a family background. My dad was an ex army, my brother is still serving in the army. So that was. I grew up in the army environment and lived in army quarters all my life until I came to Australia when I was 21.

So that was already there in the back end. But because I was international student I couldn’t just go and join the Australian Army here straight away at least. So I had to do my get a PR and citizenship and all that first. So once I managed to get the PR and citizenship the day I got a citizenship, pretty much the next week I went to Army Reserve and said sign me up because that was my personal interest and from a fitness side of things I was really into fitness and yeah, and a bit of a family history as well. So that really helped. So now I’m 17 years actually in the Army Reserve. I’m still active army reservist.

[00:09:57] Chaahat: So how has the like the discipline and the structure from defense shaped your approach to cybersecurity in the civilian world? So do you see any similarities?

[00:10:06] Rohit: Yes, massive similarities actually. So when I joined, I actually joined as infantry. I was doing, you know, a lot of running around the bush and doing all the infantry stuff. And then because I had an IT degree, they said hey, you’re wasting your time, why don’t you go to SIG unit? We’re doing all the IT stuff and satellite communication. So then I transitioned to satellite and comms and last four years ago I transitioned to cyber because cyber wasn’t a big thing back in the defense, now it is. So we transitioned to the cyber unit. All the discipline, the procedures, the standards and formats that I’ve learned, we try to use that in the civilian world as well and especially in the cyber because it’s very similar because you’re still fighting an enemy. In defense at least you know who you’re fighting, who your enemy is. But in cyber it’s actually harder because you don’t know who you’re fighting. It might be state-sponsored hackers on the other end or it might be 18 year old kid who just wants to try a few things or it could be mix of both. Or now because of the rise of all the AI products, there are a lot of hacking tools out there, the AI based hacking tools. So you might be fighting against them. So you really have to broaden your horizon and thinking when you’re looking at from the enemy side of things, it’s a digital enemy that actually can do a lot more harm than a bomb or a bullet for example. So yeah, it’s very similar but it’s actually harder in cyber.

[00:11:38] Chaahat: That’s very true. When there is a mystery involved, it also creates, creates like an interest. Oh yeah, there is someone out there. But yes we can. The ability to have the defense in place and the strategies and the policies. I think security always comes first and it should come first in all the cases. Even in like the development phase of things. If you think from a security perspective you’re just reducing any risks, chances and I think that’s what companies need nowadays, especially with all the businesses, business mostly going online. So what I want to ask next is what was the turning point where you realized that cloud would dominate the industry?

[00:12:14] Rohit: I think the first time when I realized that was I can’t remember the exact year, but when Microsoft launched 365 product and that was a really a mental shift from a lot of people to going from a traditional software base that gets installed on your computer and all that to a software as a service that you can buy a subscription and you still get the same product. So that was the mental shift that happened. I think it’s about eight years ago. Eight or nine years ago. That was from my experience because we’ve been doing a lot of IT on traditional IT servers, building servers, putting in the data center rack and stack, all of those and 365 came along and said hi, this is cheaper and better. Plus you can move around to any user in a click of a button compared to a standard desktop application. That was the first time I realized and since then it has just taken off like a rocket. Everything is in cloud. I mean there are still few people hanging on to the old physical servers but I think they’re short lived now.

[00:13:15] Chaahat: So between securing the nations and securing the enterprises in the cloud, what are the differences? From a government perspective it differs versus in a private sector how do they both approach cloud security?

[00:13:27] Rohit: So in the government space it’s heavily focused on compliance. Heavily. So in Australia the Essential Eight, one of the biggest one that’s pretty, it’s mandatory for government agencies and state governments and that is the same model the enterprises are looking at as well now. So we’ve got Essential Eight, we’ve got NIST, ISO standards or if you need a SOC 2, all of those certification and accreditation are getting really really important if you don’t have one of those.

