Theos Cybernova

Theos Cybernova Ep. 3 - Craig Johnson: Cracking the Code to Cyber Talent and Recruitment

Theos CyberNova Season 1 Episode 3

How do you find the right cybersecurity talent in a competitive and evolving market? In this insightful episode of Theos Cybernova, host Paul Jackson chats with Craig Johnson, founder of Root 5 Consulting and one of the most respected recruiters in the cybersecurity industry.

Craig shares his journey from Singapore to the UK and dives deep into the art of hiring for cybersecurity. From the complexities of the Asia-Pacific talent market to the challenges of finding the right balance between skill, culture, and leadership, Craig provides a masterclass in recruitment strategies. They also discuss the rise of external experts in the hiring process, how to nurture emerging talent, and the impact of evolving regulations on the industry.

Whether you’re an aspiring cybersecurity professional, a hiring manager, or just curious about what it takes to build a world-class team, this episode offers practical insights and candid advice from one of the best in the business.

About Craig Johnson:

Craig Johnson
Founder and Managing Partner, Root 5 Consulting

Craig Johnson is the founder and managing partner of Root 5 Consulting, a strategic executive search firm specializing in the cybersecurity ecosystem. With over a decade of global experience in cybersecurity leadership recruitment, Craig has successfully placed more than 250 candidates into roles across the USA, EMEA, LATAM, and APAC. His clients range from startups to Fortune 500 companies, reflecting his expertise in aligning top talent with diverse organizational needs.

Production Credits:

Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio

Wherever you are in the world, hello and welcome to Theos Cybernova Podcasts. Before we begin, I've got a quick favor to ask from you. There's one simple way that you could support our show, and that's by hitting the follow or subscribe buttons on the app that you're listening to the show on right now.

It makes a huge difference in helping to get the show out there to as many people as possible. So please, please give us a hand and click that button now. Thank you very much.

The Theos Cybernova podcast hosted by Paul Jackson. So here we are with the second episode of Theos Cybernova podcast. I'm Paul Jackson and each week we are digging into the latest trends, challenges, innovations that are shaping the cyber security landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, and technologists.

So whether you're a professional in the field or simply curious about staying safe in the digital age, we hope that Theos Cybernova will offer up valuable knowledge and actionable insights for everyone. So here we go, and today's guest is Craig Johnson, the best cyber recruiter on the planet. Is that a correct way to describe you, Craig? 

Well, I've heard you say it a few times, but it doesn't often come from other people, Paul, so, yeah, maybe, in your opinion, which is, is a good opinion, but, yeah, I'm trying my best. I'm not, I'm not sure I am the best, but I'll, I'll always try my best. Great. Well, look, let's start by just, you know, getting to know you a little bit, or the audience to get to know you a little bit.

And the first question I'm going to ask you though is why the hell did you leave sunny Singapore to go and move to, where is it, Middlesbrough? Middlesbrough. Well, not quite Middlesbrough. I don't think anybody would ever leave Singapore for Middlesbrough. I'm, I'm, I'm in North Yorkshire, so I'm not too far from there.

But yeah, good question. I mean, you know, we, we spent a long time in Singapore. We were there, you know, near on a decade. My wife and I are from around here. We've, we've sort of moved back home. And we left together and we, you know, we spent a bit of time in Manchester and then, you know, you know, over to Singapore.

So we've been away for about 15 years. We didn't necessarily plan on coming back. We knew we wanted to leave Singapore, but we had, we had other things in mind. But you know, as life often does, you know, the things didn't really go to plan. So we, we sort of ended up back here by default, but in actual fact, it's been great, to be honest with you. I mean, you know, we're now living in the countryside and there's, you know, there's no traffic.

There's no, not many people. There's more, probably more sheep and cows than there is people. So it's, it's been quite a nice change. Well, you do quite a good job of selling it, but not enough to make me want to move back, I'm afraid, but tell us a little bit about Root 5 Consulting, 'cause I know you've worked within larger recruitment companies.

You've got, you've been in house, of course, as an in-house recruiter and also now an independent recruiter. What are, what are all the differences? I mean, yeah, tell us first of all, though, about Root 5 and how you came up with the name and what it's all about. Yeah. So, so Root 5 is, is, we're essentially a cyber security specialist recruitment firm.

