HG - Discovering Your Passion in Cyber Security - Cherie Burgett

so without further ado sherry tell us about finding your purpose in cybersecurity thank you my name is sherry briquette I currently work with the mining and metals Isacc which means that I work with many mining companies to get them to work together and I work with governments and countries even sometimes helping them with their overall strategy so I get to work with a lot of moving parts and I get to meet a lot of different people at various levels whether in their cybersecurity career or within their own company and organization their maturity level as they try and build their own cybersecurity programs so here's just a brief overview of what we're going to talk about today so you can decide

whether or not you want to sit in these chairs for the next 20 minutes let's stop pretending that there's a defined career path into the cybersecurity world I'm going to share a couple personal stories about how I got in I'm going to talk about how you can customize your education to get to where you want to be and focus on your strengths and your interests and we're going to talk about the gaps that are that are definitely apparent to everyone in the industry if you spend any amount of time in cybersecurity you know where those gaps are you you know where point A and point B do not connect and we're going to talk about how to find a mentor how to find

how to connect with the people that's going to help you grow as a person and introduce you and find opportunities for this career so it all started edie Def Con I I was a stay-at-home mom I had not worked for any employer for 15 years I decided on a whim that I wanted to go to DEFCON and the only way that I could afford to get there was by bus and it was afford a Greyhound bus trip and that bus trip was incredible if you've ever taken the bus across country you'll know how many people you meet at the back of the bus that will share with you their personal stories and so as I'm telling them where

I'm going they're sharing with me where they're going I got to meet people that were just getting at release from prison that hadn't seen their families in 20 years I got to meet a family that was traveling around the world from France that decided to take a short jaunt across the Arizona and so I got to meet all of these people along along this journey which finally and led to Def Con so after I got off the bus I went straight to DEFCON and got my badge and sat down in line the very first person that I saw and met and talked to I got to share these stories with I got to tell them why I was there and I did he

it wasn't like he gave me a job on the spot or you need to work in cybersecurity but I got to make friends at this conference and so for the next three years I came back to Def Con I wasn't looking for a job I was just kind of looking to be around what I felt were my peers I wanted to be around smart intelligent people I wanted to have fun I wanted to start a little mischief when I could so that was 6 def cons ago after the third DEFCON this first person that I met said why aren't you working in cybersecurity yet why haven't you gotten off your butt and gotten a couple of

certifications and got in and and he was right and so what is my background anyway so my background originally was theology and so that's why I thought this uh a reporter picked up on my story and I think the headline makes them good clickbait so theology is the study of ethics and personal beliefs and how those beliefs affect society and so if you think about you wouldn't think that that's the obvious crossover from you know religious studies to cybersecurity but if you start thinking about cybersecurity as more of a human problem tracking organizations and groups you start to see that maybe somebody with a broader worldview could perhaps draw some connections whereas someone who is

more technically focused would miss so when you're creating your own path you still need to get the right training and that training may be the traditional you know cyber security degree it may be it may be of various numbers of certifications but what's gonna help you fine-tune what you need to do has more to do with what your interest is what your background is what what you're looking to do and that's why getting a mentor and talking to people in the industry to find out which certifications are actually valued what employers are looking for and it's okay to be different it's okay to be the outlier because it's often those outliers that get the job

one one program that I am currently working through is an interdisciplinary studies degree and I'm working with the University of Maine and Augusta to develop a cyber intelligence program with concentration in psychology and political science so I work for a non-profit an AIESEC is a nonprofit organization we do not we don't have any goods to sell our services are member-driven one of the things that I have learned is that most of the cybersecurity world is very profit focused and profit driven and so your needs or whatever the vendor says you need because they can sell that product to you but oftentimes things that make a difference you can't sell the things that make a difference are people you

know basic hygiene basic hygiene doesn't cost a lot of money it doesn't your vendor for the certain for for your system actually has you know included in the cost of the license patching so when profits are off the table and funding is tight we started our Isacc with five companies who kind of believed in a dream and they brought me they brought me on board and said okay this is our dream let's make it happen but what we didn't want to do is we didn't want to ask for government funding because we wanted to maintain control of where we went and so funding was definitely tight and this sort of ended ended up with a

