
CG - The Technical Trap

BSides Las Vegas, 47:00, 43 views, published 2022-09
About this talk
CG - The Technical Trap - Josh Michaels, Lea Snyder Common Ground @ 14:00 - 14:55 BSidesLV 2022 - Lucky 13 - 08/10/2022
Transcript [en]

This is The Technical Trap, given by Josh and Lea. Just a few reminders: I would love it if you silence your cell phones. Secondly, if you have a question, please use the audience microphone that I am holding so that YouTube can hear you. And with that, let's get started. Please welcome Josh and Lea. [Applause] Well, hi everybody, welcome to The Technical Trap. As with every good meeting, we're going to have an agenda, so we'll go through some introductions, then we're going to go into the meat and potatoes for this, which is we want this to be very interactive, so, you know, everyone, we're gonna have a session of back-and-forth discussion.

Please don't hesitate: stand up, yell things, throw things (not at me), and let's have some fun with this. We're gonna go through some survey data and kind of something that inspired this discussion, and we'll talk about the technical trap and the impact of it. And really the goals for today: just awareness around the issue and discussion, and some strategies to handle it when you find yourself stuck in it. And whiskey. If there's not whiskey here, there should be soon. All right, awesome. So my name's Lea. By day I'm a principal security engineer, and what does that mean? I deal with super large, super complex, ambiguous things that other people have not solved,

specifically in security, different areas. By night I'm a conference organizer, so I am a BSides Seattle organizer. I also was helping out with the Diana Initiative, and I have my own conference, Layer 8, which is an OSINT and social engineering conference. I have stickers, so after we talk, if you're a sticker person, please come get some. We're virtual this year in October, so if anybody wants, you know, to join us, please do. Awesome. And real quick, so I'm Josh. I work as a senior director of security architecture and application security for one of the signing companies in the world you may know. By night, or for the next four days, I run the

security team here at DEF CON, so I spend a lot of time over there, so if you see me over there, please don't hesitate to stop and, you know, say hi. Why this talk? It spawned back probably in the May time period, where I was actually working with one of my peers and we were discussing reviews, and she was having a difficult moment where someone in another org had gone up and said, "Well, it's great, but your team's not technical." And this has been the fourth or fifth time they continue to hear that statement, and we started to just have the discussion, like, what the hell do we mean when we say technical? So

I did what everyone does on the internet: I posted it on LinkedIn and we did a survey. So we're going to go and talk through some of that. Before we get through all the survey data and that goodness, we want to know what you all think. So a little fun time: when someone is described as technical in cyber security, what skill or skills does that individual have? There's a couple of rules for this time period, because we only have, you know, 45 minutes: these are thoughts, not a debate, and keep your answer to a max of five words, so, you know, it's not the story of Crimea. Yep, please. I think that they have knowledge within

one of the domain spaces of the system. What's that? When you say what's technical security? I think they have knowledge within one of the domain spaces of the CISSP. Okay, domain knowledge, the CISSP. Hands-on keyboard.

Understanding of the technical stuff. Knowledge is thought. Understanding of the technology, the... what's that? Technology stuff. Okay.

They can script, they can patch systems, they can build systems, they understand network concepts. So scripts, they can patch, and what was the last one? Network knowledge. Okay.

Curiosity and willingness to learn. So what was that? Curiosity. Curiosity and willingness to learn. Oh, curiosity, and I can't spell. What else do you say? The word technical in cyber security, we've so far... oh.

Subject matter expert in a platform. Subject matter expert in a platform.

Okay.

Anything else? Any other skill sets y'all are... yeah. Trying to phrase this in five words: the ability to quickly learn, to at least an intermediate level, some single task. Quick learn new skills. Skill adoption. The ability to produce the right answer. The ability to be right, okay. I guess, like, in-the-weeds practical experience. So in-the-weeds practical experience, okay.

Okay, yeah, I'd say a troubleshooter. A troubleshooter.

Read and understand code. Read and understand code, like Enigma.