So we, we operate across the entire cyber ecosystem. So whether that is, you know, vendors providing products and services, or, or end users who are looking to, you know, build CSOs and CSO teams and whatnot. So we're quite broad in our, in what we cover because cyber is quite a broad topic and there's lots of different functions that make up cybersecurity.

But we're hyper focused on the cyber industry and that's kind of all we'll, all we'll ever do. The name Root 5 is, yeah, an interesting one. It kind of comes from a bit of a sort of mathematical type theory, where it's all to do with the kind of square root of 5 and how that tracks towards a number called the Fibonacci sequence, which is kind of a, a sequence of numbers that you find in nature and things like that.

So, you know, you'll see, you know, the, the, the, the petals on a, on a, on a, on a flower will be typically account to a Fibonacci sequence or within leaves and things like that. So the, the square root of five is, is a number which the Fibonacci, the ratio between the leading two Fibonacci sequence numbers tracks towards in a mathematical sense.

So the concept is that you're working towards perfection. Right. So let me put you on the spot. I never quite get that. What is the square root of five? Oh God, I don't know what that is. It's something like 2.2 or something like that. So yeah, that's, yeah, something like that. But you also have external experts, you know, with working with your company on contracts and what is the rationale behind that?

Yeah, well, I think, you know, having spent a couple of years working internally when, you know, when I was at Kroll with, with, with yourself, Paul, you know, I kind of, for the first time in my career, I got exposure to, you know, competitors, essentially other companies out there doing recruiting in cyber. And look, I'm not commenting on every, everybody here, because there's some cracking recruiters out there, but the large majority of the industry didn't fully understand really what they were doing or what they were looking for and what cyber really was. And having worked in inside a cyber company and working very closely with cyber professionals, you know, my knowledge, I think, improved significantly in those couple of years about what I was actually doing, but there's always, there's always a limit to what I'm going to be able to do in terms of, you know, assessing a candidate.

You know, I can do my bit and I always imagine it like, you know, recruiting is like a funnel. The top of the funnel, you've got every possible candidate who could get that job. At the bottom of the funnel, you've got the candidate that gets the job and there's a whole bunch of processes that you go through.

I'm really good at the top of the funnel. You know, if a company comes to me and they want a certain candidate, I know who to go after. I know which companies to target. I might even know some candidates that I think would be good, and I can get a rough sense of how good they are, so I can bring them so far down that funnel, but then at some point they need an expert to look at.

They need someone who can, who's been in that position before, who's recruited for those people before, who's managed those types of people, who basically come from, you know, a technical background. So that's, that was a rationale around bringing in external contractors who can work with us on searches so I can bring the candidates so far down the funnel, then hand them off to an expert who will do a real thorough technical screening on them. So by the time the candidate hits the client, they, they've been validated far beyond what they would do if they just went through a recruitment agency. So that, that was the idea.

And I think it, yeah, it's, it's take, you know, we haven't done a huge amount of searches involving the external contractors, to be honest with you. We, it's something we're pushing quite a lot. And, you know, the clients that we've had who have gone through that process, they've got better results, they've spent less time, and they've, they've probably got better candidates.

So yeah, it's a new model, but I think, I think it's the right, the right way to go. Yeah. Nice. Nice. No, it kind of leads in nicely to, to my questions for you. And I've got some real thorny questions around the complexities of hiring when companies get it right, when they get it wrong, as we've seen and how the best approach is.

So let me, let me start off by just talking a little bit about Asia. 'Cause I know obviously you, you, you've primarily focused on Asia until your recent move back to the UK. And we've seen some interesting changes out there, haven't we? I mean, you know, with, with Kroll and Talos withdrawing from the, the APAC cyber, cyber consulting market, question for you, what does it take for a consulting firm to succeed out in Asia because, you know, there's been so many withdrawals.

Yeah. And I, I don't think it's just consulting, you know, it's, it's across the board, I think. Asia's complex, as you know, you know that there's a, it's, it's complex from a cultural perspective, but it's also complex from a, you know, market maturities, you know, you've got Singapore and Hong Kong that are, you know, very mature markets, you know, they're as modern as anywhere in the world from an infrastructure perspective.

I think the talent is strong in both of those markets, but they're both small markets, you know, they're very, very small. So you've, you know, when you're building a business in Asia, you've got to take into account all of Asia. If you want to grow a significant business, so you've got to start recruiting people in Malaysia and the Philippines, and then all different nuances come into play in terms of, you know, the, the maturity of the market, the culture and everything like that.

