
I hadn't introduced myself. My name is Kathleen Smith, I'm @YesItsKathleen on Twitter, and I'd like to welcome you here to Hire Ground. This has been my baby for the last four years: understanding that career search is a challenge in our community and trying to find different ways to make it more comfortable. In the 17 years that I have been doing recruitment marketing, I've been on Twitter for about ten, and one of the first people I followed was this lovely lady, Lesley Carhart, @hacks4pancakes. And it has been wonderful watching her mentor and coach people on Twitter, and going... taking her personal time, going to conferences and making sure that people understand that she's
available for career search. So I was very honored when she accepted my invitation to be our kick-off speaker. So without further ado, Lesley, please kick us off.

Thank you, Kathleen, appreciate it. All right, so, um, I want to tell you guys a story. We're gonna start with story time. So it was a dark and stormy night, a long, long time... No. Okay, sorry, it was last April, Tuesday, it was a little foggy. And we're gonna talk about two people today. We're gonna talk about Alice and Bob. Who's met Alice and Bob before? I think a few of you have probably, at some point in your InfoSec careers, met Alice and Bob. All right, so in our parable... I'm not gonna need this. In
our parable, Alice is somebody who's a little bit farther along in her career, and she has decided to make a lateral move from another technical field into InfoSec. And Bob is a pretty young college... recent college graduate who is trying to get his first position in InfoSec. And they're facing different challenges, Alice and Bob. It's almost easier if I don't use this microphone, I'm sorry. And we're going to talk about those challenges that they're facing, and I want you to try to put yourselves in the shoes of one of them at different points during this talk, and recognize the challenges that they're facing as the challenges that you might be facing as you're trying to get a position in InfoSec
or trying to move up the career path. And feel free to use them as a shield, too. If you want to ask a question about what to do in a specific scenario in terms of hiring or job progression, you can definitely use either Alice or Bob as an example to phrase your question to me. All right, so really quickly about me: my name is Lesley Carhart. I worked for a company called Dragos, and I mostly do digital forensics and incident response, so that's figuring out how bad people did bad stuff to good things. I've been doing this for 20 years this year. Oh my god. Yeah, yeah, for reals. I run a Twitter, it's called @hacks4pancakes.
If you don't follow it, good, I'm happy for you. I also run a blog, which you probably should follow, called tisiphone.net, where I talk about infrastructure education, finding your first job, and then also some tutorials on how to do various digital forensics and incident response stuff. And I also punch things semi-professionally. So let's... I am also a reservist, yes. Try to not bring that up too much on the interwebs, but yes, I'm also a reservist. I do things. So, but this talk isn't about me, it's about Alice and Bob. So let's talk about Alice a little bit. So Alice is about 36 years old and she's working as a NOC technician. So who here... is anybody here
worked in network operations, network engineering? Okay, a couple people. So, pretty familiar background. She knows networking stuff really, really well. She obviously spends a lot of time looking at packets, looking at TCP/IP, but she hasn't spent a lot of time on systems administration, so she's a little weaker there. And she got involved in an InfoSec case, like, a few months ago, and she said, "Wow, this is really my thing." She got involved in doing some network forensics and she was like, "This is super cool, I want to do this for a living." And so she's been trying to figure out how to do that. But Alice is also a parent, and she has kids in middle school with
hectic schedules. She is well into a career, she relies on the money to support her family, and making a lateral move is pretty hard for a lot of reasons. But she's made it to BSides Las Vegas, she's made it to Hire Ground, good job, Alice, and she's ready to make that next move. So let's talk about Bob a little bit. So Bob is a lot younger. He is just out of college, he studied information security in college, and he's never really had a job yet. He's done some fast food and some work at the student union, and he loves computers. He grew up tinkering with them. He has a pretty solid understanding of, like, scripting
and, you know, basic computer security stuff, Kali, etc., but he doesn't have any experience with, like, how corporate environments and corporate networks really work. He's also really, really shy. He's incredibly introverted and it's giving him problems on his job hunt. So he's also made it to BSides, BSides Las Vegas, and he's also at Hire Ground, so good job, Bob. But before we get into Alice and Bob anymore, I want you to take a moment, and I've given you a paper and a pen here to help you write down ideas and think about your own problems and concerns and how you want to resolve them. The first thing I want you to think about is: what