Okay, so like a packet-level understanding. Yeah.

Anything else? You're technical in cyber security, what skill do you have?

Being able to explain the mechanism through which the security control functions. Being able to explain... involved, complex... explain how a security control functions and operates. I think it's the fans; let me come this way. Sorry, what was it? Being able to explain how a security control operates. Security controls, aha. Being able to explain how a security control operates. Being able to talk to

engineers. Did he get it all right? And I heard talk to engineers. Can conduct a vulnerability assessment and/or the pen test and understand the results. Can conduct a vulnerability assessment. Can conduct... I'm going to separate those, but

conducts VAs, conducts pen tests.

All right, so this is a really good selection from everyone here. I want to ask, though: are there any up here that you look at and you would put over in the, and I like to call it the vi-or-nano-level fight, like you disagree? I would say read and understand code would be that kind of a fight, because you can be very technical at, like, packet-level understanding, you can be very good at that, but not know how to write code, or vice versa. So are you saying that either of those skills are not necessarily required, but they would both be considered technical? Okay. Is there anything else up here, though,

you know, you look at and you're like, well, that's not a technical skill? Not to muddy it more, but, like, maybe the ability to use, like, reversing... yeah, so, yeah, the ability to use IDA Pro or reversing, reversing tools. So thanks for being part of this exercise and actually participating, because this is the type of discussion that, you know, we've been having leading with our teams as well, around, you know, what does it mean when somebody comes to you and says you're not technical enough, you know, are you advanced, you're technical, all of these skills. Like, you look across and I loved... I believe you mentioned the domains, sorry, who

mentioned... sorry, you mentioned the domains. Always go across to the multiple CISSP domains, as well as skills outside of CISSP. So when we think about this from, you know, the next question that we asked: we asked this question to start, of what does it mean to be technical in cyber security. The next question we asked was, sorry, of these, which of these are engineering skills?

Which of these are not engineering skills? Let's start with that, we'll go to the negative. Security controls and operations, because my assistant team does not want to do controls.

Pen tests, for an engineering team conducting them. Okay, I don't know.

Does anyone have an engineering team that conducts pen tests? Yeah. This is why this topic is so much fun, because we have, what, you know, 30 people in this room, and we have 30 different perspectives on a definition of a term that we're holding people accountable to.

Oh.

That's a very good point, yeah. Sorry, the question was, what do we mean when we say engineering team? Because there's physical engineering, there is our software engineer, there's all the domains of engineering. So let me get back into the slide there. So I want to turn back over to Lea to talk about the data that we pulled out.

All right, cool. So we actually did a survey, and one of the questions we actually asked was: tell us what you think, you know, technical means, tell us what you think engineer means, and then just tell us anything else you think we should be aware of, like just give us your open feedback, which is in a different order. Let's... I'll get there eventually, I'll go in a different order. So here's the open feedback we got. I'm not going to read all of them, but we highlighted the parts that we thought were relevant, right? So: greater than zero knowledge writing about code; limited to no coding experience; soft slash people skills (personally I prefer leadership skills, but, you know,

that's me); gatekeeping, gatekeeping. All right, so let's go back a little bit. So it's an open survey, anybody on the internet could answer it. It's probably people we know, let's... I mean, there's a little bit of that going on. So we did ask people for demographic information; I always think that's helpful, you know, just to set the tone, like who's answering these questions. We mostly got a bunch of men answering these questions, like we were joking, like, what does that say about all the people we know? And we actually got a ton of people with a lot of experience, which I actually... I read all the data line by painstaking line,

and you could really see some interesting changes that we're not going to go into for this talk, but as you went through years of experience, that I thought was really, really fascinating. So everybody just gave us open-ended comments, like way more than five words, in case you're wondering. And so I tried to group things, because I wanted to create, like, those word clouds. So for example, if somebody said you need to be a pen tester, you need to know cloud security, you need to be an infrastructure person, anything in, like, the CISSP domains, I put together all as "security domain", just because that was easier, because, I mean, otherwise you just get, like,

