
HG - The Key to Managing High Performance Security Teams - Mike Murray

BSides Las Vegas · 56:26 · 105 views · Published 2018-09
About this talk
The Key to Managing High Performance Security Teams - Mike Murray. Hire Ground, BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018.
Transcript (en)

so thank you Mike Marie is just absolutely phenomenal and this is his third year presenting for me because I find that a lot of the career tracks really talk at sort of an entry level or a basic level and there are many of us in the community who really don't need to sort of have that extra midway in our career or what do we want to do to move beyond into management or we're trying to talk about other issues in our mind and just pentesting or blue team or red team so Mike comes up with a new wonderful topic each year and then this year it sounds like we ended up having coffee about 15 minutes ago and he

totally changed his presentation based on that so with that Mike Murray yeah oh there we go all right technology all right so seriously actually before I start can we do another round of applause for Kathleen she's amazing and and really the driving force behind this whole thing and and to me so I've told her this before but I'm gonna say this in front of everybody this is literally my favorite talk I get to do all year I talk a lot right I talk to a lot of conferences I talk about a lot of things but this is one of the few where I really get to feel like I'm giving back and it's a lot of war

stories and a lot of things that I've learned over oh wow am i old over almost 20 years of managing insecurity and as Kathleen said each year I've sort of shifted the the talk this year I had an entire plan and I got to two days ago and I realized that I didn't like anything I was saying so I completely rewrote this from scratch so you guys are getting a very different presentation than I've ever given before because I've noticed a pattern or two in the industry that I really want to call out and I really want to talk about I really want to point out at the same time I'm not here to espouse really I'm here for all of

you so I plan on it this is an hour but I plan on only going probably 25 to 30 min because each of the last two years that I've done this we've spent more time on questions and answers and interesting just you know whatever problems you all are having then whatever I want to talk about and I I liked that format I like being able to hear what you all want and what you're all thinking so we're gonna do the same thing and I I have to start this meeting with a caveat because we're live-streaming so and I'm gonna tell a story about what happened to me last year so I got up here last year and I did what I think

was the weirdest most boring security talk ever at any conference I did an entire talk on how to have meetings which I'm yeah I'm a management nerd guys I like that kind of stuff I like thinking about how to have good meetings and what was really awesome is I spent a bunch of time talking about how important one-on-one meetings are and before I even get off the stage there was a slack message from one of my junior employees they said why don't you ever have one-on-ones with me so I'm gonna say it upfront I look managing is hard and it is hard to do all the things that I'm going to talk about well and I

will promise you I don't do them well even after 20 years this stuff's really hard honestly I got into management because I love like I'm probably a lot like most of you guys though it seems like I'm an extrovert and I'm very outgoing and effusive and when if you see me at a party I'm actually really shy and I really would rather just be sitting in a corner with my laptop and my headphones on then actually dealing with or talking to people and so this is hard for me and it's actually I think because it's hard for me is why I want to teach it none of this is actually ever easy and so to talk about how to

get teams in this industry to do well I think it's a really important set of topics for for anybody who wants to go into management so actually before I even start how many of you think you want to be a manager some day oh I'm so sorry I I'm glad you're here I hope at least one of you I talked out of it and and that's not because management is not fulfilling it is it's actually I I will tell you the best things I've ever done in my career are through other people not through things that I came up with and the things that I am most proud of are the days that I actually just sat there

while someone else did the work but I knew I had prepared them to do that work and they kicked a lot of ass and I just really got to sit there and buy pizza like that that's a great day for me but it's hard to get there and all the other days where it doesn't happen like that are really unfortunate but to that I want to talk about some of the things that make management in InfoSec and especially high-end InfoSec so when I say high-end InfoSec you know you let you go around black hat and DEF CON and you see some of these talks and you realize that someone is literally talking about how to do some crazy

cosmic ray bit flip of a register and a PCP you that you've never heard of managing those people right because they're a very unique breed and this industry breeds a type of people that actually I tell any first-time manager in security that if you learn to manage security people well you can pretty much manage anyone because we are the hardest first of all I think we're the hardest industry in the world to have a sustainable career in and on the other side of that we're the hardest industry in the world to make sure that other people under us have a sustainable career in and it's funny cuz to me it's not a feature or sorry it's not a bug

it's a feature and it's a feature of the industry the industry itself is set up so that the career is really hard to maintain and management is even harder so let me ask you guys a question how many have you been have been strictly in security security job only not product management not marketing not sales engineering for more than 10 years good that's about half the audience yeah now how of of that half of you of the people you started with how many of the people on your first team's more than 50% of them are still in the industry really so about half of them so I've been doing this for 20 years and all my first three teams I

