
Hey, good morning everyone. There's way too many of you over here. You will not hurt my feelings if you stand up and go to any of the other talks, because they're all going to be better. But I really appreciate you being here. Thank you very much. So, I'm Chris Honda. Extra points if you call me Kunda. That is, I guess, the proper pronunciation, but you know, we're in America. It's Honda, so we're good. I am visiting you from Utah, but this is also my fourth year being here, and this is a fantastic community. So, I mean, thank you for having me out here. If you're not from here, I hope that you also feel how great this community is and that you can continue to come back. Are you guys hearing me? Okay. >> Okay. Gotcha. My hearing is terrible, so it wouldn't help either way. Thank you for the confirmation.

So, this is a fun talk for me, because historically I've given talks based on what I'm doing. And while this is still the case for this particular presentation, this is one of the ones where, as a person, as a human being, I feel strong feelings for this. So I appreciate you coming here. One of my rules that I usually write down, and I failed to do so this time, is that I appreciate and feel that your thoughts are going to be much more impactful than anything that I have to say or could put on the slide. So if you have questions, if you have an opinion that you'd like to share, I'd really, really like you to wave me down, because my eyes are terrible. Give a shout. And I don't want to hear your thoughts. I do want to hear your thoughts. Okay. And also, you're going to see a bunch of QR codes. Not a bunch, a few QR codes. None of them are malware. Like we've been posting up throughout the facilities. I'm just not that clever. So, this one is for feedback on here. Please be honest. I know my presentations aren't the most attractive, nor are my presentation skills. So please, I want to get better, and you telling me how I could do better is going to be really helpful.

This is the first security hire survival guide. I am currently in my second round, and I'm in the thick of figuring out how to do it. I thought I could do it before, and that the playbook would be the same, and it's not. Standard disclaimer, right? I'm not really going to say anything that controversial, or any hot takes as far as I know. I should have silenced Slack. That's my bad. Rookie mistake. If you do anything and you want to call me out for it, please make sure that it's a good thing. Make good choices. Talk to lawyers. These are my opinions. Nothing to do with my employer. I'm on my own dime and my own time.

So, this is where it gets fun. A non-standard disclaimer. This is not technical. This is also where I expect like 20% of you to just get up and leave, because this isn't a technical talk. I'm just not the technical guy, but I do think about a lot of the human problems, the psychological things in between the keyboard and our brain, those things that are going on. So, if you're expecting something different, I'm just giving you the opportunity now. Otherwise, we're going to be talking about the people stuff, the human stuff. A lot of the things I'm going to say are hopefully going to be somewhat obvious, but I think that a lot of times we miss things because we don't say the obvious things. So again, it won't hurt my feelings, but I like putting things out in plain, simple, unmistakable terms that are easy to understand. And also, I want to give this presentation because I know that, the way the job market is, there's a good chance that people are going to be the first security hire. You just need to go and do the things. And I'm cheering for you. So, if nothing else gets taken away from this, I want to support you and be a sounding board, and when you have the hard days, I'm more than happy to hop on a call or a LinkedIn message or whatever and listen to you complain, because I've done that to a lot of people recently and I'd love to do that for you, too.

So, about me. Not much interesting. Even less interesting when it's put down to a couple of bullet points. At my last company, I started as a software engineer. I was really bad at that. So they had me do compliance, and then they had me do security. And I did that for a long time. I'm doing that again at my
current company, Plotly, who is doing a lot of really cool stuff, and I'm finding that it's just as hard the second time. Doing new things is hard. Who would have thought? And in the very, very few spare moments where I'm not grinding away behind the keyboard, bad habit of mine, I am a dance dad. My daughter's doing competitive dance. Normally I'd have you say hi, but this isn't being streamed, so that's just fine. All my extra spare time right now is spent chauffeuring, cheering, being supportive dad, and I love that. Also, if I didn't have to work, I'd be talking tomato plants. The farming in me skipped a couple of generations. My immigrant great-grandparents were farmers. Now I want to bring it back.