And so I think companies don't often take all of that into consideration when they look at it, they look at it as a, as a region and they look at it as an opportunity as a region, but then they don't maybe think about what are all the different nuances within it that are going to make us successful. I think long term against short term thinking as well is, is a big challenge we see.

I think in reality you're probably going to lose money for a few years in, in Asia if you, if you're launching a business. And you know the way companies work these days, they often want results fast and you can't always get them in Asia, which is a bit of a problem. I think rate as well, I hear, is, it's quite a challenge because I think Asia is maybe, compared to other markets, maybe a bit more price conscious, which means that it's hard to kind of get, you know, be competitive. And it's hard to develop talent, you know, it's hard to do because you've got to develop talent in, you know, it takes time to develop talent. You've got to have a program in place, you've got to have support, you know, and, and companies often just don't have that appetite for long term thinking.

And I think that's the, the overarching problem. So, yeah, I mean, you've, you've nailed it there. And my experience has been exactly that, of course, and what we're trying to do at Theos is built on a, on a practitioner or expert base in lower cost locations so that we can afford to be competitive. We can pass on those savings.

But here's a question for you. I mean, is the talent really there in some of these low cost centers? Is it as good as it, you know, as it needs to be for the market? Do you think, you know, 'cause you've obviously looked at the, the talent available in some of the lower cost centers in Asia? Yeah. I mean, I would say most of the time, no, to be honest.

I think it's, there's definitely pockets, you know, like when we were building out the, the SOC, for example, at Kroll in the Philippines, you know, which was a pretty sophisticated MDR solution. And, you know, the, the type of analysts that we were looking for were not your typical SOC analysts, you know, they were more aligned with, you know, proper incident responders.

So in, in that sense, it can become very, very difficult. If you're comparing the region with the US or you're comparing it with certain parts of Europe, then you're always going to be underwhelmed, you know, and that's not to say that, that's nothing against anybody personally within those markets, but it's just, it's just a maturity of the market, you know, like having been back in the UK now, I mean, there's 60 million people here.

You know, there's 5 million people in Singapore, for example, you know, so the size of the markets are completely different, the maturity of the markets are completely different. So you're always going to struggle, but I think the important thing is to not compare it with other areas and try and look at what the potential is and what you need to do as an organization to get that potential where you need them.

Yeah, definitely. And I do agree with you about the pockets because we've obviously at Theos, we found pockets, steep pockets actually of talent. So, you know, that we've been able to mine here in the Philippines predominantly. And it's a matter of maturing and mentoring those folks, I think, and getting them to, you know, to world class standards and when they've got the thirst and the passion.

Yeah. It's not that hard to do, but it's finding those people with the thirst and the passion to, because it's hard yards, a lot of hard yards to learn this business. But you know, on that sort of note, I mean, is education system to blame perhaps? I mean, in Asia, you know, this is quite famous for academic brilliance, but in terms of rote learning and memorizing rather than lateral thinking, do you think that's possibly one of the hindrances?

Yeah, well, you hear that a lot, don't you? I mean, that's one of the common things you hear, you know, particularly in Singapore that, you know, kids are incredibly academic. Sometimes, you know, the, the people say that, you know, they won't get that well rounded, that critical thinking type approach. And it's, it's an interesting one because it's like, where does that come from?

You know, it's often cited that it comes from adversity. So, you know, you look at people who come from, through adversity, what make their way to a certain level in their career, they've, you know, they've had to think their way through and they've had to overcome problems, but people will often say, you know, Singapore doesn't have any problems, you know, and you can grow up there and you don't, you don't experience any issues, any hardship, you know, life is, it's fairly straightforward, but I don't think that's always the case.

And particularly if you go beyond Singapore into the Philippines and Malaysia, Thailand, you know, these are, you know, tough places to grow up, and tough places to kind of make it. I don't know whether it's the education system, what, you know, what it, what it is where you struggle to get those critical thinking kind of skills that people often say is lacking in Asia.

But I think sometimes that, you know, a lot of people are a victim of taking that kind of Western mindset and applying it to, to Asia and saying, well, you know, we don't, we're not finding this specific type of skill set. And that would be an abundance in, if we were recruiting in the US, for example, and sometimes I think that's a bit of a mistake within itself.