The even government as well as government definitely won’t work with you if you don’t have those compliance in your organization. But even enterprises are now putting that requirement. So if you look at any tenders or offers that comes out they all have that requirement that you must be maturity level 2 or maturity level 1 at best at minimum to be able to apply for that opportunity. But every country has their own, so if you go to the US they have their own set of, you know, NIST mostly; if you go to the UK they have the Cyber Essentials; but in Australia, Essential Eight, ISO and a bit of SOC 2. And the other part was the IRAP assessment being a data sovereignty that’s a big thing in government space. So those, those three or four certification are heavy, heavy on government but enterprise are just following the lead basically.

[00:14:44] Chaahat: Now that’s quite fascinating you mentioned that because every single company recently, all of them there’s a big buzz around all of them are getting ISO 27001 and that’s right, even IRAP is very important for all because if you want to work with government from a defense side of things, you only want the best and therefore it pushes the pressure on enterprises to get those assessments and those accreditations get done. So as you mentioned that cloud security isn’t just technical and it’s also about compliance and governance. So how do you see frameworks like Essential Eight or NIST shaping cloud careers? So from a person who is still graduating, what sort of information do we need to have about all these frameworks and how can we stand out when we’re talking in interviews?

[00:15:26] Rohit: Okay, yeah, great question. As I mentioned, we have to move according to the technology and the requirements. So I will give you a bit of a hack where I use that in my career as well is if you’re a fresh graduate, you’re looking for jobs, you go on Seek or whichever website, find those 10 or 15 jobs that you think you are suitable for or you want to apply and find what are the common skills they’re looking for. And I can guarantee you will find a common thread that they’re all asking for either Essential Eight or particular certification or particular skill set. So you just have to work out what is out of those 15, what are the common denominator skill sets and go and learn that skill. If you don’t have that skill or certification, go and learn that. Coming back to the Essential Eight part of things, there’s also a short course now available from some of the university they they’re offering Essential Eight as a course I believe.

So that will really put you in front of a normal master degree in cybersecurity, for example, because and as an employer I also look at what you’ve done extra. Yes, you got masters in cybersecurity, but what have you done extra? Have you done any labs? Have you done any CTFs? Have you done any vendor certification like pen testing or Microsoft or Fortinet for example? Those are the extra skills that employer wants more than your piece of paper that you got master in cybersecurity.

[00:16:47] Chaahat: It’s good that you mentioned the certification and the practical labs because my next question is around it. So a lot of the students, they ask whether they should focus on certifications from big companies like AWS, Azure Security, or they should focus on practical labs. So what’s your take? Given that someone has a limited time, what should they prioritize? Should they go by certification then practical labs or should be more around practical labs and then focusing and streamlining towards the certification?

[00:17:13] Rohit: I would say a bit of both because I’ve seen both sides of the story where people have great certification, vendor certification, they’ve done it, but they haven’t actually have any practical skills or they haven’t done any work experience to actually really use those skills. So in IT, if you don’t use that skill, you’ll forget very quickly and the technology will change and you’ll become redundant within two years. So it’s a bit of both. And on top of that I would also recommend is go do internships. All these companies are offering internships. Some are paid, some are unpaid, but it’s whatever they are, it’s still better because you’re getting a hands on experience. And if you got that certification already, then you actually applying the theory to that practical lab and it really enhances your learning skills because you’ve now read it, read about it, yes, you got the answer right, but you’re actually now doing it and you’re getting your hands dirty. So personally I learn more by actually doing it than just reading a book or, you know, reading something online. So that’s just me. But I think it needs a mix of both. And also find a career because cybersecurity is a big word. Cybersecurity is a big industry. You really need to find what, which stream of cybersecurity you want to go. You want to go towards offensive or defensive or pen testing or GRC. Find that sort of pathway within the cybersecurity and try that for at least two, three years. If it doesn’t work out, you can always switch. But at least if you’re doing one pen testing, for example, certificate here, one GRC certificate here, all over the place, then you’re going to get too many things, you’re going to get confused and you get too many things in your plate. So try to find a niche and stick to it. At least. I will say give it at least two, three years before you decide to move. If you like it, sure.