All right. Just diving into it, right? I think most of us have worked on a team. Very few of us have worked as the first security person. This is kind of how I feel, and even within the security ecosystem I feel this way, right? A lot of folks like to wait until the problem is big, and then we get the shout-out. And it makes sense, right? A lot of what we do in security is invisible unless things go wrong, and it's really frustrating. This is kind of how it feels if you've never been the first and only for an extended period of time. You're doing as much as you can. The fires just keep getting bigger. So, if you've felt this way, I really hope that you understand and feel that I sympathize with you, and that it's hard, and sometimes that's all we can say while we continue to push forward and try and do a little better, make it a little bit easier.

There is a period of survival. Just want to call that out again before we dive into how we survive this, how we make better of this. You've got to just make sure that you're getting through one day at a time. Eventually, we do get to a point, though, where, you know what, we're going to come out of it, right? The only time where things just won't get better is when we quit. So, that's what I want to really cover: look, these are survival tactics. I meant it when I said this is a survival guide. But hopefully, by doing some of these things, we get into a better position where things get better, not just for us, but for the people that we work with as well.

Community is important. It's not this kind of community. I don't know if there are any community fans, but I mean, who can skip a good meme? I try and communicate almost primarily through memes. You're going to be disappointed this time, so I'm sorry, but I couldn't skip this one. When I think of community, oddly enough, this local BSides is one of the ones that I think of, right? People here are really encouraging, really supportive. They love sharing and teaching and giving generally good positive criticism. And that's what makes us better, right? Listening to Ava's conversation, right? We make things better by caring, by doing, by struggling, and by supporting each other. And that's one of the things that I think is absolutely critical to getting through and eventually getting to a good point when you're the first hire, when you're the first security person.

So, I mean, please read. I'm just going to ramble the thoughts, but I mean, there's just too much to do there. There's too much to do, and we're good at a lot of things, but we can't be good at everything. So my encouragement for you is really, I mean, you're going to hit the roadblocks, and then it's really essential. It's not a nicety. I thought it was a nicety for a little while, but I found it to be essential that when you get into those positions where you know there's just too much going on, and you don't know what the most important thing is, and you're getting shut down for the tenth time that day because there's this big huge thing and no one's going to let you do anything about it, it's nice to go to people that can sympathize and tell you, okay, this is a terrible situation, it's bad. Also, this is what you can do about it, right? Having both the validation and the suggestions and the support. And it's really cathartic to be able to speak with someone that's been there. So, that's why I said I want to be your cheerleader. I'm in the thick of it right now. And if you're ever in that position, I want to do that for you, too. But I've yet to meet someone that has been in that position where I
said, "Hey, look, like this is the situation I'm in. I'm tough. Can you listen to me? Just whine and complain, or give me some feedback on this." And I've never had anyone say no. So, it's a tough situation, and we get better through it together.

So I have a differentiation between communities, right? So when we talk about the BSides community or the OWASP community, ISACA, ISC2, those are communities, and lots of great examples, great places, right? And you go to events like these to get connected and get the initial connections. And this is where something I didn't think about before. So over on the right side, you've got the SLCSO, Salt Lake CISO forum, just security leaders out in the area where I'm at. You don't have to be a CISO. A lot of the time you don't have to want to be a CISO, and I'll tell you, I don't want to be a CISO. I don't want the liability. I generally like anonymity, which I feel is contradictory to me being up here in the first place anyway. But here we are. I'm just weird and a goober like that. But again, this is a situation where, you know what, it can only help to be in a room or be connected to people that have felt and done the things that you have felt and are doing. And it's the same thing with like the CISA society, that they're organizations where they are committed to helping you feel and be supported. And like I was saying, right, there's a difference between being part of a community and the community, but then also building your own community. I mean, you could call it networking, but I think we're all sick to death of hearing "networking" in the non-technical sense. So that's why I'm not going to call it networking. Go make friends is one way that I put it. Go talk to people, tell them what you're working on, and chances are really good they'll say, "Yeah, I've been there." Or, "Yeah, I've experienced some of that." And that's how you build a community that's meant for you and understands you and is willing and prepared to support you. So, that's my thoughts on community.