the world's largest word cloud that would mean nothing to anyone. So you saw a lot of people say security domain. A lot of people actually said systems, so both the systems concept and systems design, I broke them apart, please don't hate me. Some people didn't actually go into security domains, they just say security all up, and I didn't really know what to do with that, so I left it alone. I mean, coding's up there, like it's pretty big, right? And somewhere there's scripting, not as big, much smaller. But I thought it was really interesting, the number of people who said you have to understand, you have to have knowledge,

sometimes people might even use the word expertise, right? So it's like, you have to understand. Okay, cool. So what did they say for engineer, then? I mean, it's similar, but it's different, right? Like, coding is probably the biggest word out there, which I thought was fascinating, and then build, which makes sense, right? Like, we all build something. Again, you got security domain, you got systems. I think someone said hands-on at one point, that got up there. I saw a lot of people call out tools and tooling, and controls, and so, like, all the words we use, right? So we already hit the comments of no, but I want to bring it back up again, right?

So I think the bottom two are the most telling for me, right? Like, I love the "not technical is almost always a gatekeeping way of saying not technical in the same way"; I think that was brilliant. It's such an easy way to capture kind of what we're discussing. Okay, so we've talked about a bunch of words, you all participated, you're all awesome. So what's the solution to the confusion? Well, I mean, we're nerds, so we, like, went to the dictionary and we're like, what does a dictionary say about the word technical? What does the dictionary say about the word engineer? So does anybody in here, like, maintain public works, like build bridges, or

anybody, anybody maintain engines? Anybody like electronic engineer? No. I was kind of hoping there'd be one structural engineer. No, wait, there are no engineers in this room. So I thought this was really interesting. I also love the fact that engineer is both a noun and a verb; that kind of cracked me up when I was doing the work. I was like, oh, I can... I mean, it makes sense, right? We talk about engineering a solution, we also talk about humans as engineers. So that's what the Oxford Languages dictionary says. So why do we not know what to call things, and why do we have this problem? I'll be really honest, I do think a lot

of it is unconscious bias, right? Like, we don't mean to stereotype, but we do, and we've all taken... well, maybe I shouldn't have seen things... a lot of us have taken some sort of bias training at work, right? We all talk about it. So I do think that is definitely a problem. There's the affinity bias, like we like people like ourselves. I mean, it's really funny if you ever go through your network, spend some time; like, my network is obviously more heavily weighted towards women, even though I'm obviously in an industry that is more heavily weighted towards men, but that's an affinity bias. You got confirmation bias: hey, I do pen testing, so I like the person who does

pen testing because they're cool. I actually don't do pen testing, but that was an example. There's also time pressure, right? Like, you've got to make decisions quick. So when you think about your interview experience, right, you're trying to make a judgment, you've got 60 minutes to figure out, is this person the right human for the right job? There's a time pressure there. And I also think this one's key: we've got a lot of really hard problems to solve that we don't know how to solve. There's just too much ambiguity, and so we say, oh, we just need someone technical to solve our problems. So how does that impact our industry? Well, I think this data is out of date, right?

But they estimate we'll have 3.5 million openings in cyber security. Now I know there's a big debate whether this is accurate data or not, but look, even tech recruiters say there's bias. Like, let's be real, like, this is a real problem for us, and we know that there's bias in performance reviews and promotions, and unfortunately they impact women and underrepresented minorities much greater than folks in the majority. And if we want to be an inclusive industry, we've got to tackle this. So I'm going to turn it back to Josh for how we're going to tackle this. Tackle, I used to play football, I know this. Oh wait. So this technical trap is a huge impact,

and anyone can be trapped in this. You think about throughout your career, if you've ever had a review where the review feedback was, you know, "I really want you to be more technical," you know, "I really want you to code more," when you're working as a network engineer. These things act as gates. These keep individuals from, you know, progressing in their career, and if you're that individual getting told that over and over, you're not technical, you're not technical, you're not technical, what are you going to start to believe? So I tried to generalize the addressing of this for something for both ICs and folks who have management. So I run a team of about 25,