You know, you spend your whole time focusing on something that's not there rather than saying, well, let's pivot our business and let's think about different delivery models or maybe the problem is us. You know, maybe we're not asking the right questions and not, not looking in the right places maybe. Yeah, because I think the talent's there.

You know, that was the sort of lower end, if I should really call it the lower end, but the working level to, to find it. Oh, sorry, I talked over you a bit there. Sorry, at a working level. Okay, that's fine. But what about at the senior level? So what we're seeing, and you know, we've seen it happen recently in our industry, is that CEOs are struggling to hire the right leaders in cyber.

Why is that process failing and what could they be doing better? Yeah, I think there's a few aspects of this. And I think one of the reasons why we, we brought in the external advisor model is to kind of help with this. You know, we, we, we recruited a head of information security for a tech company recently.

There were a couple of hundred people, had no internal security before, and this was their first security hire reporting into a CEO and a CTO, none of them having a security background, you know, so we were able to help them because we brought a technical advisor in who could actually help them find what they wanted.

So I think there's an element of that where people just don't really know what they need. I think ego comes into play quite a bit as well, because in reality, a CEO, if they're going to hire a CSO and have them report into them, they're probably going to hear, you know, you can't do this and you can't do that more often than they would like.

And so I think to hire the right CISO, to give that CSO the kind of the runway that they need to do a proper job, ego needs to be put aside and the CEO needs to be prepared to, to have some tough conversations. Mm-hmm. It's a little bit like, you know, have you ever seen the show Billions? Yes. Yes.

So, you know, you remember the Spyros character, right? Yes. The, the head of compliance, he's like the ex-SEC investigator who kind of goes internally and he's their head of compliance and he's constantly telling them you can't do this, you can't do that, you know, and he's hated in the office because of it.

Now I'm not saying that all, you know, that you should hate your security guys, but I'm saying that, you know, you need to hire people that are going to have tough conversations. And I think there's maybe a bit of, a bit of that is often not in play when, when, when, when CEOs are making these hires because they don't want to be told they can't do this and they can't.

They want yes men. Yeah. Interesting. So, but you know, when we talk about hiring, what's the right balance to be taken when you're hiring in cyber? Because I'm guilty myself of doing this, right? I've hired people that I know and I trust, rather than going through, say, yourself or a, you know, a formal recruitment process, because I know they're good at their job and I trust them to do the job.

So it's kind of an easy, an easy fit. But to what extent should we be doing that without going through an open recruitment process? Where do you draw the line on that? Yeah, it's a funny one because you know, you kind of go into this world of DEI a little bit, right? It's like, you know, you, we haven't, we haven't gave everybody the right opportunity because we haven't run a recruitment process. I can, I can understand that to a degree, but also my advice, you know, if you know someone, if you know what you need to achieve with this hire and you know someone and you trust them, and you don't need to go through the rigmarole of a recruitment process and spending money on advertising and, and what, just get it done, in my opinion, make the hire, make it happen. But maybe sometimes, you know, it, it pays to kind of run a proper process and maybe get some, some comparison, comparisons in place as well, because I think sometimes when people hire people that they're comfortable with, it might be more because they're comfortable with them and not because they're the right person for the job. So I think you've got to, you've got to ask yourself, right?

What, what do I need this person to do? And your recruitment process should always work back from the business objectives, right? We want a, double revenue in the next five years or whatever, you know. So who, who do I need around me to get that done? Right? And it, you know, you might say, look, yeah, well, I've got someone who worked with me in the past and they did this, but were they really someone who drove significant revenue, you know, maybe they were, did to a degree, but maybe they didn't do it at the level that I now want them to do it.

And I think the easiest thing would be to, well, let's get them involved because I've worked with them in the past and, you know, we work well together and we'll figure it out ourselves. But sometimes, you know, you maybe need to say, well, actually maybe they weren't the right person for what I need now, and maybe I'll give them an opportunity to interview, but they're going to interview alongside other people in the market and we're going to run a process that is designed specifically to draw out that, that skill set that we're looking for.

So I think it all always pulls back to what, what, what the business goal is and what you're trying to achieve from the hire. Yeah, no, this is great advice. It's good advice for me because I continue to grow the team here at Theos because obviously I don't want to just be bringing in people just because I know and trust that they can do a good job, but I do feel like there, there is a balance to be struck because you know, you, you've got people who you know are good and to your point that can drive revenues, that could drive customer success, et cetera.