And when I talk about partnership, right, this isn't like, hey, go and find great other companies to work with, right? That's how we usually think about it, right? Especially at these events. Well, when I mean partner, this is where it's tough, because you have to be more giving of yourself. This is where sometimes you have to get out of the security mindset, right? Like you are the security person, you're the compliance person. A lot of what I think is, well, a lot of what I think is not so much how we handle our job, but it's how we handle what the business needs. And like I was saying before, there's just too much to do. I mean, how many of us actually only work 40 hours a week, right? Like nobody. So, it's going to get to the point where you can only do so many things. And I mean, we're going to talk about prioritization as well. Not really much of a spoiler, I feel like. Like I said, obviously, duh. But there's only so much that we can do. And it's important that we focus on the most important things, which is what the business needs. And I'm not a corporate shill. I'm not saying, "Oh, well, the business is asking us to do this, so we do it." But if we do certain things because we want to protect the business, but it's not what the business needs, then we're going to get really frustrated, because there's not going to be any buy-in, no support, no one's going to want to work with us, because we're doing this, in their eyes, very pointless project.

So, like I said, memes. I'm making my own now. I repeat a lot of things in my conference presentations. One of them being what businesses care about, which is money, right? Surprises everybody. Nobody, right? Right. This is a Honda classic. Again, I know this isn't my idea or my concept. And I know it's really obvious, but businesses care about making money. They care about keeping money, and they want to pay us as little as possible to do it, but as we show the value, we get more to help us do what we want to do. And that's really important, right? I don't know if any of you have ever had a budget issue, a budget discussion where you just keep getting turned down for stuff. Probably because the business doesn't think it's important. And that's something that we can address. And a lot of that is done
through partnership. So, for example, how many of you have worked on, goodness gracious, what's the term, AppSec, right? Any vulnerability management stuff? Hopefully some of you, right? A couple of you, right? How frustrating is it to hear, hey, the devs want to address some of these things, but also they're worried about velocity, right? A lot of those terms get thrown out, right? So, what we do to address that is, well, of course, there's going to be security implications there, right? We're managing vulnerabilities. What we do with that isn't saying, "Oh, well, this is how we're going to secure it." It's: this is going to make developers' lives easier. Instead of them having to triage and hunt down a bunch of stuff, we just say, "We'll build this out for you, and it's going to take 40% less time. Code is more secure. It gets shipped even faster. Everyone's happy." Right? So, that's what I mean by partnership. It's pointing out obvious problems, not so much in the context of how we feel is important, although that is important, but it's framing it and putting it in a way, with the words and the presentations to the right people, that this is how it's going to be good for the business.

And again, nerd moment. I spend a lot of time doing everything but security. I work finance and sales and all the other things that I'm really bad at, which is why I'm not doing those and I'm doing security, which I'm also not great at. But I'll tell you, there's something magical to sitting in meetings with your co-workers. I don't know what it is. I don't know if it just gives this feeling of, like, team. I think that's part of it. But also it shows, I think, that we care enough to be part of the solution and not just waiting for someone to tap us and say, "Hey, we found that this is the problem. Go figure out an answer for it." Right? The more that you sit in these conversations to say, "Hey, I have thoughts on this. I've experienced that. This is how I've addressed this in the past," or other ideas, it helps. So again, not a corporate shill, but I'll tell you there's something magical to sitting in meetings, having conversations, sharing ideas, and being a solution maker instead of just pointing out problems.