and the first thing that I tell folks to do is, it's all about sitting with the uncomfortable and getting ready to be uncomfortable, because there are times that you are the person being held back by this trap, and there are times that you're the person implementing this trap. We all can have biases, so acknowledge that there is bias in our language, there is a lack of clarity in a lot of our language and how we apply it and how we measure others against it, and take that time to intentionally ponder what that means. So when I say intentionally ponder, it's really taking a moment to sit quietly and think about your own life experience, and do you have an

example in your life where you're like, yeah, I got told I wasn't technical, and I kind of shrugged and went, what do you mean? Question. So as a trapper, am I making assumptions about skill sets needed based on me? Like, I've been in this job for 25 years, I know what a cyber security professional does and what they need to be able to do. Do I have any data to support that? No, but my god. Questioning the ambiguous statements. So, you know, even during our interaction here, we had statements of, like, coding or scripting. If I walked into my computer science class from two decades ago and asked, you know, what coding meant, there was an assembler class

and there was a cfos class, and I guarantee you those classes thought very differently on what they meant by coding. So this is where we'll talk about precision. Questioning about my default values: you know, I found for myself, when I do this introspection, I have the default value of pen testing, because if you don't pen test, you're not cyber security. I have the default value of coding, because if you can't do Python... it wasn't just coding, it was Python: you can't do Python, you're not cybersecurity. And I had nothing in there about risk, I had nothing in there about controls and, you know, going across domains. So, you know, questioning, and also getting

that outside perspective. So as you're questioning, going to your peers and going to your friends and having this discussion, you know, your friends, you love them, they love you. And in that reflection, sir, because again we are nerds, start playing some experiments. Try a new ground rule for behavior, like, as a manager, I cannot use the word technical in any of my reviews. As I see when I'm writing my own review, I cannot use that phrase. I cannot use the term coding in my reviews; I need to reflect what I'm actually doing, reflect the skill set that I'm utilizing. And the other test and experiment that I implemented was

less instinct, more intentional, meaning taking that time, especially when working with others and working on my own side, to say, okay, what is the skill we're looking at, and where are they adding it? On the awareness side, we joke about the trap IOCs, the indicators of cot or compromise or whatever we want to call them these days, but as an IC or manager, take a look at your review feedback and look for those ambiguous statements, reading the statements as if you were someone completely outside the situation and going, if I read this statement of "hey, could work on X, could work on X technical skill set," is that clear enough to actually tell me

what that person should do, or tell me what I should be doing, or my reports should be doing? Assignment trends, and this is something that I encourage anyone who has people reporting to them to start looking at and keeping track of: the type of work that your people are being assigned. This is one of those sneaky ones, because, you know, it's, we're all on the security architecture team, they're doing architecture work. I found at one point I definitely had one person who was doing way more control writing than they were doing systems architecture, and there was a default that had to be fixed: the belief that, you know, this person didn't have a skill set there.

We talk about the lack of documented scope, and, you know, anytime you have a work task or an item, having that clear: what are we trying to do here, so you can actually go and talk about skill sets. Which brings us into where I talk about precision, like,

as individuals in cyber security, and again, I don't care if you are a manager or director, consultant or IC, precision is one of the biggest tools to root out bias and to fight the technical trap. Meaning, when you have work that's assigned to you, or you're assigning out work: has anyone had an assignment saying "engineer a new system"? I certainly have. "Engineer a new data system." Great, the next task was to go break it up and actually figure out what that meant. But when it was reported out and talked about, all it was talked about was, oh, they engineered this data system, they engineered this system. The skill sets needed for the roles that

are actually being enacted, and this is where we talk about the day-to-day work and being precise about what an individual is supposed to be doing. I'm going to say the scary word. I'm going to say, you know, career ladders and role definitions. Who here at work has ever had a career ladder? Yeah, building one or used it. So career ladders have both a very positive connotation and a very negative connotation in our industry, because some folks, when they're built, they end up being this checkbox to promotion, and in others they end up being this, you know, pathway or guide. So when you look at a role or an organization, and if there are no