But from then on, once you've got that foundation, I think from then on, it should be an open recruitment process, you know, for further hires. Once you've got that, you know, the leadership bench that you trust and you're, you're comfortable with. Is that fair? Yeah. Yeah, definitely. Definitely. It's, you know, if you, if you always recruit people that you know, you're going to run out.

You're going to run out fairly quickly. And, and I think also what, what, what can be a challenge is when you're recruiting people that you know, you know, you, you, you're almost on a bit of a back foot sometimes because they, when they get that cut, like if I got a call from someone now that, that I'd work with in the past.

And like, you know, Craig, I want you to come on board and, you know, we've got something here that we need you to help with, you know, my mind would initially think of, right, what's the bigger picture opportunity going to look like for me, you know, what, what, what's this move going to look like for me? And sometimes you can't always deliver that for somebody.

So when you're hiring mates and old colleagues, I think they sometimes come in with a bit of a, I'm, you know, this. They might think more, I'm not quite sure what I'm trying to articulate here, but I think they, they probably come in with an expectation level. Right. I, I guess is what I'm trying to say, which sometimes is not always the case.

Good, good, great advice there. So let's, let's take it back a little bit and, and, and, and start talking about how you go about your job. How do you find the best talents? I mean, they're so rare out there, aren't they? How do you actually find them? Yeah, it's, it's, it's, I think time recruiting in a market helps, you know, when you, I've been recruiting in cyber now for about 10 years, so that, that helps, because over time you get to know who's good and who's not.

But it, it, it is hard because, you know, I'm speaking to new people every day, you know, probably on average 10 new people per week will kind of come into my network. So, and all of them are selling themselves, you know, they're all, you're having a call with them and they're all telling you all the great things that they've done in their career.

And it's very easy as a recruiter to just believe it all and take it as face value and then try and sell those people to your client, but more often than not, people are not in that top tier. They're not in that elite level and it's hard to kind of find out who's who. I think in time you get to know what a good incident responder looks like or what a good pen tester looks like and, you know, what the right questions are to ask to kind of get that information out from them. But I think also over time you start to connect dots as well. Also, that person works for that person, well, I know that person really well, so I'm going to give them a call and just see what they think of this person.

You know, those kind of discreet reference checks I think help to try and determine who is top and who isn't. And I often ask people as well, you know, if I ask, if I'm recruiting for a client, they will probably know who's good in their market. They will know who their dream person is, you know, in the same way as, you know, a football manager knows which striker they'd like to have, right, in reality whether they can get that striker with a different, a different question, but they know, they usually know who's good in their market.

So I think asking the question, who is really good? Who you've, who've you worked with in the past that you thought they're a superstar, they're going places and making a bit of a mental note of those people is a way, but it's, it's time in a market above anything. There's lots of different nuances to find the right talent, but you've got to commit long term as a recruiter, I think.

Right. Well, you know, I don't want to inflate your ego, but there's nobody better asking those questions than you in my experience, but yeah, that's, you know, you, you, you're absolutely right with your points there. So let's, let's switch up a little bit and, and talk about new entrants to the cyber market because obviously I'm a quite high profile out here in Asia and I get asked a lot, how do I, how do I break into this?

I've done this, you know, a university degree, I've done X, Y, Z, but nobody will hire me because I don't have any experience. And it's kind of a chicken and egg situation, isn't it? And you know, what's your advice for a, for a new starter in the cyber field? Yeah, it can be really hard, because you know, you hear, and frustrating as well, because you know, you hear all the time that there's a skill shortage in cyber, you know, we're missing 10 million people and all this sort of stuff.

So people go and they'll get a degree in cyber security or they'll do a master's or maybe do a couple of certs and then they can't get a job and they're thinking, well, you know, all that bullshit about the lack of people, I'm ready to go and I can't get a job. So I think right place and right time is, is, is a big thing.

You know, I think you've got to network, you've got to, and one thing about the cyber community, it's very open to networking, you know. You know, there's, there's, I was having a conversation about this on New Year's Eve with, with a friend who's in a, he's in biotech, from a completely different, but we were talking about communities and we talked, I was specifically talking about the cyber community and how open it is and how, you know, there's certain, you know, for example, like the Cape product, right.

