
so I guess we can probably get started with this one our next panel of the day it is about roles in infosec that don't require you to be an engineer Josh come on back down that's probably a smart decision
platonically I hope but all right so we can get right into this and how this panel is going to work I don't know exactly how keep just ran his but we'll see how this one works so questions I get a bunch of questions that I have for our esteemed panel here hopefully we can't stump them too much or anything like that but at the same time if you have questions that's going to be awesome so go ahead and think of questions I moderated a panel last year and I think I asked people for questions potentially to be asked at the end but I had Josh on the panel and I had Andy Ellis from Akamai and those people just
talked forever so we kind of ran out of time but we'll try to have time this year for audience questions and see how that kind of goes so who are the five of us up here well just kind of really did I misspell your last name Rachel it's okay that's amazing I'm going to take a picture that later let me sit let me fix that right now no I'm Lulu guy I'm going to change my name now but PLAs is better as soon as I saw it I'm like oh no that's fine I'm a last-minute fill-in so I'm Ike okay so we're back so we have Rachel spats also known as Platts
the demand manager of Cybereason we have Jordan LaRose - the technical writer of Rapid7 Susan Kaufman of Principles senior security manager of Veracode and Nick Cassel a client director at Optiv and I am your friendly moderator Patrick Laverty so let's get right into the first question please introduce yourself where you work even though we just went over that what you do and a brief background Nick you want to start four things so my name is Nick castle I make director with Optiv Security for those of you don't know Optiv we're the nation's largest cyber security solutions integrator so I've been with the company for over 10 years and I've kind of started you know at the
beginning is doing renewals and working way up through the the system so prior to joining Optiv this is my first job in InfoSec I was in a completely different industry and food service so I actually managed an Applebee's of all places for a couple years so and yeah so it's a little bit of my background so I'm Jordan LaRose I'm a tech writer of Rapid7 I just recently joined up actually two months ago and this is also my first job in information security beforehand I was a tech writer at Electric Boat building submarines so bit of a change there but I'm enjoying it so far hello um my name is Rachel spats Platts I am a demand generation
marketing manager at Cybereason and this is my third job in cyber security I previously worked at Core Security did pentesting vulnerability management katie LeDoux and before that I worked at SSH Communications Security which did encryption and user key management so I've been working in cyber security for about six years in marketing hi I'm Susan Kaufman I'm a program manager at Veracode for those who don't know Veracode we are a cloud-based solution for application security testing this is not my first job at security I've been at Veracode for three years I was at EMC for ten years before that and most of my time at EMC was in security in some way
I worked in our corporate product security organization where we developed a secure development lifecycle process for all of our software products and I also ran vulnerability management and other than that I've been in the world of software for more decades than I'd like to admit
and I actually ended up on moderating this kind of last minute and it's kind of interesting looking at the topic for that you don't necessarily have to have an engineering background to get into info security I actually have two degrees in sports medicine that really has nothing to do with information security whatsoever I grew up wanting to work in major league baseball that was that's what I was going to do so that's what I went to college to do I went to minor league baseball and those bus rides are terrible so after about three years I decided I didn't want to do that anymore and believe it or not where I got my start was right here and one of
maybe even this room I can't really remember I took some really terrible job at Harvard working for some person and they have the extension school here which is like one of the best deals ever if you work at Harvard you can take classes for like $40.00 and I just took a whole bunch of programming classes and then ended up teaching programming in places and moved on to information security so I taught first son teaching Java moved on to a university teaching you know the office products and some kind of things became a web developer for a whole bunch of years and then one day Akamai called me up and said you want to work on our blue team defending networks
that sounds awesome so you can actually move from it doesn't matter where you start you can move into this field and that's really what we wanted this panel to be about is people like us who haven't been into the computer since they were 8 years old and haven't been working toward this but you can still get places in the information security field without a background in engineering all right let's say what most prepared you to work in InfoSec I'm going to start with that one Susan sure so I have a degree in economics incredibly useful really only useful if you want to be a college professor and you go on and get a PhD but I did take
some computer science classes a long time ago in a galaxy far far away and I think that actually was helpful because I wanted to write code but I understood the process and I had a number of jobs before I ever got into anything involved in software but it came to information security by chance I was working managing product releases at EMC and a customer reported a vulnerability and I ended up having to work with our product security organization to help get that through the process managed to fix manage the communications and deal with the customer and I was very engaged with the folks who were working in product security I was interested in what they