career path, and I'll use that as an alternative phrase, career paths that define skills required, not "be more technical". And when we say skills required, we're down to: they need to be able to write Python, they need to build and pen test Linux systems, they need to be able to, you know, map controls from CIS to STIG. These are skills that we can measure against, and not have ambiguous hand-to-sky statements about how someone is doing. As you look at those skill set breakdowns, one of the questions that I'll ask with each one is, if I'm measuring someone on a skill set, how do they train on that skill set? Because if they can't train on the skill

set, either I've got a terrible skill set that just no one knows but the mystic master over in some faraway land, or I've got a skill set that I haven't properly defined. And if I'm measuring folks on skill sets that they can't train on, how do they succeed? Curiosity can only get you so far. And the last one I want to call out about precision is ensuring that what we're measuring and looking at folks on, and what we're measuring ourselves on, is it actually applicable to the core of the role that we're in or the role we're going to, or is it a one-off? For example, I had an engineer at one point get

assessed on not knowing how to implement a Juniper firewall, because the one weekend, one time, there was a need to fix something on a Juniper firewall. Wasn't their job, wasn't their role, they didn't know the skill set. The feedback came to me: oh, this person's not technical, they couldn't fix the Juniper firewall. Who here can go ahead and fix the Juniper firewall? Wait, I thought you're wrong... there we go, all right, we've got one Juniper engineer. I thought you were in cyber security; isn't that a cyber security skill? Sorry, I get a little fired up on this topic, I apologize. But so, oh dear, oh, we have the wrong version now. Do you want to just do the summary?

Where's the summary slide? We have the usual fun of a slide issue, one second please.

Oh, there it is. We like to hide slides from people, apparently. I'm sorry, that's my fault.

Actually, it's a bit more of an engineering concept. [Applause] So in summary, like, we all can't fill our roles, let's be clear, we have way too much demand, but we don't need to sink our own ships, right? Like, so we need to really... you've got to stop letting bias stop you, right? So actually this applies, I would say, even more often when we're interviewing, right? So you're doing the debrief, you've had this great conversation, and somebody's like, oh, I mean, they were great, but they weren't technical. Like, there's no way that hasn't happened to people in this room in a debrief. So, like, stop the person who says that and say, okay, well, tell me what you mean.

What skill do they not have that you think is essential to this role? Like, fight back when people say, oh, they're not technical, because there's probably some sort of unconscious bias going on, and, like, let's just call a spade a spade. I think this impacts ICs and managers a hundred percent, and it impacts everybody in our industry, because either you will be told at some point you're not technical enough, or maybe you'll have the delightful experience that I had, which was, I was working for my company on a booth, someone walked up to me, they're like, you know, oh, what do you do? I'm a technical... at the time I was a technical program

manager, and they're like, can I talk to someone technical? And I was like, wait, I think it's in my... I'm like, okay, like, I get it, like, you heard the word program manager and decided I wasn't technical, even, like, literally, it's in the title. But it happens, right? And I think it's how we respond to hearing stuff like that, and we don't let it stop us. And as I said, it impacts ICs, managers, everybody; we all have to be in this together. As we mentioned earlier, there's a lot of... there's both anecdotal data that we saw that indicates greater harm to unrepresented minorities than women, and, like, we want to make this an inclusive

industry, like, we want to make sure there's everybody, because let's be clear, we don't want diversity for diversity's sake, we want it because the more people with different backgrounds that come in and join in a conversation, you get a better outcome. Like, that has been proved again and again and again. So, like, let's embrace it for the awesome business enabler it is. And to combat it, it takes focus. You've got to commit to this; it's not something I can just say, like, I'm just going to, like, not fall trap. No, you have to commit. I think reflection is the most powerful tool there is. I remember I was in business school, and

each week we had to reflect on stuff, and I was like, this is an amazing tool, I wish I had this in my tool set earlier, because it just allows you to learn in a different way. So reflect, like, commit to becoming aware, and get precise. Like, if you're saying, like, I need a technical person, really, what do you need? Like, it's not sufficient anymore to say I need a technical person or I need an engineer. What exactly do you need? What skills do they have to have when they walk in the door, versus what can you train them on? Like, what, do you have a really exciting candidate that you believe you can train?