think about 10 percent of those people are still in security that's not true of other industries and there's a reason why and we don't often think about what it means we think about what it means when we talk about security a lot if you go to if you go just look at the talk roster at blackhat this year versus the talk roster at blackhat in 2012 you will notice the talks are about completely different subjects write the word SEC DevOps he's everywhere this year that word didn't even exist two years ago and now it's the main focus of this conference and there's a reason for it it's fundamentally baked into the industry um anybody know what the

technology lifecycle is okay so first of all anybody ever read Geoffrey Moore's crossing the chasm okay seminal book if you want to be in management if you want to understand business in technology you must read that book it is absolutely required it's a little old now it was written in 2001 but more actually talked a lot about the technology lifecycle and basically the idea is that as the technology goes through its maturity it has a bell curve life cycle looks kind of like this right and in the early days of a technology nobody uses it right this is basically the the axis on the left here is the number of people who actually use the technology and sort of

on day one right on actually it's more like day zero because this is like early alphas and early betas this tiny fragment of people who actually use the product right and over time if the product is at all successful then you get early adopters right these are the people who lined up outside the Apple Store for the very first iPhone even though the stupid thing didn't actually let you send a text message or cut and paste right and those are the same people who are still lining up if those are the people who got the iPhone acts even though I thought face ID was the craziest idea I ever saw and really didn't not that technology but still whole ton

of people bought it right then you get to the sort of early majority went when you really start to hear about the product the late majority which is sort of you know when when when my mom comes to me and says what's this iPad thing I've heard about and then finally what's known as the laggards not gonna I hope I don't offend too many government people but anybody's still on Windows XP that's them right and and you know you see government large companies you know older sort of non-technical businesses this is sort of the curve of obsolescence of every technology now here's the trick question for us across this lifecycle where did the security issues happen we goat said no no not at

all not at all when when was the last time there was a massively significant vulnerability like changed the whole internet vulnerability in the TCP for stack at least right we're talking at least a decade when was the last time there was a vulnerability and I don't know Apache spark like yesterday right and actually what the curve looks like if you look about vulnerability distribution is it looks like this right so when the product first comes out that think Swiss cheese because nobody you know that the three people in the garage you just developed the technology did they care about security at all no they're just trying to get the product out the door right the very first

version of the technology always sucks but nobody uses it so there's no loss right you're not really worried about a hacker hacking your limited beta that you've only allowed three users to have it's actually what the interesting thing is is as the technology matures and people start to use it this is where the attackers really get interested right this is so this is Facebook in 2005 when it was just you know Mark Mark Zuckerberg and Harvard and nobody cared this is Facebook in 2010 when suddenly everybody's doing the oh no I'm stuck in London I just got hit over the head with a brick please send me money remembers the the scams there was this

huge proliferation of stuff on social media around that we spent all this time building social media protection products there's companies still that are advertising social media security you know somewhere on the show floor somewhere within a hundred yards of here I guarantee it and this is where we spend almost all of our time now what's interesting about that is the consequences it has for our careers and for our people because it means so in general for the most part in today's world I have if this was five years ago I I would quote you a different number but in today's world we have a new technology shift like this about every three years are you SEC DevOps as an example right

now SEC DevOps is sort of at this level of popularity right now three years ago lots of people sort of knew about it and they're you know there's some whispered conversations in the hallway between the few thought leaders but now everybody talks about it by the way two or three years from now SEC DevOps is a cos a and ideas going to be out here and there's gonna be one talk at this conference about SEC DevOps because it's going to be widely accepted now what this means for us as an industry is actually a huge problem and to understand the problem we have to talk about accounting not because I like talking about accounting but so that you understand the pace of

change in other industries innovations in accounting so CPA cert 1896 get the rules of accounting the fundamental rules are called GATT the generally accepted accounting principles or GAAP the GAAP rules do change a little bit every year but fundamentally gaps pretty much been the same since 1939 if you learn GAAP in 1939 you could read a couple of articles and be up to speed on today so in the last 60 or 70 years your knowledge is stable in the last ten years of security our life kind of looks like this oh don't worry it speeds up and and I'm probably a couple years behind I know I forgot that a sec DevOps out here somewhere um you get the point our

industry is evolved more in the last ten years than accounting has since 1939 right and so it leads us to this world where constant update and constant reinvention is required we must continually learn and I my rule of thumb is really simple every three years the most valuable thing in security changes like I and I'm using sec devops as an example because that is you know pretty much one of those things right now if you're if you're an expert in sec DevOps you have lots to talk about you have lots of things to write about you have lots of conference talks to give and you have lots of people who want to offer you a job if you're an expert in you

know protecting wpa2 on wireless networks well not so much right and yet in 2003 15 years ago if you were an expert on protecting wpa2 in wireless networks there does anybody know there was actually a certified wireless administrator certification okay okay now that I've asked that did any of you get it I was hoping no I was literally hoping that there would be at least one person who got that sir the point being something that was important enough that we made a certification for it 15 years ago is now not even a job that's how fast this industry evolves and so a lot of us end up like this and the reason I asked the question about how many people