were doing built a relationship and then when they had an opportunity they asked me to come and join them and that was 12 ish or so years ago so I almost like restarted my career with that and went in a completely different direction um I this is a weird question because I don't think anything prepared me to work in InfoSec to be honest but I I think understanding how business businesses run is important because a lot of people all of the companies I had worked at before I mean I the first company I worked at out of college I don't even know if we had a security team like it was just something that I know we had an
IT department that you know the guy called when like my computer wouldn't start but security was not on my radar at all so I think understanding how business works and the relationship between IT and security is a good prep kind of understanding that and then I think just being somewhat tech savvy like understanding how the internet came to be and like how computers generally work I know that sounds like very simple but like when I started my first job at SSH I didn't know what a server was and like a client-server and I was like what would so I think understanding just the basics of and not necessarily like taking a computer science class but just
understanding technology so what most prepared me to work in InfoSec I think was actually working on submarine systems if any of you are familiar with submarines they much like the Internet are a series of tubes so but seriously submarines are an incredibly complex pile of machinery that nobody totally understands and I like to think of computers in the same way they're both sort of something that you have to take apart piece by piece and start to specialize in and information security is a lot in the same way there's a lot of stuff going on and the only way to really take it all in and deal with it is to just take it piece by piece and try to adapt to it as
it comes to you so I have a slightly different take so I working on the sales side you know I have to really be engaged in me the business processes and really any project that's sold from from start to finish so I would say looking back what prepared me the most is the years I spent in foodservice dealing with you know upset customers especially when I went to the manager training at Applebee's you know they spent a lot of time and emphasis teaching us how to defuse situations you know somebody has an undercooked meal how do you handle that right so my role as a client director in helping my clients navigate various different projects you know as
we know no project ever goes smoothly as planned right there's always setbacks and twists and turns so really what's prepared me the most is really learning how to defuse those situations and help steer it from a negative experience into more of a positive experience I think that's really linked to a lot of the success so
about Jordan what do you wish you are more prepared for or more prepared about when you started your job in InfoSec two months ago yes okay so I have to admit when I came in I I thought I was super knowledgeable about computers I had you know played with them for years taking them apart but and put them back together but when I came in what I realized was that no matter how much you think you know there's always more to know so when I got into information security the first thing that really baffled me was Python I had some experience in C++ beforehand but it was not nearly enough to help me understand the you know complex
scripting tools that a lot of the penetration testing team uses so beforehand I really wish that I just sort of I guess tried to get that same mindset that a programmer has when they try to create a piece of software to accomplish a task having that sort of ability to break things down into individual processes and sort of put it all together to work is something I'm still working on developing today and if I can also tell a little story about Jordan and I actually work together we both work at Rapid7 and at Rapid7 we have a team of about 25 30 or so pen testers and I know a lot of pen testers
and there's brilliant pen testers all around the world and on our team we also have some really smart guys and when Jordan was hired one of the very probably not the first thing but one of the first things he got sent to do was to come to this thing that we call hackathon and hackathon is when we get most of our pen testing team together in a building and we kind of just all work together and you can imagine my head spins when I look at some of these other guys on my team and some of the stuff they know and here's Jordan starting his job first job in InfoSec walking into a room of 20 or 30 pen testers with the IT
and hacking and all that kind of stuff flying around and then to make it even more badass by him on Wednesday night of hackathon we have what we call our mini con where everybody's encouraged to kind of present on something for about 10 minutes and everybody's up there showing this new hack this different hack that they're going to do he just signed right up and he's up there giving a presentation with everybody else and I thought it was one of the most valuable ones that anybody on the team gave and he's just like I'm one of you guys I'm right here with you so that was one of Jordan's kind of badass moments I think
with starting in InfoSec right Rachel um so I think going into my first job and looking back at that and what I know now I think the most alarming thing I'm sure this applies to other industries but how big the space is and how many different types of products and platforms and solutions and technology there is out there and just trying to understand how those each of those apply to how business runs and what a CISO thinks of when he's building out his stack you know understanding why they think AV is necessary why they think firewall is necessary and what type of solutions are necessary and understanding SIEM and how where that sits and how that fits into