It's like an open source tool. Right. That is for the good of the industry. You know, where that tool could be commercialized and then, you know, some people could make a lot of money out of that, but they don't because it's the right thing for the industry. So I think the cyber community is very open and it's very willing to kind of bring people in and give them an opportunity.

So I always advise people to network and don't be afraid to connect with somebody and ask them some questions about what they're doing. You know, how, how to get in and do you have any advice for me, and because those questions lead to opportunities, people like that. People like people to be on the front foot and to put themselves out there. But I think from a kind of technical perspective, one good thing that, that I hear people being advised, that, that I've had people being advised to do before, which seems to work, is to build a home lab. You know, if you want to be a blue teamer or you want to be a red teamer, you know, go buy some old equipment and build a lab at home and, and, and, and, and start running some simulations and start figuring out what, what it might be like to work in a SOC or work in a pen testing team and, and, and get some, some real world experience in them and then publish your work, get your work out there, even though it might be, you know, not cutting edge or it might not be, you know, anything game changing, but, but it's going to show people that you're really trying to get that experience because certs is one thing, but getting hands on with stuff is another thing. And you can't exactly go out there and start hacking systems in the real world and saying, look how good I am.

I've just hacked into your system. 'Cause you might get into a bit of trouble, but you can build a lab at home and you can start working on that type of stuff. And I think that, that goes a long way. It definitely does. And whenever I ask questions of, excuse me, potential candidates, I always ask them the same questions.

What's, what have you built at home? What systems do you have at home? Which, which blogs do you go and read? We, you know, whose research, whose books have you read? You know, just to show, demonstrate that they have a passion beyond being spoon fed in whatever course or wherever, whatever program they have attended.

But on the subject of courses and certs, which ones do work best though, in your experience, which one gain folks the most traction? Yeah. So I, I, I think it depends on what area you're, you're, you're in. I think if you, you know, if you wanna be a CISO or you're going in a, a, a general sort of, you know, head of security type role or, CISSP is probably right, the, the, the way to go.

It's hard to do, I mean, there's a bit of controversy about it. Some people think it's a waste of time, other people don't. I, I actually started to, my, my study, CISSP, because I thought it might be a bit of a differentiator for me as a recruiter to have a CISSP. So I'm, I've got some experience with it and it.

One thing that I felt from the CISSP was it's so vast, you know, there's so many different topics in there. If somebody has got their CISSP, you know, they've got some grit and some determination and commitment, which is a big aspect of being a security leader. So even if the content is maybe not to everybody's taste, at least it shows that somebody is really committed to their career, to kind of go and do that in their spare time. So I think CISSP is very good for a kind of broader security leadership type person. If you're going into the blue team space, I think SANS are probably the best certs to get, GCFE, GCFA. They've got some good offensive certs as well, like GXPN and GWEB and things like that, which are really, really good, but SANS are very expensive, very expensive, probably eight and nine thousand dollars, you know, per, per course, but, you know, if people can find the money they should do those courses because they, firstly, they show commitment.

Secondly, the content of the courses is fantastic. And thirdly, they will get a bit of a network doing those types of courses, because usually it's people being sent by their organizations and they're usually quite experienced. So you'll get a bit of a network from that. On the offensive side, it's usually CREST and OSCP, I think, are the better ones.

OSCP, I think if somebody's got that, then usually they're a fairly capable pen tester. I think that shows. But yeah, so there's a few in there, but I think blue side you want to be SANS, and then on the red side you want to be OSCP or CREST.

Got it, got it.

So, looking forward, last question really, on cyber anyway. Looking forward, are you optimistic about the cyber recruitment or cyber security industry in Asia? Obviously I'm here in Asia. So specifically about Asia, bearing in mind that, you know, we're seeing a bit of a shift in the laws and regulations across the region, there's new laws coming in everywhere. Hong Kong, where I am, you know, there's a new critical infrastructure security, cyber security law coming into place. Is this going to be driving firms, do you think, to find better talent or increase their staffing on cyber security, or do you think it won't make a difference?

Yeah, you know, you would hope so. You know, I launched Route Five in December 2023.

So we just literally turned a year old about a month ago. And at the time it was around when the SEC launched their new regulations around filing 8-K rulings, you know, when you've had a material cyber breach and that type of stuff. And we looked at that and, you know, I thought, well, that's going to have a knock-on effect everywhere, you know, because it's a major change in the regulations.

