Podcast Transcript

Introduction:
You're listening to the RSA Conference Podcast, where the world talks security.


Kacy Zurkus:
Hello listeners, and welcome to this installment of our RSAC 365 podcast series, thank you for tuning in. I'm your host, Kacy Zurkus, content strategist with RSA Conference. And today I am joined by Paul Vann, who wears many hats but is currently a senior at the University of Virginia. We'll be talking with Paul about his depth of experience in cyber security thus far and all that he hopes to continue to do as he grows. Before we get started, I want to remind our listeners that here at RSAC we host podcasts twice a month and I encourage you to subscribe, rate, and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now I'd like to ask Paul to take a moment to introduce himself before we dive into today's discussion.


Paul Vann:
Hi everyone. I'm Paul Vann and I'm currently a senior at the University of Virginia, studying computer science. As Kacy said, I've been interested in the cybersecurity field since I was around 12 or 13, working in many different roles including threat intelligence, pen testing, and even some development roles.


Kacy Zurkus:
Listeners, I discovered Paul when I was listening to a podcast called Hacker Kid featuring a then 14 year old young boy Paul Vann, and as a mother of a nine and 11 year old girl, I found him so inspirational. So I invited him to join me for this podcast as we are on the cusp of celebrating cybersecurity awareness month. And I thought about ways that we can reflect on their theme of See Yourself in Cyber. And so Paul, I would love it if you could share with our listeners how you ended up featured on a podcast at such a young age, and at the same time founding Vann Tech Cyber Solutions. What got you started?


Paul Vann:
Yeah, definitely. I guess the best way to start out with that is to start from the beginning. My father is someone who's been a part of the cyber security industry for a little while, and when I was around 12 or 13, I started getting pretty interested in software development. Just started learning HTML, Python on some coding classes online. And then I wanted to look for an application of that and something that I could really apply that knowledge to and apply those skills to. And like I said, since my dad was in cybersecurity, I figured that might be something really cool to apply that too. And I thought it was also something that I would be really interested in. And so I started out there and after learning Python for a little bit, I wanted to try and experiment with a project maybe.
So I started out, I built a fake NSA login portal and created a honey pot with it, something that I learned about at a cybersecurity conference that my dad took me to. And I just was messing around with it, just seeing what I could do, seeing the kind of information and research I could gather with that. And I actually ended up applying to speak at DerbyCon down in Kentucky with that research project and was accepted. And it was probably one of the most, a pinnacle moment for me getting into cybersecurity as I was actually able to go share my research at such a young age with everyone who was already in the industry and probably a lot more experienced than I was at the time. And so that was something that really bolstered my confidence with entering the industry at a young age, as well as just propelling me to study and research more stuff that has to do with cybersecurity.
So I guess it all started out there. And then moving from there, I started working on projects like the cybersecurity of the United States Energy sector. And then again, moving on from there, I started speaking at a couple more conferences and decided I wanted to try maybe starting my own firm. And I will say I was 14 at the time, so did not have the best business outlook or business insight, but thought it would be a pretty cool way to learn more about cybersecurity and learn about that business aspect of it by starting my own.
And so I registered my own, I started talking to some contractors there, like penetration testing contractors, and started trying to figure out how to actually go about this business and ended up on that New America podcast actually. Was a crazy story, there was the Christian Science Monitor, a reporter reached out to me after I think just seeing... I forget what it was they saw, I think it was maybe a post I made on LinkedIn about my company. And she reached out and she was doing an article on 15 under 15 at the Christian Science Monitor. So it was 15 kids who were under the age of 15 doing something really cool in the cybersecurity industry. After that New America partnered with the Christian Science Monitor to have a couple of those kids come to do a podcast with them. And so I ended up going up to DC and speaking at the New America Cybersecurity Convention and ended up being on a podcast that same day as well.


Kacy Zurkus:
That's just incredible. And one thing that strikes me as I'm listening to you talk about all these different things that you were doing and projects that you were working on, is where did you learn these skills? So I would love to know what are some of the ways that you were able to develop and then hone these skills as a high school student? Were you taking these classes in school or how did you navigate your learning journey?


Paul Vann:
Yeah definitely. And I'll be honest, that's a question that I think a lot of people ask me all the time. They're always wondering where did all this information just come from? Especially since it's not something that's conventionally taught in school. So I actually started out when I was around, I think like I said 12. I started looking through Code Academy actually, it's a website. It was I guess founded around then, it's developed and grown a lot since then. But I just started looking at some coding tutorials. So I looked at Python and HTML were the two that I first started out with. And I liked HTML because it was a way you could design your own websites and stuff. But I liked Python a lot more because it was functional. It was a functional programming language that I could actually program different things with.
So I really delved into that one. And then as I just started thinking of projects, I would do more research on different aspects of Python. So if I wanted to build a web scraper for example, I would use the Python syntax I'd learned from these coding courses, and I would do research on what libraries are good for building a web scraper. And I guess as I worked on more and more projects, I became more and more fluent and better at those languages. The best way to say I got that knowledge is more a trial and error almost. So kind of going through and just learning the basics of it through a course or learning the basics through a book sometimes. And then really just delving into projects that were kind of above my head.
So I can even give an example when I was first starting out in Python, building a web scraper to build some web scraping bots to buy stuff online really quickly. And it was something that I was, I think 14 at the time, so I had no idea how those things even worked. But just knowing the syntax and having learned the syntax of Python from these coding courses, it was really easy to go through online and look up, okay, what library should I use to go scrape this website? Or what's the way I should go about this from other people? And then the more I saw those things and used those things, the easier it got to do those things and come to those conclusions on my own. Another thing too was also going to a lot of these conferences at the time. Around that time, I was going and speaking at a lot of these conferences, and one of the ways that I really liked to learn about a lot of these cybersecurity topics were sitting in on these conference talks.
So I know I mentioned that I built that honey pot, which I spoke about at DerbyCon. I actually learned about honey pots and found out what they actually were and how they worked from going to ShmooCon a couple months before. And that just really propelled a project idea for me. So I think it was a combination of factors, like I said, these coding courses, working on these projects. But one of the big things and one of the things that I think is not promoted enough to people who are young, are a lot of these cybersecurity conferences. Where there's also a lot of ability for people who are young to go for a lot cheaper or a lot easier than a lot of other people are able to go for. So definitely those conferences were a huge bolster there.