everything else that's happening and DLP and incident response and just really understanding like from a business mind when someone is building out their security stack all the things that they need in order to keep the business safe and going into my first job it was an encryption company and we did like keys you know SSH key management and I think of like encryption and as such SSH keys and stuff as like a tiny little part of like the entire landscape now and so you know reading more about that and trying to talk to CISOs or security analysts or whoever maybe to kind of understand the business side of of a security stack in that entire space
so I actually will pick up where you left off on that because I think understanding that the interaction of security and business is incredibly important and I was not newly working when I came to InfoSec I had experience in the world of software but what I wasn't prepared for was how difficult it was to make security a priority and so that's where you have to be able to engage with the business people to educate them not harangue them and help them understand why it has to be a priority because often it's not even today surprisingly it's not so being able to speak in business terms about something you know somewhat technical you don't have to go too deep but be able to
present facts and figures your figures and help lay out the risks that the business will understand so they understand why they have to make it a priority that was a hard lesson to learn and is still part of my job every day today and it can be a battle every day yeah and I agree with you I mean trying to help you know our CISOs and the you know Board of Directors and the various C-levels and the clients we work with take what the outputs of these different technologies are giving and tying that back to business which is very challenging so you know whenever I came into the industry you know it's a much
different than it is today but for me it was relatively easy to pick up okay firewall does this you know DLP does that you know the actual functionality of the spectrum of technology that's out there but for me what would have been very helpful back then as a young person coming in is learning how each of those technologies interplay with policies procedures standards what does compliance have to do with that right what are some of the external factors that are forcing the businesses to make decisions that aren't necessarily based in either a technology or functionality so and again that's that's one of those areas that's still kind of always evolving and want to try and stay in front of but I think that
would have been the most helpful if somebody would have sat me down said okay here's technology but here's how it all works with the business that took me a long time just kind of out on my own I'll throw this out to anybody that wants to jump at it when somebody doesn't really have a technical background and they're moving into something like InfoSec which is a technical field it can probably be a little bit scary like I'm going to be intimidated by all those engineers and tech people how much of that do you think is a real concern and how much of that do you think you probably how much tech do you think you should know
especially if you're not exactly in an engineering kind of role I'll take that one to start so you know I'm definitely not technical my wife actually jokes that she's the helpdesk of our house and I can't figure out how to work more you know the iPad half the time right so but when it comes to understanding the basic functionality the various technologies out there I do understand X I've been living in it for ten years you know I see it every day so you know I think I think it's okay to not be the subject matter expert and everything but as long as you know the basics of how something operates or how technology operates or
how maybe two technologies you know interplay against one another you know I think to come in and not have that expertise is okay you don't need to be the expert but as long as you have a basic understanding I think that that's at least to start and to add on to that having a sense of curiosity and being willing to ask questions is important and also having a little bit of humility so I I'm a I have a pretty good technical understanding I'm not a hands-on technician and haven't ever been in my career but I work with some incredibly smart people and they like to teach and they like to share and as long as you're willing to be honest about
what you know and you don't know and you don't try and act like something you're not people are going to respect the fact that you want to learn and you want to grow and as a most of my career I'm good a program manager which means I'm responsible for coordinating a lot of people to solve problems and deliver things so I have to know the right questions to ask but generally what I do is find out what kind of skills are needed and I find those experts and I bring them in and I get out of the way so you just have to be willing to understand the context and then bring in the experts and then
opportunity to let them be the experts and then learn from them yeah I think Susan hit it on the head in terms of being okay to ask questions and I know there are probably jerks in every industry but there are going to be still some of the engineers and some of the technical people that are more than happy to explain things if somebody comes to me and says hey how does this kind of thing work or in your report this week it you talked about this how exactly can you just my own interests I want to learn how this kind of thing works you might explain it to me I'd love to sure go ahead and ask these