Are you gonna let your bias of, like, they don't know how to pen test stop you? I would hope not, but plenty of people do. So get precise, know what you want, and we would love feedback, like if you liked this, if you didn't like this. We're feedback at bsidesfeedback.com... yeah, we just did that in the speaker room, yeah, we're like that. And we'd love to open up for questions; I think we still have time, I'm not watching the timer, or anything else, like any comments people want to say. Like, really did appreciate everybody participating. If you're participated out, I understand, but if you're not, we would love to hear any thoughts.

I think that biases are out there; being technical or not technical can manifest in different ways. I have experience with it manifesting from the other side, when somebody considered to be too technical in order to be good enough with, you know, soft skills, on these people, and this was not based on any kind of actual experience with that person playing that role, but simply an assumption that, you know, a good engineer is probably not also a good manager at the same time, right? And I think that, I mean, if that is the case, and really it's just a standard for, you know, like, the bias expresses itself in multiple different ways, I think that we shouldn't be just looking

for specifically a new bias around the term "too technical", but about the biased approach to assessing people, you know, whatever terms are used to describe kind of the pitch and call the person based on the frequency of notions. Such... so true, you know, the statement, and kind of to re-summarize, like, bias impacts in all directions. And we talk about, so, you know, getting precise on what's actually needed by a skill set, and also taking that time to reflect and asking others to reflect, and, like, why is it that you say that this person who's an engineer doesn't have leadership skills? Well, they're an engineer. Okay, what does that mean? And, you know, some of the times taking

that Socratic questioning and just taking someone down that road, you get some amazing results when that person's eyes start to light up and go, crap, I'm just assuming that, oh, the engineer can't talk to humans. But what do you do, what do you do when the person you're talking to doesn't know the specifics and just uses technical as an umbrella term because they don't know what they need? So I can speak from my experience; it depends situationally. I'd love to say that there's a catch-all golden answer, but I still, I'm following down the: if you cannot specify beyond the word technical, then we are not in a position to assess the individual. If you cannot specify beyond the word

engineer, we are not in a position to assess the individual, and we need to fix that. That's the problem now, and I'm going to focus on that problem, and once we fix that problem, we come back to assessing the individual or the group of individuals. Yeah, at least for myself, I mean, I've experienced this in job interviews, and oftentimes coming from people other than the hiring manager who has some misconception about the role. In one case I was interviewing for a security manager role, and the director of development had something, you know, stuck in his head that I had to... you know, the role had to be a pen tester, and I was not a pen tester, and in my

opinion that's not what the tournament should be doing, you know, but he was just, you know, couldn't get over that and try to get the... yeah. So what I heard was around, like, having that situation where it's not in a hiring situation... where it's not even necessarily the hiring, and as a candidate you won't know this, you won't know who it is on the back end that's like, well, that person can't bake bread, so obviously they're not a good systems engineer. A loaf of bread is good. But one thing I found to be helpful is actually emphasizing my soft skills, especially when it comes to translating technical concepts into more approachable things,

so being able to communicate cross-functionally to less technical teams actually shows me to be a stronger technical person. I think it's called counter-signing, but basically, like, being able to dumb things down without making the other people feel stupid has been really valuable in getting myself higher and higher as a technical person, because I'm able to get more support from more parts of the company. And, like, CEOs aren't always the most technical critters; sometimes they're a business critter. If you can tell them why you're doing a good job, or why the engineer just kicked ass learning all of Terraform in a weekend, you become more valuable as a technical resource, as more like a technical