This is an area that I'm really, really bad at. I mean, like I said, I made the joke of, like, none of us ever work 40 hours a week, right? It's probably nudging up closer to 60, 80. I see a couple of founder friends in here. I know that y'all are laughing, like, sleep, what is that? Right? But it's really important to know what the most important things are. And the way that we do that is saying, this is what I'm going to work on. Right? You've got to say no to a lot of things. I'm still bad at that. Hence the hypocrisy meter going off the charts. Sometimes you just have to say, this is unreasonable. I can't do this in a reasonable amount of time, or with my current setup, with my current tool stack, with the current load of priorities. It is okay to say no. And no is a complete sentence. I'll also say, from a business context, it's really, really helpful to say no. Because, right, so for example, I'll give you a live example. We went through the ISO trifecta, so we did security, privacy, and AI. I did that twice last year. Don't recommend it. Pretty awful experience as a human being. But I'll tell you, it's doable to do that with no foundation if you grind through. It'll also burn you out. One way that I wish I would have looked back and addressed it and said: yes, I can do that; no, I cannot do it this calendar year. There's just not enough in place, right? So that's where, I mean, and I'm going to address it in just a second, but there are ways to say no without saying no, right? As soon as people say no, right, there's something that switches in our brain, flips in our mind, where, you know what, it puts up people's defenses. And that's where we have to again take that more human approach of, okay, how are we going to solve this problem? Not, I'm not willing to do this, I'm not going to do this, but: these are some of the issues, this is how I plan and propose to solve this problem. And right, there are going to be easy wins. A lot of times it's something that people have been begging for for a long time, like just a simple white paper or a one-page policy, something to help the sales process, right? Because everything comes back to money. Anything to help people make
money faster is going to make really quick friends and is great for us. But sometimes there are going to be other, more difficult things, like getting people to do things that they should be doing and aren't, right? And let's get away from things like security awareness training. This is a conversation that I've been having right now as well. It's like, oh well, we've got to do the manual training. Look, let's talk about how we're going to do it. I'm not saying let's not do it, but let's take a path of lesser resistance, because there's just too much other stuff going on. We have to do the really high impact, high value things. If we only have a couple of people doing a ton of things, do the most important things. You do the other things when you have the bandwidth. And a lot of times, right, instead of saying no, you say, yes, we can do this if. It isn't quite as ideal. But if you say, yes, if we can meet these other conditions, we come into really good situations, or better situations, because we're not putting people on their defenses by saying, no, I can't do this, this is unreasonable. Right? Which is, I think, the gut reaction, right? If someone says, "Hey, you've got to go stand up a really robust compliance program. You have eight months, and by the way, there's nothing in place," you're going to feel defensive, and that's reasonable. Instead of, I think, starting that spiral by saying, "No, this is unreasonable," it's like, "Yes, we can do this if this is the only thing I'm working on for the rest of the calendar year." Or, "Yes, if we can hire another two people in the next two months," or, "Yes, if I can put off a lot of our security operations onto our IT team, our DevOps, our engineers." Right? There are solutions. And that's, I think, one of the cores of what I'm putting out, is look, when you're the first security person, know that a lot of people don't know how to work with a security team, and you have to teach them that, right? There's a culture that comes with that, and a lot of that comes with very slow, arduous, intentional development of: this is how we do things, because it's good for everyone, not just good for me. Right? Security isn't meant to be, hey, let's be good because it's good for security. It's: this is going to be good for the business for many, many reasons. And it's not something that can be forced. I should have had an aside on that. My goodness.