people especially at a conference like this where you heard Jack earlier talking about it's all about community it's all about communication talking to people and if you have these kind of interests even if you don't have the background even if it's not part of your job but you want to learn and you're curious ask people love to talk about this kind of stuff it's asking a whole lot of fun what tips would you give someone else that doesn't have an engineering background that wants to get in they maybe they have some other kind of background currently and they think information security things seems like it's going to be a big deal someday I want to get into it let's see rachel e
going to start so I think the most helpful things for me starting when I first started out and still to this day are I mean there's so many like going to events like if you're here right now like that's a great start BSides in like the like ShowMeCons and the hugh set cons and like all of those little hacker cons are incredibly helpful attending all of those sessions and panels I think reading about security in the mainstream news is helpful in a way but also making sure that you're reading like Krebs and you know whatever your your flavor is Dark Reading whatever it may be but listening to people and how they talk about security and I don't
know that like everyone might not have an opportunity to like work in like a tradeshow booth it some eh but I've worked in many tradeshow booths for different companies at like Black Hat and RSA and SANS events and people coming up to the booth and you know what do you guys do you've given that your spiel but then hearing the kinds of questions that they ask like what immediately comes to their mind what's important to them going back to the business case thing is probably the most insightful experiences I've had and has helped me I think do my job better is actually speaking to people that are subject matter experts and figuring out what's on their mind and if you aren't
at a trade show then obviously there's tons of reading materials and tons and tons of blogs SwiftOnSecurity you know always a good place yeah so the other thing to keep in mind is you can work in information security without being a security engineer or software engineer or hardware engineer or a pen tester I work at a security company but it's still a company and it has lots of jobs that are not about being an engineer marketing people get to be intertwined with security they need to understand it and be able to communicate about it but they love marketing so they do marketing we still have finance people you know so you can be involved in the industry
without being an engineer so it's figure out what you like to do and then if it's not an engineering function but you're interested in security find a company that's looking for the stuff that you like to do in the corporate world and then you can be involved and then you can learn more and if you want to take another path once you get in most companies are willing to let you learn and have opportunities to try stuff out yeah so I think you know what they both said is very relevant I think to coming in you know you have to be humble right it's been said before we have to be ok with asking questions and I think most
importantly have to be ok when somebody asks you something and you don't know the answer to say hey I don't know the answer to that that's okay not to know I mean there's a lot of stuff out there to really understand and learn so you know as a young sales rep starting the other 7 times where I tried to kind of BS my way through answers or whatever and it always ended poorly so you know I learned that very quickly that don't be afraid to ask questions and don't be afraid to say hey I don't know but I do know where I get that answer for you and - coming from the sales side you know
kind of echo what Susan was saying there's lots of entry-level sales jobs whether that's working in lead generation or you know just an entry-level inside sales role where that really gives you a lot of experience and exposure to you know whether that's a specific technology or a services business or whatever so I think that that might be a really good foot in the door and then you know you can go in there and pivot and if you like what you do or you see something that you really want to you're interested in you know start focusing on that after you have a couple years of kind of industry experience under your belt I actually have a really good example of a
colleague who's actually about to become an ex-colleague because he's moving on he was selling insurance three years ago he came to Veracode in an entry-level sales like lead generation or something some kind of role like that did that for less than a year came over to program management and learned about program management was an associate for less than a year moved into product management because he wanted to learn about how products get developed and that was his ultimate goal he was in product management for a year and he just took a much bigger role in product management at another company so from insurance to software security product management in under three years Jordan are there any tips that today you'd
give yourself two months ago honestly I think one of the most important things that you can sort of show in the industry and one of the most important tools you can have is just a baseline interest if you're here you're probably interested in security at least I hope you are but if you can show in an interview or you can show when you're talking to somebody in the industry that it's something you really care about or something that really sort of makes your mind work I think that's really important and then as a result of that interest those you know important questions that you'll have to ask we'll come naturally to you you know you'll you'll feel more inclined to
approach those people and figure things out when you know security is something that you really care about no matter what the reason is behind that so passion exactly the dreaded word and I have another example kind of to go if you're someone who's actually here and I told her I was like I'm probably going to use it as an example but someone I really look up to who's really like paved her own path she started off in PR working for an agency and then came in house for one of her clients which was Core Security she's snoozing right now and she was just our you know she was our PR and social media person but she