consultant, and so that might be something that is more helpful, like, to very work on as well as this stuff. Very true, and I love, like, taking, you know, we sometimes talk about engineering, technical, like we're this isolated thing that we exist just for ourselves. Other than some non-profits out there, I think most of us work for a company that, you know, makes profit and does something, you know, and has other facilities, and like you said, to be able to communicate what does it mean that the bumper on the car has been installed three seconds faster? Well, that means this in the business world. And I know we're having

the conversations now about the CISO/BISO discussions, which I think are going to be interesting in the next few years. Could part of the problem be the unrealistic expectations of people just starting out in the industry? Because they're new to it, but the cyber security industry is short of people, so they have slightly unrealistic salary expectations. So in bigger companies, to get those roles it needs the title of engineer or whatever. So could that be part of the problem? I, again, I can only speak for the areas, for my experience, but definitely we, you know, we do have... it's common practice, if you have an engineering title or a developer job class,

your pay band is different than if you are a, you know, technician. And sorry, and, you know, the other part of your statement there, around kind of folks starting out, and I wanted to clarify: do you mean the new people have unreal expectations of themselves, or the companies have unreal expectations of new folks coming in?

So the discussion of, like, I need to come into the industry as an engineer because that's a better pay band. So, but even at that point, as a hiring manager, or as someone, you know, looking to fill out roles, my role title may be engineer, but my job description and my checklist for all my hires are skills, and if those skills aren't there, then we shouldn't hire that candidate.

So, something that I've experienced that I think is tangentially related to everything we're talking about is a desire for candidates... and I'm speaking as a candidate going into job interviews... a desire for candidates to have the experience which they cannot have without having the experience, if that makes sense. Like, getting the initial experience is a huge barrier, as someone who's coming into security without an IT background, and that can be kind of brutal, in my experience. Yeah, what is your background? I was a farmer, and then in 2019 I took a cyber security boot camp and then kind of went off on a tangent with it and found my

tribe. That's awesome, hell yeah.

Startups are so desperate for everyone, please go find some startups. They have no idea what the hell they're doing, they're so precious and wonderful. Also contracting; contracting is great, because if you do a small project for someone and it doesn't work out, it doesn't matter. So put it on your LinkedIn as contracting. Great, oh, I keep my clients private; that means I can call your references, right? And if it does work out, then you do get a lot of really good experience, and you can still dip out whenever it gets too crazy. So highly recommend startups and contracting, and keep trying. It's crazy, and, like, adjacent stuff: I'm in QA, I come to security conferences because

it scares the crap out of me and because sometimes I get to wedge some security bugs in as QA bugs, so there are sneaky ways in. Thanks, for sure. Okay, oh, what about these entry-level positions that are advertising for candidates with two or three years of experience and a CISSP? So I want to reiterate, restate the... so essentially the question, again, about the hiring field today, where we still have this terrible job description mantra: entry-level position, two to three years' experience, CISSP required, which requires five years of experience before you can get the full CISSP. So the unfortunate side of that is that has to be corrected by the companies.

Like, as someone coming at it as the candidate, you know, other than you could say, hey, this seems like unrealistic expectations, but that, you know, as a candidate isn't really going to help you in that situation. What I treat it as is: those are red flags for me, for companies I don't want to work for, because they have not taken the time to reassess their job descriptions to look for biases, to look for issues, and to try to make sure that they're recruiting in a different fashion and opening up the field. I don't want to work for a company like that. I want to work for a company that's going to have a room looking like this,

with cool people, we're going to have great times, and we're going to break some

Okay, well, if there's nothing else: please, if you think of something later, please reach out. If this was a helpful discussion, let us know; if you thought it wasn't, I mean, let us know too. That's all... I like all feedback, yeah, like, just be constructive, and I might only ask... That's how to get a hold of us, and as we said, we're BSides Seattle organizers, so you could probably also track us down that way. And thank you all for participating, we really appreciated it, and have a great rest of your day. That's all. [Applause]