[00:18:56] Chaahat: So how did you yourself decide what your niche was? Because I know that you’re very right in saying there’s so many domains and that was one of the main reason I was doing the podcast, because there’s so many domains and I want to know everything a bit about everything. Because when we apply for normal roles like junior analyst, it doesn’t particularly say something like, oh, this is going to be, your interview is going to be focused on cloud security or GRC. It’s kind of a mix of all of those things. And today the entry level roles that we see on LinkedIn or any other stuff. It’s like more than a hundred people, they just click apply in less than four hours. And the entry level, so it raises the bar. Basically it’s not entry level anymore. If we have a lot of competition, then they want someone who’s more experienced. So how do we get that experience? And how did you decide what was your like niche? Where did you want to get into the cyberspace?

[00:19:44] Rohit: That’s a good question. And I can see why people get confused and they’re struggling to get a job. There’s no one simple answer or there’s no what right or wrong answer. So it’s we going come back to my scenario. How I managed to find that niche is because I’ve been doing a lot of infrastructure work, actual hands on implementation, end user computing, firewall, rack and stack, all of that. So all of that sort of related for me to go to defensive side of security. And that’s how I found my niche because I knew everything that’s happening in the server. I knew about the firewalls, I knew about the data center or any infrastructure itself. So I started doing that lot of it first. And then when the cybersecurity really became a big thing then now, okay, this is my environment, this is my crown jewel. How do I protect it from getting hacked or getting attacked? So I specialize in defensive first and now I’m going slightly on a little bit of GRC as well because I’ve been doing for so many years now I’m looking at GRC, ISO certification, Essential Eight. We specialize in Essential Eight for last eight years. And we didn’t go too much into the offensive side of things like pen testing and all that. We didn’t go into that because we said if we go into that, that’s a whole lot of another skill set that we need to learn and all that. So we sort of stayed away from it purely because we that’s not our key skill set, key core competency. But we need to know, we need to know at least the basics. So after 20 years at Citi as an architect, you need to know a bit of everything. It’s so be it to be able to advise and a consultant on a particular project or technology. But all of that 20 years experience will help you now. So it helps us. Now coming back to your question about the job on LinkedIn and all that, look, yes, it is very challenging and it is getting high competition because all this news in the media, they’re talking about cybersecurity.
People are getting a lot of money and then everyone’s all of a sudden interested in cybersecurity. Right. They want a piece of the pie. But you really have to find, you have to provide something more than the other candidates. What else you’re doing more that will differentiate you from that 400 candidates. And even employers are now they know there’s a lot of talent in the market. So what they’re doing is they’re also putting two or three roles together to come up with a one role title, job title and hoping they will find a unicorn that knows everything you know. So yeah, it’s no right or wrong answer. You just have to find your different stand out from the crowd basically.

[00:22:12] Chaahat: Those are some great insights. And also you mentioned something about internships and how doing internships they help you stand out because they give you hands on experience and companies want to have someone who does have experience. So you are a founder of Solution Tech and you’ve worked with interns and grown talent. So what is Solution Tech about?

[00:22:30] Rohit: Yeah, so SolutionTech, we started as an MSP called Managed Service provider, looking after IT for small medium businesses. And now we’re also doing government as well. So we started with doing a lot of the traditional managed service and then we specialize in cyber where we putting cyber component on top of it, mostly defensive cybersecurity. Now being in Canberra we also got into government so we started doing a lot of Essential Eight implementation, a lot of cybersecurity uplift, cloud migration, cloud security. So we’re doing for federal government as well as private sector. So we’ve got 50, actually 80 to about 90% is private sector and about 10% we’re doing for federal government at the moment. And we also offer internship as well. So in fact actually I stopped hiring people from Seek or LinkedIn or anywhere place like that. We actually go put out internship opportunities twice a year. When we get candidates, we actually select the candidates like an interview process for the internship. They come in, they do 12 week internship and if they are good, they learn. We both like each other and we see the value. We then hire them through that internship process as a full time staff.

[00:23:36] Chaahat: So you said that you do the internship rounds once or twice a year. What time generally around the year do you pursue your internship?