would spend so many hours sitting with our security team and our technical team product team trying she would write her blog and just getting as much information as she could she was is luckily she's very smart too but what three four years later now she's on the security team at Rapid7 so it's key to do yes I embarrassed her okay that's it all right so how about did you intend to work in InfoSec or to fall into it and how one of the first Nick sure yeah no absolutely I had no intention of going into InfoSec actually had some friends that worked at the company I start with FishNet Security was a predecessor company to Optiv and is
based in Kansas City which is where I'm from the manager gig was a grind you know I was working like 80 hours a week and I was trying to throw out what I wanted to do really and I had a couple buddies over inside sales hey come check it out so I started looking into him like you know what this is this is maybe really interesting right and you know now I've relocated my family to the East Coast a while ago and made a very nice career out of it so didn't intend in doing it but very happy that I landed here for sure yeah I can sort of concur with that I definitely didn't intend
information security I knew I was interested in tech but as far as I guess falling into it I it was a very you know I guess regular process I just I sort of applied for jobs I I got an interview with Rapid7 and as soon as I interviewed at the company that's when I knew I wanted to work there because there were so many of those questions that I wanted to ask in the interview it was a two-hour long interview and I feel like that wasn't enough time so again the that interest those questions that you'll ask are I think are integral and sort of falling into the industry yeah no intention at all I moved to Boston
six years ago and I had been working in the world for two years and luckily had a foundation of marketing knowledge so signed up with like a temp agency and three weeks after moving to Boston they threw me into this company called SSH Communications Security and bases a temporary position to work as a marketing coordinator to help with trade shows and emails and just general marketing stuff that I had some ability in and I went to my first like security conference I think he was like InfoSec in Orlando Florida and I was like hooked after that because I like walked into the trade show floor and I was like what are all these people and I was didn't
know what any of the companies did and it was so interesting I would just spent the day like walking around and I mean I worked I was like in the booth but you know on my breaks I would like walk around and like you would like check out all the messaging and like go and talk to different vendors about what they did and and then after that I started noticing like I would start actually noticing stories about data breaches in the news because like before I was like anchor but then I started getting very interesting that so it been two companies later I'm still in it and I've planned to be in cybersecurity for hopefully the rest of my career because
I think it's the most important industry out there but security conferences do have the best swag though yeah they have pretty Schlag so I didn't have the intent to work in it because I've been working long enough that it didn't exist when I started working so I didn't work in anything technical for the first couple of jobs and then I got into software project management and I think I talked about this a little bit already I spent many years doing that and when one of the products that was in my portfolio to manage had a vulnerability I got very interested in the process of finding it and remediating it and resolving it and the process that went along with all of
that and was lucky enough to be offered an opportunity to move in that direction just because just by happenstance so it was I guess we make it four out of four or five out of five not salutely kind of us intended to do this and look at where we are because I can relate to what Susan said it didn't exist wait anyway next question Oh what skills do you think are important to you being successful in your job Susan you're still thinking so so I think this applies to any job ability to listen and communicate effectively is important to any role because unless you are sitting in a room by yourself working for yourself and never dealing with another
human being generally every problem that I see happen is not because a product fails or because somebody didn't do their job or somebody intended to do something harmful it comes with missed expectations and miscommunication so being able to communicate effectively is both in person or communicating verbally as well as in writing and that's actually becoming more of a challenge these days and I apologize for being generational but people who are used to typing you know a couple characters in a text and abbreviating things having good writing skills and being able to address a professional email effectively stands out so much it seems very basic but those are things that get noticed I think you just made Jordan's day yes yes
you did so for my job specifically so I'm a marketing manager I have a very difficult job along with salespeople because selling and marketing to info security people is challenging because they are like no BS people they will see right through you you can't like do the like HubSpot-y like ten things that will clean up your security environment and like and like though they'll be like now so for me going off what Susan was saying having good interpersonal skills and being able to be open to asking questions and learning more and general curiosity and understanding that you do not know best you need to go to the people that know best fortunately for me