There's been loads of stuff in Europe as well, with these DORA regulations and all this sort of stuff. It's not just happening in Asia, it's happening everywhere. But so far, from what I've seen, it hasn't really resulted in, "Oh, we better get some people in to get our heads around this new regulation."

Right.

The general theme, certainly in 2024, was do more with less. You know, we've seen a lot of security leaders being let go to be replaced by younger, cheaper talent. I don't think that will persist for 2025, because we're already seeing an increase in DFIR cases around the world. I think that is more likely to drive recruitment than the regulations are, because, you know, regulations are not maybe as in your face as what the ransomware is. So I think that's going to drive recruitment a bit more than what the regulations do. 'Cause historically, I've just not seen big recruitment drives come off the back of regulatory changes.

You know, I think people see regulations and they're like, "Oh, well, you know, yeah, we'll look at that. You know, someone will take a look at it," but they don't necessarily think recruit. Whereas I think if they get hit, they're under the cosh, then I think recruitment will come. So I do think this year is going to be much better than it has been the last couple of years.

Okay, do you think this will also drive work towards high quality consulting firms like Theos Cyber?

100%. Because one thing about, to be fair, going back to the regulations, where I think it will have an effect, which I guess is a bit of a talent play, is that the trend in regulations over the years seems to have gone down the food chain, in the sense that, you know, the top organizations, the banks, the health care companies, they've kind of always been under the spotlight.

And because of that, they've got big sophisticated systems in place. You know that from your time at JP Morgan. I mean, you guys have massive budgets, huge teams, you know, you could do whatever you wanted, really. Now, more and more smaller companies are under the spotlight as well, you know, when you look at critical infrastructure. Critical infrastructure is now not just the first tier of the infrastructure, it's suppliers into the critical infrastructure, and that could be anything from, you know, a company, someone like me, you know, if I'm recruiting for a big bank, you know, and maybe my system is connected to their system, applicant tracking system, you know, am I now under the spotlight?

So do I need help from a company like a Theos? Probably, you know, and I think that's the way it's going to go. So I think it's the SME space. It's the companies that have not had to think about cyber anymore, where the regulations are now impacting them, where they're going to have two choices.

Do we build an internal security team, which is hard and competitive and expensive and not guaranteed to be successful? Or do we go to a company like a Theos, where we can outsource it and get them to run it? And so I think that's going to be a big trend moving forward. I think companies offering MDR, DFIR type solutions are going to be big winners moving forward.

Well, certainly hope so. And I certainly hope that you'll be around to help us, you know, staff up should we need that. So, hopefully.

Yeah.

All right. A couple of last questions away from cyber. You know I'm a music fan, don't you, Craig? And I've got to ask this: what are you listening to these days?

Do you know what, I went through a period of time where I was a massive music fan as a kid, I think like most people are, then, you know, was off it for quite a long time. And then moving back home sort of reignited the passion a little bit. My little boy has just started playing the guitar and we bought him a piano for his birthday the other day, and he's now playing that.

So your neighbors must love you.

Yeah. Yeah, they do. They're over the moon. And it's sort of reignited the passion a little bit. And so, yeah, I've started to listen to some of the stuff that I listened to years ago, and I'm a big fan of what I would call proper rock and roll, like The Stones and Hendrix and Deep Purple and The Kinks and Creedence Clearwater and all that sort of stuff that I've been listening to a lot recently.

Brilliant, brilliant. And lastly, at time of recording anyway, it's just moved into 2025. What's your New Year's resolution?

You know, I never really do resolutions, because I'm a big believer in, like, balance, you know, and don't cut stuff out. Just, you know, don't quit drinking, just maybe go to the gym and balance it out a little bit.

You know, I think people are constantly trying to look for ways of, you know, drastic improvement. But really it's just kind of small improvements to make. But one thing that I've wanted to do for a long time: we live quite close to an airfield, about 20 minutes away, and you see people flying over the top of the house all the time and learning how to fly in these little airplanes.

So I'm hoping to start that this year. I've always wanted to fly, so I'm hoping to start learning to fly this year.

Brilliant. Well, don't crash, 'cause we need you. All right, great. Thanks very much. That was cyber recruiter extraordinaire, Craig Johnson. And what a great conversation that was. Thank you very much.

So Theos Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy D'Monte. The executive producers were myself and Ian Carless. And this podcast is a co-production between Theos Cyber and W4 Podcast Studio.

The Theos Cybernova Podcast. 