[00:23:42] Rohit: So we usually do it from February and July.

[00:23:45] Chaahat: That would be great to know for all my fellow graduates. And while you are hiring those early professionals, what are the gaps that you see within like what could be improved in all the graduates and if you want them to have one, must have skill. For the students in 2025, what would that be?

[00:24:02] Rohit: Look, everyone’s focusing on technical skill, which is great, but I think there’s a lot more to technical skill as well in cyber. So cyber is all about shared responsibility.

So the other skill you need to develop is soft skill and stakeholder engagement. Because in cyber you will get disagreement, you will get in a meeting where people won’t agree with your thoughts or your proposal or your code or pricing or whatever. So you need to work with the stakeholders to show them maybe a couple of different options or work with them, listen to their problem.

Because every time as a cyber expert, we want everything top end, greatest product to secure them. Our intention is great, good behind that. But when you’re talking to a board members or senior managers, they’re looking from the financial side as well and they’re looking from the risk side of things. If X happened, can we take that risk or can we mitigate that risk by doing something else? So we were going, okay, no, you got to be Essential Eight, you have to be maturity level 2. But they were like, oh no, we don’t have a budget or we, our data is not as, as confidential, as secure or as private as some medical sector, for example. They might be in a transport, for example, or something very low end. Where cybersecurity guys, you know, they don’t think cyber as their top priority. So that’s why coming back to the skills that you need is soft skills, stakeholder and vendor management as well, because you will get every single vendor trying to approach you and trying to sell their product. So you need to really do the analysis and work out which product fits that particular customer’s requirement better.

So those, those other skills are very important other than on top of the actual technical skill.

[00:25:45] Chaahat: So that is a very interesting point that you mentioned. So financial side of a business and the cyber side, they both need to go hand in hand because you need to convince someone that house security is the priority nowadays. So how does it do, how do you actually do that? Is it more of a research on your end and then presenting sort of a presentation to the company? Was there any particular story or a challenge that you faced while you were doing sort of like pitching to a company? Can you share us a little bit more about it?

[00:26:12] Rohit: Yeah, sure. So I’ll go to a mostly a small business scenario where most people can actually relate to. So we’ve been selling cybersecurity, we’ve been telling all our customers and whoever will listen, that you need XYZ cybersecurity, you need to be actually maturity level one or two. And to do that, yes, there’s a cost involved. There is depending on how big the environment is. Cost really depends on that. What sort of how many users, how many computers and servers and all that. But the business owner will always come back to the financial side. He will only go straight to the page where it says pricing. He’ll go straight to that point. We will start from the page one saying, explaining this requirement, the solution and everything and then come to the price. But that owner will go straight to that price point and then he’ll work his way up from that price point. Page from down to up saying, let’s say for example, it’s $20,000 quote, for example. He will look at it as a, okay, first thing, do I have a budget? And second, what risk am I mitigating? What’s my risk if I don’t do this, what can go wrong? And if something goes wrong, can I recover? And how quickly can I recover? He’s looking from that point of view and we having this conversation pretty much every day we’re trying to say, look, you have to have it, you have to have it. But they’re saying, oh no, we don’t, we don’t think that’s not a priority. So they don’t spend money and then something happens, the cyber incident happens and all of a sudden they find the money and then things get implemented pretty quick. But then it’s already too late because they already had that incident and you had to spend all that money. So it’s better to spend that 20,000 to save their business interruption, which would have cost them 50, 60 or more thousand dollars. It’s always a battle. And that’s why that, that engagement, working with them really works. That skill is a niche skill.

[00:27:59] Chaahat: So we need to have like a, a skill that can show the company what are the trade offs versus like what are you gonna, what are you thinking versus what you’re actually gonna get in a long term on a long term basis. So it’s not about the short term and paying for it, it’s about getting in a long term. And what are your thoughts on cyber insurance? You see a lot of companies going into that.