But I have a bad habit of adding to slides very late. I present to you, in the last 24 hours, my shower thoughts, which I still think are highly relevant to the topic, and just things that I wish I'd thought about before. So if you're a team of one, it happens, right? I mean, you've got to start somewhere. It's very rare that you're going to get hired on with a CISO and a full AppSec team and a couple of SOC analysts and a GRC team, right? No. Who has money for that? That's going to get to that point without that, right? Chances are you're going to be the first one. I would highly encourage you, if you're ever in a position where you might be hired as the first one, that you have some clear expectations and discussions around: if I'm going to be the only person, how long will I be the only person? And I had a light conversation. I'd be happy to talk about this more out in the hallways, probably better since it's going to be on the internet. But something that I wish I had done was, I started this role under the assumption that I was going to build out a team, with the key word being assumption. I mean, it was part of the discussion, but nothing was ever finalized. And now I'm having a different experience than what I was expecting. Right? This is where we go between expectations and the communication that fixes that into a shared understanding and agreement. Right? Reality will always change, right? Budget requirements, business needs will always change. So, right, you have to be flexible with that. But if you just kind of go in thinking that, oh well, I'm going to be the first guy, the first gal, I'm going to be the first CISO or head of, and then I'm going to have the budget immediately to go fill out whatever I want, you might be sorely disappointed. And it's a lot better to have that conversation before than after.

Burnout's a real thing. I wish I could tell you how to deal with it. Like I said, I'm in the thick of
it. I don't say that for sympathy, but it's a real danger. And I think the way to handle this, like I said, this is an open question. I don't know how to deal with this, but I would encourage you to take care of yourself, hence all the "please say no." Protect your time. Protect your boundaries, because it takes a lot more time and effort to get out of it than it does to get into it. And once you get to the point where you're dealing with that, you're a lot less effective, and it's a steep spiral. So take care of yourself. You're worth taking care of.

And I think this is the last extra shower thought that I had. But there are, I think, different firsts, right? So when I was the first security person at Wistic, at my last company, a small company, like 20, 25 people, I was not a good software engineer, which is why they let me take this, so I'd stop building bugs. And it grew very much from a builder, we-don't-know-what-we're-doing place. I didn't either. They said, "We need you to do SOC 2." I said, "Great. What does that mean?" And I figured it out. We figured it out as a team, as a company. And we built around that and built a reasonably robust and scalable program from there. At my current company, at Plotly, they've been around for like 12, 13, 14 years. I should know off the top of my head, but I don't. Sorry. Sorry, Ben. I love you. But Plotly's been around for a long time, and they've never had a security person, which is why I refer to the culture of building, just because the company is robust and experienced and mature. A lot of people have been around 10-plus years in my company, which is wild, but they've never worked with a security person before, and that takes on a different approach and communication style and requirements for the business. So it's important to think about, when you're stepping into these roles, what's going to be required of me? How much culture am I going to have to build or instill or adopt, right? You have to be flexible in your thinking. And I think that's something really worth thinking about. Again, when you're looking at these opportunities, be aware of what's going to go into that. Questions? I think no. Okay.

I was going to say, another Honda classic, right? I mean, there's going to be way more to do than you're really going to have time to do. And I love referring back to this. I call it the Jurassic Park rule. Someone else, I'm sure, came up with that before, but there's always going to be a lot to do. Pick the most important things and ask yourself why, like three times at least. Because if you can't answer why you're doing something, if it's not the most important thing, you probably need to reconsider, re-prioritize, and give good reasoning and support and planning and coordination with other people that you're working with, because, you know what? You have two hands. Hopefully, you're not going to work yourself into the ground. And that's going to take some planning and preparation. "This is why this is falling apart," right? I've had that conversation recently. "If there's a lot that's not getting done, this is why: it's not the most critical. I want to do this, this is going to be good for us, but we have other, more pressing things," is a line that you may find yourself saying. So ask yourself, why are we doing this? Because if you can't answer why, it probably isn't that important.

Now, questions. Yes, now it's questions. So I'm going to go to this just so you have the QR. Like I said, it's not malware, but I'd love to have your questions and your thoughts. Like I said, this is a tough situation to be in, and I know some of you have been in it, and many more of you are looking into it. It's really, really fun, and I hope that, however it turns out, you'll think of me, and I'd love to be your cheerleader, be a friend, be as supportive as I can, and that you also can take from this: you can do it. It takes a change in thinking, right? You don't have a team to tell you this is what we're going to do, but you can do it. I believe in you. Thank you for coming. Please enjoy BSides. This is such a great event, and I hope to see you in the hallway. Thank you everyone.