journey for us to do to define what we could do as a small organization that would make a big impact things that we focus on are human factors security both adversaries and defenses so I like to profile groups and organizations but I also like to identify what's going on within an organization that leads to some of these pitfalls I help companies and yes even some countries develop a cybersecurity Travis strategy because there is very little support in this industry on developing a strategy that is the CISOs role but nobody really has figured out how to do that effectively yet getting some CISOs with experience and discussing it is a way that we can start creating what these best practices

should be and innovation support when I work in an industry that is on the cusp of digital innovation and cybersecurity is often seen as like an afterthought let's do they give you a shiny new product now how do you secure it and so what we've been promoting is secured by design we've been promoting bringing your cybersecurity guys to the table during the develop or as early as possible in the developmental stages so that we can talk about security and talk about where we should how we can support them through the innovation process so where do you fit your challenges that think about cybersecurity differently everyone has an idea of what cybersecurity is and a lot of people

think that it is stock analyst pentester the cybersecurity actually involves so much more we're not talking about you know wargames whereas kid versus kid we're talking about businesses versus business corporate versus corporate the the bad guys or our big corporations with office buildings and they have planning and they do their own tabletop exercises you know they're there they have a sales force that are fully trained to to help they're there they're people that become better social engineers so we're thinking about cybersecurity wrong we need to have a much bigger overview in order to support it and definitely the most important thing that I want you guys to get from this is that you need to network with people the only

way that you can get into this industry is not by following some some predefined path that path doesn't exist and we're giving each other terrible advice about it we we have very well-intentioned people who are cyber security professionals that says if you do a B and C you'll get to D and that's not the case

and I'm not sure where I was on time so everyone else thinks about services industries okay so I work for an organization that well mining and metals was actually a kind of late to the party as far as cybersecurity because they were largely an ignored field and so no one was really after them nobody attacked them they didn't get hit with anything and so they didn't really invest very much into cyber security until a few years ago and so a few years ago they were hit by a financially motivated threat after that hit an um a series of mining companies and so these mining companies decided that they needed to get together and work together in order to combat

this because the problem was bigger than any one company should be defending against and so so not well yes yes absolutely Natural Resources part of mining and metals is also oil and gas and manufacture the film manufacturing is a part of that as well but a lot of these weren't hit until everyone was getting hit and so as Irish security was kind of cyber threats were ramping up they were also at the same time creating an environment where they were opening opening the doors per se because of digital innovation they were connecting more to the smart grid they're connecting more they're doing things more remotely and so this organization sort of kite right at the perfect time - for these

guys to decide oh we're gonna we're gonna solve this we're gonna solve it together we're gonna collaborate and we're gonna work on these projects we're gonna we're gonna conduct the research necessary to do it how did I get the job well after after a few series of def cons I went home and I studied I got certifications I enrolled in college classes but the people that I knew that I met at Def Con knew my background knew what I did and they decided oh you're ready now you're ready to help us put this organization together and they wanted me because I had a different background

yeah just on the mentoring concert mean how would you recommend someone who's you know we know about students they've got professors they've got internships someone maybe like you're you know you're kind of ageing my age you know how do I go off and find someone to sort of say you know if I was brand new to this industry and I was comes DEFCON not be such for the first time we don't who do I turn to so absolutely and I think cybersecurity is a perfect second career I believe that you you have to come to these types of events and you have to talk to people you have to and I'm willing I I've actually put myself out

there as well and I know other people who have gotten into the industry this in a similar fashion where they were sort of mentored in have returned the favor by doing it for others nice coffee come on sir oh my god you did it perfect thank you thank you so much that's awesome I am very brief here are napkins

Oh hold that now my question is was that your outrageous request to drop a cup of coffee in front of everyone so there's this thing I get to travel all over the world and there is sort of a tradition I have two traditions one of them is I want to go to a McDonald's in every country so I can order off whatever they're crazy menu is the other one is I want a nice coffee and they never have it so until my original question was are you still coming to DEFCON by bus or have you upgraded so I have upgraded that was a one-time experience but I I actually wouldn't have had it any other

way and I'm not sure that my experience would have been as good had I not had the four days of social engineering practice it was a good warm-up oh so that was from Alabama I no longer live in Alabama

[Applause]