[00:28:21] Rohit: Yes. So that’s coming back to my next point. For the same example, same customer, we proposed a quote. They didn’t decide, no, it’s too expensive, they don’t have a need and all that. And then they reached out to, they tried to get a cyber insurance because cyber insurance actually cyber insurance is becoming a one of the requirement from a lot of the tenders and a lot of the work that coming out that you must have cyber insurance because the company, if somebody wants to give you a tender to do a piece of work, they want to make sure you’re compliant, you got all the right certification and skillset plus you have cyber insurance just in case something goes wrong. So that is getting very, very important in the market at the moment. We working with a lot of cyber insurance companies as well. Cyber insurance company have these cyber questionnaires. So if you go and apply for cyber insurance, they will send you a cyber questionnaire where you have to say do you have MFA, do you have backup, do you have recovery? All of those. And if you say no to all of those then they will either they refuse to give you the insurance or your premium will be very high. So then it’s a balance you have to find should you implement it and get your lower cyber insurance and get a cyber insurance to begin with so that you can apply for those tenders or work or opportunities. So it is getting, we can see that it’s getting very popular at the moment. Cyber insurance.

[00:29:39] Chaahat: Yep. Even NGOs these days, they do have a cyber insurance which was quite surprising to me and I was like cyber insurance is in the market.

[00:29:48] Rohit: Yeah. And there’s other part to that as well is the government has put out the rule now. So if you’re a business owner, if you’re the director, you’re personally liable for your incident and there’s a reporting elements to it as well. If something incident does happen, you have to report to ASD, you have to report to a certain agency regarding those incidents.

So insurance really helps in that component as well to give you some safeguard and safety net as well.

[00:30:16] Chaahat: So coming back on to AI, how do you think AI is shaping the industry, specifically the cyber industry these days? And what could like graduates focus on looking at AI.

[00:30:28] Rohit: So AI is every conversation. There’s AI now. There is not a single conversation I’ve been to in cyber which AI has not been mentioned.

AI is a double edged sword. Double edged sword where there are good things that we can actually even we are using some of the AI components to help us optimize and automate and also in a cyberspace where we can actually sort through those logs and events within our SOC. But it’s also becoming there’s the evil ChatGPT and there’s the evil twin of WormGPT.

And I also heard today there was a spam GPT.

So now those are actually getting out of hand where anyone with the, you know, basic IT knowledge skills can go in or doesn’t even have to have a IT skill. They just need to know what prompt to put in and they can actually generate a virus or a spam email or something malicious. They can come up with that. So yes, we are using to fight those but it’s like AI fighting AI. We really have to be on our toes because every day there’s new thing coming out.

So that skill is good. So prompt engineer is another skill that all the new graduates and you know, they should be looking at really focus on prompt engineering because ChatGPT you can, it’s good as what your prompt is. If your prompt is good, it’ll give you better answers and a lot more detailed research and in depth answers that you’re looking for. So that, that is another skill set that we also looking for. You know, saying who can actually do better prompts.

[00:32:00] Chaahat: That is very good point that you mentioned. The prompt is in and I think with the companies adopting AI these days, they want to have someone on their team who can get the same thing done even by using AI, but in a shorter amount of time. Because at the end of the day it comes down to how much work you can get done in less of a time. So having a good prompt is what a graduate should be looking after. But do you think that AI driven cloud defense that will redefine the role for the junior analysts?

[00:32:28] Rohit: It already is, already is. So look at the older job ads. They’re always mentioning AI engineer or prompt engineer or AI analysts and all that. It’s happening quite a bit in the US. It’s already started. Obviously Australia is slightly behind but it’s coming and it’s happening already. We know it’s already happening. A lot of AI tools, it helps you. As I said, we are using it to automate a lot of things. And from a business point of view, when I look at it, I’m also looking for AI employee, actual AI employee, not a physical employer. Because from when I put a business hat on, it makes more sense for me to buy a AI product subscription if that can replace one of the staff, for example. And this is already happening. Microsoft said we investing I think 80 billions or something in AI and they put out the target that they’re going to reduce the workforce by I think 50,000 or something. It’s Microsoft just announced. So it’s already started. It’s already happening. A big, big end of the town. If you don’t do it, you’re going to be left behind. You won’t be comp. If you don’t do it, you won’t be competitive in the market anymore. Because whoever’s doing it first, they’re lowering the operation cost.