is the thing in the back of your mind that scares you the most about making the next move in your career, whether that's into InfoSec, or getting promoted, or moving to another company? What is that thing that alarms you the most and makes you the most hesitant about making that change? It could be that imposter syndrome, like, "I'm not good enough." It could be, "It's kind of hard right now to get an entry-level job in InfoSec." It could be, "I don't have enough money to get the certificates that I think I need, or to go back to school." It could also be career uncertainty, like, I have this really stable job right now in
something else, and if I go into InfoSec, I don't know what's gonna happen. And finally, it could be, you know, there's a lot of problems in the InfoSec community with substance abuse, with trolling, etc., etc., and those can really put people off. So, any of those things. And keep in mind that your greatest personal fear, or my greatest personal fear, is not necessarily our greatest real weakness from the perspective of other people. But I still want you to keep in mind what you think your greatest weakness and your greatest fear are. So we're going to talk about Alice and Bob's greatest fears, and we're going to talk about some advice I would give them. And let's start
with Alice. So Alice says, um, she comes up to me and she tells me, "I've done a lot of important technical work in my career, but I don't think I convey its value really well in my resume." So that's something I hear a lot, and I see a lot, because I edit and I review a lot of resumes. So let's think for a moment about your resume. So think about the last position you've held as a professional, whether that is, you know, in an InfoSec job, or in some technical field, or in a completely non-technical field. Think about that position that you've held most recently, or you're in right now, and think about one thing that you do as part of your
job. So this is... you guys have to participate, right? This is audience participation. All right, don't make me come down there. Anyway, so think about one thing that you do and write it down on a piece of paper in front of you. Just one, one task, one work bullet. We all do things. It can be very simple. It can be "I administer Exchange," "I respond to security alerts." One thing. I see some people writing. Good job. All right, now I want to tell you how I fix people's work experience bullets to make them convey impact. I have a rule of thumb for work experience bullets on a resume, and each should contain three things, and those
three things are an action, an impact, and quantification. Let me explain what each of those things are. The action is the thing you just wrote down: "I do the thing." That's the same as a job posting for your position. It says you've got to administer Exchange, you've got to respond to security alerts, you've got to monitor antivirus, whatever. Those are actions that you have to take as part of your position to maintain your position. But we have to add a couple more things, and this is where I see people really, really have problems on their resumes. The second thing is impact. Now, um, on your resume it's really hard for a lot of us to brag. We're mostly pretty humble
and introverted, introverted people. So why does this thing, the thing that you just described that you do as part of your position, matter to your organization? What impact does it have on your bottom line, on your team, on the people who work with you, on your ability to work faster, work better? Think about that and add that to your piece of paper under that bullet. Why is that thing important? Imagine I'm standing in front of you, we're talking one-to-one, and I say, "Why is it important that you upgraded Exchange to the latest version? Why does it matter?" So write that down next. That's your impact. And finally, we have quantification, and quantification is adding, like, a scope to that impact so
that people know how much impact you had. So that could be money, that could be the number of people you serve, the number of people you work with, the number of people you trained, the dollars you prevented being lost during an attack, or the number of nodes that you service on your network. Lots of different things. But every work experience bullet should have a bullet to give me context, to see what size organization you are working in and what kind of, you know, pace, tempo of operations you are working in, and also to give us an idea of the value of the work that you are doing, and that you understood that it has value. So
hopefully you have three things written down on your piece of paper right now. Finally, I want to remind you to sell, don't tell. Your work experience bullets and your resume should never read like a job posting for your current position. Anybody who comes into your position is going to be doing a set, set of roles. They're going to be doing... they're gonna be administering things, responding to alerts, etc. Why did you do it better? Your resume should be talking about your contribution: what you did and why it was valuable. A few more notes about resumes and the problems I see on them all the time as I'm reviewing them. First of all, watch your tense and your voice. I see a