I am surrounded by the people that I try and market and sell to so we have a security operation center in our office I go in there numerous times a day one of our SOC members is here and I'll go in and I'll be like can you read this what do you think about this like what would you think if you got this in the mail from us and it's incredibly helpful I mean they're sometimes too honest they'll be like that's so stupid and like I wanted to like be like oh like maybe we should do like a giveaway like a nest camera and they were like are you kidding me you can't give like
security people cameras like I was like oh yeah I was like I a good plane so it's really helpful to be surrounded by the people that I'm trying to market and sell to and it's really just um being humble and not trying to like trick them because they will see right through you um yeah and see yeah works for a company once it gave away USB keys said it yeah yeah that's another one that I shouldn't give away can see this piece so take it from the tech writer attention to detail is important in almost any job field I think but especially in information security whether the you know actually testing vulnerabilities or reporting them everything hinges on you know very
minor inconsistencies or you know areas where you sort of have to go in with a microscope to really find what's wrong with something so being able to to look at something critically and sort of break it down into pieces and I guess digress in a productive way is very important when it comes to this field and I'd also like to point out that being disruptive finding ways to innovate is really something that is helpful not only when you're trying to get into the field but once you're in it as well because this is a field that's constantly evolving and it's a field that needs people to you know come up with new ideas new processes for things
just new ways of doing stuff because if we don't come up with things new things to do we'll eventually stagnate and fall behind whoever the competition might be so being the last one respondents afforded me the luxury to think about this for a minute so there's several skills that I think are very important to my job again tempered through the sales lens right so the first one is be relevant and what do I mean by that so you know I'm constantly emailing and calling CISO CIO Senior Director CTOs you know across organizations that I'm prospecting into and I always try to put myself into their shoes and think about how many emails that they get in a day hundreds
if not thousands right customer from guys like me trying to get a you know meeting or a follow up or whatever so you know I found to be very successful in I apply this everywhere but be relevant and to the point I never send an email especially introductory email or an unsolicited email more than about two or three sentences you know if you don't have somebody's attention within the first couple words you're in the trash box so be relevant be concise another very important skill to Susan's point is communication skills specifically the ability to listen and I'll give a kind of anecdotal example so just about a month ago I was attending
the Boston SecureWorld conference down at the Hynes Center and I observed kind of from aside an interaction between sales rep and then an individual from a very large organization based in Boston that everybody in this room would recognize her name so the the person from this company came up and started asking questions sales rep got real excited because they saw the big names like oh wow we're going to really impress this guy and he started just talking and talking talking the person from the customer was trying to interject you trying to share his problems he was asking questions but the sales rep was just going going going he wasn't even taking one second to listen
to this guy so a few minutes went by the guy kind of threw up his hands and walked away right and I think did that sales rep had they just taken a minute to stop and listen and really hear and understand what this you know fairly high-ranking person from this company was trying to say he most definitely would have at least led to a follow-up meeting it's not a sale but now you know good luck selling to that guy anytime in the next couple years so listening is very very important communication skills for sure yeah and that's awesome and I would add on to that and you guys can throw tomatoes at me if you want because I'm
going to throw out a very fuzzy one but situational awareness so that's a perfect example of the person had their own agenda the sales person there had their own agenda and rather than opening themselves up to what someone was wanting to bring to them to ask for their help on he was just doing his own thing so you have to be able to read the unspoken messages pay attention to the dynamics of the people in the room one of the best things somebody ever told me is that especially now with where everybody has maybe three devices sometimes they're carrying especially if you're trying to get somebody on your side or pitch something or get a project
approved or get funding for something the moment one of the decision-makers picks up their device you've lost them so you have to keep them engaged and sometimes you can get them back but paying attention to the nonverbal cues that are going on in the room and sometimes other people in whatever situation you're in are communicating between themselves non-verbally and so it's not an easy skill to develop and it's not innate in everybody but it's really really important I thought this let's see that's last question that I have might be just kind of fun but something technical you've learned on the job that you didn't know when you started I'm going to go first because I feel like I
don't want anyone to take mine I thought about this for luckily I saw this to answer I'm in question so I mean there's tons of stuff that I've learned like learning that like people can hack your like camera on your laptop and like little stuff like all the different types of IoT things that can be hacked so that's all like very interesting and scary to learn about but something pretty scary is fileless malware and when I first heard that I had no idea what that meant but I think learning about like utilizing PowerShell and WMI to basically control an OS without actually installing any software is pretty trippy trippy was the word I