[00:33:38] Chaahat: And it is quite scary to think because we are sort of in a phase where AI has not completely taken over, it’s just in the process of taking over. And now is the time to get that sort of mindset shift.

So what do you think the students, like me, for example, can do to update themselves on AI or. Because cyber is one thing. Yes. But AI is shaping it as well. So how do we stay in touch with both of these things?

[00:34:03] Rohit: Okay, so let me go back to my point. I don’t, I don’t mean to scare people saying you’re going to all lose your jobs. With AI, it’s not nothing like that. Look, there is a bit of that as well, but it’s like going back to the industrial revolution when that happened. Right. When the industry, all the technology changes, a lot of people lost their job. But it also created new industries as well along with it. That’s exactly what’s happening with AI as well. So, yes, a lot of people are going to lose their job. Which are more repetitive tasks that easy AI which can be resolved or which can be done by a simple prompt, that role definitely will go. But then also these AI products are coming around. So AI engineering, prompt engineering. If you are a software developer, for example. Yes. Now you don’t have to spend writing codes, 10 hours writing a code. You can actually put a prompt. It’ll write the code for you, and then you have to then proofread that code to make sure the code is right. There’s no bugs, there’s no backdoors and all that. So instead of focusing on or I’m not, I’m losing my job. No, you need to work on those skills to how to proofread or validate somebody else’s code. Become that. So that’s one skill. The second skill is obviously the prompt engineering. Learn the prompt engineering. Because there’s so much into it, even I’m learning every day and start thinking from 10 years down the track from a long term, let’s say if AI comes in, what are the things? What are the things that AI can’t do? I mean, it can do most of the things, but the soft skills will always be there. Right. You still need to go and talk to a customer or someone face to face AI can’t do that. Yes, you can create an avatar and put it on the website or on a phone or app, something like that, but people still prefer face to face social interaction, those sort of things. This is just an example.
There are a lot of other things that you can do to think from a 10 year point of view, what things AI won’t be able to do or what the missing link will be. Because whatever AI produce, somebody has to be physically there to validate that answer or that response to make sure that is the right before you publish it.

[00:36:05] Chaahat: I think that is quite correct. A human element is always needed no matter what. So if you were starting your career in let’s say 2025, how would you prepare for the future in cloud security specifically and where do you see cloud security heading in the next five years and what does that mean for today’s graduates?

[00:36:24] Rohit: That is actually very interesting question. Even I’ve been thinking about that one as well.

So first thing I would say is follow the big provider keep and subscribe to their news or you know, their website or their channels or whatever to see what are they doing. Because whatever happens in the cloud space will be these big guys will do it first. Right? Because they already starting investing. So follow find what if there’s a pattern if they’re all following one sort of stream or one particular product. ChatGPT was for first example. OpenAI was all these big Microsoft, AWS, Google see what they’re doing. So just subscribe to the newsletter and see what they’re missing, what they’re missing. So that could be your opportunity to go and build a separate product for example that they’re missing and then you can sell it to them or you can create a whole new industry that will actually, you know, work for you with those cloud providers. So if that that adding a human element or you’re adding some another piece of technology or it could be any something else.

[00:37:30] Chaahat: So coming back how you moved from India to Australia and do you notice any difference in how cloud security careers are built here versus overseas? And do you think international students can actually leverage cloud security as a strong entry point?

[00:37:45] Rohit: To be honest, I don’t think there’s much of a difference. It’s the same because even in India and Australia, the US, everywhere they’re using the same big vendors. The only differentiator is the price factor. So it’s India light might be the cheaper same product will be cheaper software licensing and the labor cost. But they all following now a baseline. So ISO for example is the standard across international. Indian government also started really heavy, gone heavy on cybersecurity and they, I’m not sure they have something similar to Essential Eight, but I’m assuming there will be something similar or equivalent to Essential Eight. But we talk to a lot of the graduates and also Indian companies, they reach out to us to they want to partner and we find out what their capabilities and their statements and they’re very similar, so very similar than what we’re doing here. Yes, there’s few bits and pieces are different but I think majority overall is the same.