lot of people hop between past... present and past tense. Your current position should generally be present tense, and your past positions should be past tense. I also see active versus passive voice changing. I should also understand, through... between the cover letter and the resume, what in the world you want to do. Do you want to make a transition to another role in InfoSec? Do you want to go from red team to blue team, etc., etc.? Or do you want to move upwards, or do you want to move laterally? I should get an understanding of that by reading your resume, whether that's an impact statement or it's your cover letter. Plan for automated review. So, computers will read
your resume before any human being does. That's how HR systems work at large organizations. Make sure that the proper keywords that match the job posting you're applying for are in your resume, it's in a standard format that isn't going to balk when it's converted to text, and that it's using simple markup and not a lot of fancy formatting. Don't bias the reviewers. I've seen people's photos, headshots, I've seen cute jokes, memes, weird and old email addresses, like, you know, something kitschy from when you were a teenager at aol.com. And a lot of those things make assumptions about the reviewers. They assume that the reviewer is technical, that they are into pop culture, that they're into hacker culture,
and that's not necessarily true, especially looking at the HR level. Keep in mind that your volunteerism, your talks, your project participation, and even military service are all very applicable, so make sure they're on your resume. We want to know that you're involved and you're interested. And always let a professional editor and a technical person review, read through your resume and give you commentary. All right, so Alice tells me, "InfoSec seems really into drinking and partying. I'm a fun person, but I'm not 21 anymore. Will I not be able to network?" I know people have that unconscious fear out there, because our scene is known for parties, and especially DEF CON, Black Hat, and heavy drinking. All right, so I'm not
drinking right now. Good. Drinking water. All right, so here's what I want to tell you: it's okay to not drink when you're in InfoSec. The important thing to me is that you're interested in learning, you're interested in keeping your knowledge up, you want to learn more, and you're passionate about security. That's what matters. It's okay to not smoke. It's okay to not party all night. It's okay to even not want to go to since parties that I love. That's fine. Yes, that's even in Vegas. There's lots of stuff to do here in Vegas for non-drinkers: wonderful food, wonderful shows, cool spas, lots of cool things to see. So what I want you to do here, raise
your hand here, I want a few of you to make a pledge, and that pledge is you'll, at some point during this week, hacker summer camp, you're willing to hang out with a non-drinker. You're willing to hang out with a non-drinker. Okay, look around, see the people who are raising their hands. And you promise me, you promise me personally, hacks4pancakes, you're not going to pressure them to drink and you're not going to take them somewhere where all there is to do is drink. Cool. If you're one of those people who raised your hands, I've got some stickers up here. They are just, like, little colored stickers, they're nothing obtuse or offensive. You can stick one of
them on your lanyard or on your badge, and anybody else here who needs some time away from the drinking scene and the party scene, go find one of those people who has a sticker on their lanyard. And pass that around. You can take some of the stickers with you, kind of start a trend, maybe, over BSides, you know, for people who don't want to drink and don't want to party and need some quiet space. All right, so we've got one that both Alice and Bob were concerned about, and here's both of their perspectives: I really want to do this, but I'm worried I'm just not good enough. There's so much stuff I don't know. The college... the college kids seem to know
everything. And then we have the college kid, who's Bob, saying, "I'm pretty good with Kali and scripting, but there are some things I just don't understand about networking. I'm embarrassed to admit it or ask for help." I think most of us fall into one of those two categories: either we're feeling like, well, we're imposters, or that we're terrified to ask questions because we'll be shamed for it. So I'll tell you my rule about that. You will never, ever, ever, ever, ever, ever know everything about InfoSec, and nobody else does either. And the more that you focus on one niche, whether it's red team or blue team, you know, DFIR, mal reversing, pen testing, the harder it's gonna be to keep up
with the minutiae of the other ones. And the more you learn, the more you're gonna find out that you don't know. It's just the progression of things. After 20 years there's so much I know I don't know. It just... it's progressive, and I'm constantly learning, and you should be constantly learning too, and trying to advance your skills. But nonetheless, you're still going to have those moments where you're like, "I don't know about this whole subject matter here, and it's in a different niche of InfoSec, and I'm gonna have to learn about it eventually, but I don't know." So keep trying to learn. And when you run into those people who have refused to help you for the sake of