would say probably one of the coolest things I've gotten to do has nothing to do with any work that I've done but I showed an interest in something and previous employer was kind enough to fund me to take a digital forensics class and that was pretty darn cool and it was a struggle for me it was highly technical but I had a colleague who helped me through it and I learned a ton and I learned some really scary stuff so I guess the thing that I wanted to point out is not really pertinent to cybersecurity per se but at the hackathon Patrick mentioned one of the consultants actually taught me how to pick a lock which I thought was very
interesting it's it's a lot of fun and it's actually a lot like hacking in sort of a high-level sense it's breaking something down into pieces identifying the safeties and then bypassing them one by one so I've learned a tremendous amount of technical you know information that I didn't know coming into it but some of the things that really stand out you know not that long ago I participated in a presentation of findings where we did a very large corporate wide penetration test for a Fortune 100 company and you know there was a several month effort with multiple resources across the world doing all sorts of pen testing and it ranged from you know app scanning all the way down
to social engineering and you know physical security penetration testing so to see the the results of that you know the ways that these guys were actually able to gain entrance into secured buildings and go around and just the the information you know whether that be printed files or just open ports or conference rooms with the you know computer in it that's unlocked you know this you know large Fortune 100 highly regulated secure company was just astounding the way the way that our you know ethical hackers were able to go in and do that really blew me away I mean it was and this was only a few months ago that you know I sat in on
this so very cool to see the way that they do that I mean it just as a side note we have one guy crawling through duct work to try to get into somebody's data center one time and he fell through the ceiling so you know the extent that you know not only our guys will do but also the bad guys will do to go in and get somewhere it's just really really very revealing so so we probably have time for one question ish from the audience anybody think of one while we were going through this that they want either the whole panel or one person answer so I've been more of a technical myself more of an
engineer but kind of just curious is there anything feedback you guys could give I guess to more technical people or like criticisms or tips I guess to help you guys be more effective in your job I don't know if I've ever told an engineer what to do where you can I just keep helping everyone else out and in like the information sharing manner and I think like I said attending meetups and BSides and hacker cons and capture-the-flag type things networking I think I mean I can't help you in any way but like probably like other people here can just like saying hello maybe patience with those of us who are less technical than you especially those who
are expressing interests and curiosity and want to learn and might need things explained to them more than once so people aren't trying to bother you I generally really want your help there any others do your companies formally encourage additional education or certifications the short answer is yes I don't think certifications as much but I could be wrong mic certification yeah but yeah definitely I mean we sponsor a lot of kind of information-sharing gatherings and meetups because that's very important I mean I feel like that's how security has evolved is from everyone sharing knowledge about look at this piece of malware I found and look at this thing that I discovered in sharing research and so I think it's very important
yeah and that's actually I'm glad you brought that up because there's a lot of certifications that are not necessarily engineering oriented your CISSP and GSEC and GIAC or certified ethical hacker and that kind of stuff but there's other organizations that offer other more process and program level and management types of certifications that are still around this ISACA is one certified information security manager certified information risk something CRISC CISA I don't even know what the acronyms are but I thought was a great one where you can be in the area of information assurance and information security but you don't have to be hands-on engineer I'm working on my CISM right now my company is
sponsoring me for that I got another I got a third-party risk management certification and they sponsored me for that and so yeah definitely one of the things that Optiv does is also sponsor anybody interested in doing their CSP or any of those others but one of the lines of business that we we have is around training so we do a bunch of security awareness training you know hacker training and coding training but we also have a pretty large course book of technical training whether that's a you know be certified to be an F5 LTM administrator you know firewall I've been expert or whatever there's a bunch of different classes and so they'll actually kind of task for it but they'll
actually let employees sit in on those classes if we don't have a full session as long as it's convenient for the workload their manager approves it so you know so that gives them exposure if somebody wants to learn more about a specific technology or whatever so always continuing education that's for sure want to thank the panel for for doing this and thank all of you for coming and I'm guessing you could catch one of them out in the hallway and your questions for them they'd probably be happy to answer that and