So education wise I think it’s the mainstream universities might be a little cheaper but the vendor side of things are exactly the same because all the vendors are going to India as well and they’re coming here and working together. So yeah, I think it’s very similar.

[00:38:54] Chaahat: And do you think that there is any entry point role in cloud security or do we have to climb our way up to the cloud security roles?

[00:39:02] Rohit: That’s the interesting one. So that would say you have to climb to it purely because a lot of the things that in the clouds you need to know the fundamentals, you need to know the basics, you need to know the networking, how the networking works, how the firewall works and all that before you go in the cloud because cloud is nothing but somebody else’s computer sitting in the data center, right? That’s all it is. But how is exposing to the Internet which via the port, via the firewall, what the IP address from the DNS and all that. You still need to know the basic requirement. So the networking skills are still important in cloud because if the service is running in the cloud, it’s gone down or something happened, you still need to log on, you still need to troubleshoot, you still need to know that basic troubleshooting skills to be able to get it back up and reverse engineer most time to see why it happened, what happened and all that. I don’t see entry level cloud jobs just yet, but maybe in the future they will be because when Azure came out with all the networking, they virtualized the whole networking stack, right?

And then people are questioning do I still need the CCNA certificate, do I still need to know all that physical side of things, Cisco routers and all that. And I was like well you still need to know the basic, even though you never may not never work on that Cisco skill or CCNA, but you still need to know what a VLAN is, what a routing is, what an IP address is and all that.

[00:40:25] Chaahat: So with multi cloud strategies on the rise, so how do professionals sort of balance the breadth versus the depth? Being good at AWS, Azure, GCP versus specializing in just one.

[00:40:38] Rohit: That, that is a career question actually. And I, I actually went the Azure route most of my, you know, skills and I ended up working for Microsoft and since then sort of became biased to Microsoft because I worked there. Now that’s my skillset was but it’s not no harm in specializing if you specialize. I would say give at least five years in that field in that release skillset and once you come back after five years you will notice a lot of things are very, very similar. So they just name different. They’re exactly the same thing in AWS. In Azure they just call it. In Microsoft they call it Storage. In Amazon they call it storage bucket or S3 bucket. But the concept is the same. But at least you specialize in one then it gives you more, you look more credible and more attractive for that particular customer who’s only using Microsoft for example. But then once you have a bit of an experience you can transition to AWS or Google for example because you know how things work. Know the basic. It’s just the terminology and the definitions are slightly different, that’s all.

[00:41:45] Chaahat: I think that’s a very valid point. So looking at the breaches and the misconfigurations, what’s the most underestimated risk in cloud security today?

[00:41:54] Rohit: Underestimated risk. Okay so that’s a tricky one because you, when we look at the risk it is you have to look at everything from a top to bottom level to see if it’s a high risk, critical risk and all that. I would say network going back to my networking point and the basic fundamentals.

So if you know those things you will you can find out where that coming from at least a good, fairly good idea which way you need to go and investigate more rather than if somebody’s, let’s say if somebody passwords got hacked or something, you’re not going to go down straight to the server. You first start with the authentication problem, look at the MFA and the password sort of thing. So it’ll give you rather than everywhere. It’ll give you a certain point to start with and then you work your way through it sort of thing. So I think it’s critical mind the critical thinking is very important. That’s one of the underrated skill.

[00:42:45] Chaahat: And we see zero trust is everywhere, especially prominent in cloud having the least privilege and verifying explicitly having all those MFA and stuff. How realistic is it? So do companies actually adopt zero Trust do they all have the role based access control or are there still some loopholes in the companies?