refusing, like, "Oh, you should go it alone, read the man page," whatever, they're not worth your time. There's plenty of people who will help you, and you should be willing to help others, because nobody will ever know everything about InfoSec. Okay, so real quick, raise your hand if sometimes you feel like an imposter in any area of InfoSec. Any area. Now, there's a lot of hands up there. Good job, well done. If you've got two years or more of InfoSec and you feel like that, keep your hand up. If you've got five years or more of InfoSec and you sometimes feel like you don't know everything, keep your hands up. Eight years? All right, there's
still hands up there, guys. I mean, already, here's my hand. There's lots of things I don't know about InfoSec. All right. Oh my god, you guys, you're surrounded by people who have been doing this for years and years and years, and they still don't feel like they know everything. So that's okay. Keep asking questions, keep learning. You're here, and that's awesome. All right, let's talk about Bob for a sec: "I get really nervous in interviews. I mess up and people can't see the real me." So, I'm sorry, I'm a little... sorry, this Onion article just got posted, like, yesterday, and my former boss posted and I was, "Oh, that's sweet." Okay, a slide where we say hello. So here's what I want you to
do. It's only gonna take, like, a minute. I want you to turn to one person sitting around you, hopefully somebody you don't know. I want you to look them in the eyes. I know, that's so hard. I'm looking you all in the eyes right now. Oh my god. Look them in the eyes, and then I want you to introduce yourself, say who you are, and I want you to just... so this is an easy one: tell them about a really good meal, around here or at home, that you've eaten recently. Okay? And then once you've told them about that meal, tell them one thing that makes you a great InfoSec candidate. Then trade places. So
start with the icebreaker. Tell them about food. Food is easy. Everybody likes food. Who doesn't like food? Thank God. Okay, all right, so find a person and tell them. All right, one minute, go, you guys. Okay. Okay, so I encourage you to continue those conversations after this talk as well. Yes, make friends. All right, so eight things you might mess up in job interviews that I've seen repeatedly: not being up-to-date on current events in InfoSec. So you go, and you get your degree, and you're like, "I got my degree," and then you don't read anything or learn anything. You're all doing better by being at a con right now, but that's a problem I see, especially a lot from, like,
recent graduates or people who graduated a couple of years ago. They didn't keep up with, like, what are the cases in the news, what's new in cybersecurity law, you know, stuff like that. Failing to convey your passion for the role or the industry. I mean, you don't have to be doing a ton of stuff outside of your own, you know, work hours. Just show that you like to listen to podcasts, or read something, or there's some area that you're interested in learning more about. I run into a lot of people who just show no interest in doing anything. Being too formal or, more likely, too informal. Read the room. If you're having trouble with that, take
a speech class, take an improv class. Get a handle on: am I being too casual with these people who I'm talking to right now, or am I being too formal? Are you answering the question which you are asked? Are you evading? A lot of people, when they get nervous and they don't know the answer to something, they change the topic. It's not the appropriate thing to do in an interview. It's okay to say you don't know something, or give your best guess, but don't, like, try to change the topic. We have reasons for asking the questions we ask. Speaking at the wrong technical depth for the interviewer or the question. Definitely a problem. If you're
talking to the HR people, they're gonna have a different skill set than the technical person from engineering. Failing to convey why you want the specific job or why you're a great fit. Again, showing that passion, showing that you're interested, showing that you have an interest in that specific line of work. And also failing to read up on, like, the organization or the job you're applying for. You should know some basic details about what the company does. Like, it just shows that you care. And finally, are you hacksplaining? I invented that term last night. Do you like it? Yes? Yay. Hacksplaining is when you tell the interviewer what they're doing wrong and how they should rebuild the organization
without having any prompting from them, or having any background info on why they do things the way they do. And this is not gender specific at all. This is, like, just don't do it. Like, when you're in an interview, like, don't tell them, "Well, you should be on Exchange, like, what are you doing?" When they want your opinion, they will ask for it, and please provide them insight, but you don't have the information about the problems they faced. All right, so, Bob: "All the entry-level job postings I see are for two years of experience. How am I ever supposed to get my foot in the door?" Okay. Apply anyway. Say it with me: apply anyway. Okay, because, so here's the bad news:
yes, entry-level InfoSec is getting saturated. There's more degree programs, there's more people interested in a field, there's more people graduating at an entry-level, low level, tier 1, here's tier 0, tier 2. And employers can get pickier, and their HR departments can tell them to get pickier, demand degrees, demand certifications. It depends a lot on the region you're in, in the market, and red team, of course, is generally smaller and more competitive than blue team. Understand that you might have to move laterally or upwards, and you're gonna have to network. In person is better. It's great that you're at a con today. Get your name out there for positive or valuable stuff, whether it's just blogging or podcasting or, you know,
doing a project or doing CTFs. You should have a good resume and good interview skills, and you should maintain your current knowledge by reading and watching stuff. This is all doable. Um, you can totally do this. Oh, I'm sorry. Okay, I need, I need some from the hiring managers in here, people who hired. Raise your hand if you're... your organization hires blue team people. Okay, there's a few people with your hands up. Now, put your hands down. Raise your hand if you're considering a move to a blue team position. So, those people who raised their hands earlier, I want you to take a business card out and hand them to one of the people with their hands up. Just
walk over to one of the people with their hands up and hand them a business card. Okay, it's not that bad. It's not that bad, I promise. Just walk over and hand them a business card. Okay, all right, cool. All right, red team: who is hiring for red team or purple team? A couple people. If you're hiring for red... oh my god, there's a whole table doctor at Bank of America. If you're hiring for red team or purple team, feel free to raise your hand. If you're seeking a position in red team or purple team, feel free to hand a business card to one of those folks, and keep an eye on that table back there at Bank of America too,
because you'll want to talk to them after this. Okay, so we've talked about a bunch of things that worry Alice and Bob. I want you to do one more thing with your piece of paper here today. I want you to commit to one change coming out of Hire Ground today. It could be anything related to the things we've talked about: improving your interview skills, rewriting your resume, being less afraid to interact with the people around you, getting involved more in the community, or doing more in-person networking. And for the people who are here who are established and are recruiting: helping another person succeed in their search. I want you to write that down on your piece of paper,
that one commitment, and put it in your laptop bag or your purse here and wallet, so you're gonna see it throughout this con. Okay, all right, so, questions or comments? I think we've got a couple minutes. You're welcome to use Alice or Bob as your examples. If you don't want to ask a personal question, you can ask about their scenarios. Remember, Bob is a 20-something-year-old recent grad, and Alice is 30-something, making a lateral move from another position. I'll open it up. Ma'am? A Bob, okay.
It is very hard. So I encourage you to take a role that gives you exposure to a lot of different things. Now, you're gonna kind of need to decide whether you want to do red team or blue team, whether you want to do more offensive stuff or defense stuff, so that's gonna depend on your hobby work, what you've been doing, what you've been reading about. For blue team, get a SOC job. Get something that gives you exposure to a lot of different roles, and just do that for a year or two and get that exposure, and find out what mal reversing is like, find out what, you know, incident response and digital forensics look like, and start deciding
what's more of your thing. But there are entry levels like that, the entry-level positions like that, that give you exposure to a lot of different things that are going to help you fine-tune what is your mindset best for. Anything else? Okay, no? All right. Oh, I'm sorry, sir. Okay.
It's tough, especially... and that was kind of Alice's problem too, was, "I have a family and I can't move downward. I need to make a lateral move where I'm making the same money." Network, network, network. And also start trying to build up those skills through extracurricular stuff, if you can. You know, at the cons, do CTFs, do a talk, kind of build up that portfolio that you can bring to somebody at a more lateral level. Okay, so I think that's all we have time for. Thank you for your attention today. I hope you guys have some ideas about where you're going to go for the next few hours of Hire Ground. Feel free to come up here and
take a sticker, or you can pass them around. Try to get those out there. If you're willing to hang out with somebody who doesn't want to drink, they can find you, look at your badge and see that colored sticker on there, and they'll know that you're somebody they can hang out with and not get pushed to do shots, stuff like that. Cool beans. Okay, thank you, everybody. [Applause]