Kacy Zurkus:
That's fantastic. So I'm curious, you probably had a lot of options when it came to choosing a college. What was it about the program at the University of Virginia that won you over?


Paul Vann:
Well for one, UVA is one of the top public schools in the country right now for computer science and engineering. I actually didn't really realize that. I grew up an hour and 15 minutes away from Charlottesville and before I started applying to schools and everything, and before I was even decided where I wanted to apply, UVA was near the bottom of my list, if I'm going to be honest. Just because I had never even been out to Charlottesville. I had never really taken a look at their computer science program and had made the assumption that, again I didn't really realize that their computer science program was that good. But doing more research as I was applying to these schools, I saw a ton of statistics that UVA was just a really, really well renowned school for computer science, especially in its engineering program.
But what drew me more honestly is the cybersecurity courses and extracurriculars at UVA. Probably the biggest factor for me coming to UVA was the CCDC and CPTC teams here at UVA, which I joined my first year. I'm not a part of it this year, but I joined as my first year. And those teams compete nationally every year doing defensive and offensive cybersecurity. And the year before I came to UVA, UVA had won two or three years in a row at these conferences and apparently we're just a crazy team, really smart people. And I figured that would be a really, really cool way to learn and grow in these defensive and offensive fields that maybe I wasn't that good at at the time. There are also, I've looked at a lot of the coursework before I came here, there were also two really cool classes in cybersecurity, and now there's even more, which is really awesome.
And now they're doing a cybersecurity focus if you're a computer science major. But there was a really cool class that I saw called Defense Against the Dark Arts, which sounds pretty crazy, but I actually ended up taking it my junior year and I was really excited about it. And it was all about actually being able to manipulate assembly code to perform stack overflows and actually hack software at the assembly level. And so that was a really interesting class that I saw on there. And again, the cybersecurity teams were a huge draw for me as well.


Kacy Zurkus:
That's fantastic. And so in addition to being a full-time student, you are also a developer at Cyborg Security. Can you share with our listeners some of the work that you're doing there? I believe you said that you're working on a threat intelligence tool?


Paul Vann:
Yeah, definitely. So I've worked at Cyborg for a little bit now, as mainly a developer, but a developer in a cybersecurity type role. And so essentially what I've been working on there is a tool that's able to generate SIM content based on using article content and making it easier for our content team at Cyborg to produce SIM content for tools like Splunk and Elastic Search.
So what I focused on there has not just been development, this is probably one of the coolest things I've liked about this role. But at this role I've also learned a lot more about how to actually deploy a full tool on my own and actually write tests and set up all of the infrastructure needed to actually deploy a full cybersecurity tool, which has been a really valuable learning experience. Because not only is it a cool tool that I'm building and something that I think is going to help a lot of what we do at Cyborg, but another thing is that I'm really getting a lot of knowledge on how to actually deploy a full scale tool to production and actually produce not just code, but produce an actual tool that can be functional for other people. So working at Cyborg has been an awesome experience.


Kacy Zurkus:
That's great to hear. And so when you think about your professional development and your career path, where do you see yourself in five years, in 10 years? What's your goal in this industry?


Paul Vann:
That's a question I've asked myself a lot over the last year, especially coming into my senior year at UVA. I think I've bounced around a lot with where I want to end up. But in a general sense, I know I really want to be at the forefront of almost like the future of what we're doing in cybersecurity. There's a lot of new stuff coming out. Obviously there's quantum computers are huge, talk of the town right now. And a of couple years ago I did a little research on the impact that quantum computers are going to have on cybersecurity. I know one thing I'm really, really interested in is looking into the quantum encryption methods that are going to arise from quantum computers actually coming to fruition. And I'm really interested in blockchain security. Blockchain development, and blockchain security have been a huge topic I've been focusing on and researching recently.
And so, like I said, I'm not quite sure where I want to end up. I'm thinking about starting something on my own, maybe pursuing that. But I also really like working at the startup level, and that's something that I've enjoyed throughout all of my internships and all of my jobs as a student. And so really working in a startup type environment, whether that's a company that I'm running or a company that I'm working for. And something that's really operating at the forefront of cybersecurity, and the forefront of development, is really where I want to see myself in the next couple years. Especially leaving college and entering the workforce for real the first time.


Kacy Zurkus:
Well, I certainly do hope that you stay in touch with us at RSA Conference and maybe even have the opportunity to speak on our stage someday. Paul, thank you so much for joining us today. Listeners, thank you for tuning in. To learn more about solutions and products related to professional development and workforce development, we invite you to visit RSAconference.com/marketplace. Here you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels using the hashtag RSAC and be to RSAconference.com For new content posted year round.