[00:43:03] Rohit: So zero trust is a framework. Is a, it’s a framework, it’s not a technology on its own. So when you say zero trust it’s the concept, it’s the framework that you follow. So never trust, always verify. Right. So those, those are getting really popular now and that is the 2025 actually started from 2022 or three I think but now we are looking at that as a first. So we look at that every time we designing an architecture or planning something we look at zero trust. We put that security in mind whenever we design. So zero trust always at the front of mind and it’s a valid reason why.

[00:43:39] Chaahat: And for the companies that are already sort of they have their systems established, are they adopting that as well or is it very hard for them to now transform to zero trust framework?

[00:43:50] Rohit: It is harder for some organization. It depends how big is. If it’s a federal agency it takes them longer. But yeah definitely everyone’s thinking about it, everyone’s planning for it. If it’s a small agency it’s a lot easier to do because we can move around a lot quicker. The bigger you are, the longer it takes but it’s definitely in front of mind everyone now.

[00:44:11] Chaahat: So that’s pretty basically what I wanted you to ask you now it’s time for some rapid fire questions.

So if I have to ask you: AWS, Azure or GCP, your go-to cloud?

[00:44:22] Rohit: Personally for me it’s Azure but I would say mix.

[00:44:26] Chaahat: And one of the most underrated tool or skill in cloud security?

[00:44:29] Rohit: Critical thinking, soft skill. Critical thinking and analytics skill. Need to be able to analyze.

[00:44:34] Chaahat: And one book every grad should read?

[00:44:37] Rohit: From a graduate point of view the Blue Ocean. Blue Ocean will actually became very old book but it’s actually very relevant now because of the AI and everything. So this is what I was saying think what you can do is different. Have a look at Blue Ocean strategy of Blue Ocean I think it’s called Blue Ocean Strategy. And if you want to look at from the business side of things Emit have a look at Emit.

[00:45:00] Chaahat: Thank you for that one. And is that book behind you India to Australia. Is that the one that you are the author of?

[00:45:06] Rohit: Yes, that’s my book. Yes, correct. So that’s my journey. That’s my story of my journey from 20 plus 22 years. I documented everything for mostly for my kids and for international students actually. So they became. I didn’t, I didn’t write specifically for international students, but it actually became very popular among international students because I documented my 20 year journey from day one.

[00:45:29] Chaahat: And how can we find that book of yours? Is it through like Amazon?

[00:45:32] Rohit: Yes, it’s on Amazon. Just look for India to Australia and you’ll find it on Amazon. It’s on Kindle as well. It’s a hard copy as well.

[00:45:39] Chaahat: I’m definitely getting on to that one. And coffee or tea? So during late night cloud projects, what’s your preference?

[00:45:45] Rohit: I was on heavy coffee drinker but now I’m on tea.

[00:45:47] Chaahat: And if you weren’t in Cyber, what career would you choose?

[00:45:50] Rohit: I would have gone full time in the defense and the reason I’m in reserve is because I couldn’t get into defense when I came. So I joined when I could get in. I was too late because I was already established in IT and cyber and all that and I wanted to do so Reserve was a better option for me. So I went reserve route. But yeah, I would have been full time otherwise.

[00:46:09] Chaahat: That’s all from my side. Thank you so much today, Rohit. Those were some valuable insights and I think listeners would be quite happy to hear all of that.

[00:46:17] Rohit: Pleasure to have me. Thank you. Thanks for your time.

[00:46:22] Chaahat: Thank you for tuning into this episode of Destination Cyber Season 2.

[00:46:26] Rohit: Knowledge is a gift, but its true value is in how you use it.

[00:46:30] Chaahat: Whoa, where did you come from?

[00:46:32] Rohit: Just dropping by to remind everyone. Learning is great, but doing is even better.

[00:46:37] Chaahat: Timely advice.

[00:46:39] Chaahat: If today’s episode left you with questions or sparked new ideas, please feel free to connect with me on LinkedIn. And don’t forget to follow the podcast so you’re always ready for the next stop on our cyber journey. This is Chaahat signing off. Until we re encrypt another conversation on Destination Cyber Season 2.