that you started out with are still in security is because our level of attrition is so high if you start out in the career path as an accountant you generally are an accountant when you're 50 but there are exceptions to that rule but in security it's the other way around the people who have been around for 20 years I'm walk around here how many people have actually done nothing but security for the last 20 years a fair but it's look you guys are a very small handful right you're a very small handful of your peers yep okay and I guarantee you the only one in the room who's done that right yeah which I caught earlier and I was like that's not

that's a good t-shirt I want one of those but but the idea that people people don't stay in security for this long for a reason so if my favorite jokes ever made on the blackhat stage Scott Blake did a talk and for those of you who remember Scott Blake he started the Razr team at bind view he was see so at Liberty Mutual for a while and Scott did a talk I think it was in 2001 called should you hire hackers were you there Scott open to talk with my all-time favorite security dad joke what's the difference between a hacker and a security professional no time of day nice not a bad guess a mortgage and the fact that you are

laughs means you all get that right like that that is actually true there's a truth to that statement and because of that as soon as we want to grow up and not continue to reinvent ourselves every year and not continue to learn by the way I have ridiculous ADHD anybody who has ever hung out with me knows I'm always thinking about something new I'm always learning something new this industry works really well for me because after about three years of knowing something I'm bored and want to learn something else and so that's why I'm still here is because this industry fits for that if I had at 27 decided I wanted to Coast for the rest of my

career I I would still probably be a pretty decent web at pentester but how useful a skill is that really right that skill obsoletes really fast whereas if I was still if I learned accounting in school I would still be a decent accountant I might not be the best account the world but I'd still have a job and this means that our industry has one trait that I think nobody talks about although actually I so some people after me are gonna talk about this there's I'm really excited this is becoming the topic of conversation this week and we talk about it a lot so my company our headquarters is in San Francisco actually any of you guys in in tech in

seconds in the Bay Area so come about few of you okay so so the one thing that I've noticed that you guys can confirm if you're seeing the same thing but all of my friends are seeing the same thing rates of attrition on staff for security people in San Francisco range between 35 and 50 percent a year so and and it's really interesting to me to talk to managers around me who haven't come from security because if you didn't come from security actually our CEO so our CEO is brilliant man he's just he's done all this incredible business stuff over the years and he said to me so he he's built tech companies in Boston on the East

Coast you know over many many years and he said you know when I was growing up if a CEO had seven percent attrition the board was asking them why they they were terrible at their jobs and he took over this company and his first reaction is 30% attrition oh my goodness and and then people started telling them oh wow you only have 30 percent attrition great work right because that is the new normal in security and it's by the way it's it's not a bug it's not a problem it's actually a feature of everything I've been saying if you have to reinvent your skills every three years and you're in a job three years from now suddenly the

skills you're learning may not apply to the job you're in anymore right and suddenly there's movement we move a lot more than most industries we have a lot of attrition and I actually I think the only way that we as an industry survive in the law turn you know we we all try and manage it I bet if we talked to all the people at the back of the room most of the organizations have ways to try and retain their people and I'm looking at the B of a people who are who are nodding at this right and and we work really hard to retain our people but we also have to realize that kind of

movement is actually a feature of this industry and if you do that then you realize you have to change what you do as a manager and a leader like just think about it this way if you knew every one of your employees would quit in the next two years how would you change what you do would it change the way you manage right of course it would and the very first thing you would get good at is what hiring new people right because if I know and actually my favorite mathematical equation so say it takes me say it takes me 90 days to recruit an on board a new employee I have a team of four and I expect 50%

attrition how many employees do I have on that team I think your maths wrong yes no I don't I have three because if I have 50% attrition which means 50% of the people are cycling out at all times and every time that happens I lose 90 days over the course of each of those four people quitting I lose one year over the course of two one man year over the course of two years I I'm I'm averaging I'm not you know I'm not putting the variance in there yeah if we can weave through a much more detailed analysis but just in general the idea that you have a four person team but you could only ever maximally expect a three

person set of output out of that team how many of your managers would say I gave you four people but really due to three people's or the work that's not that that's not what we tell our our managers it's you have four people I don't care that one just quit you still have four heads you shouldn't be able to do four heads with the work right I completely agree with you I completely agree with that if instead of it taking you 90 days to recruit those people it takes you seven days and if you have a seven day turnaround from the time that you lose that person to the time the new person starts then

you think I'm crazy every every single person's are gonna be like that's impossible Mike oh it's absolutely possible it's absolutely possible hey so so I it's I explained it to it two to two business executives this way so we have we have a sales team right the sales team there's 35 of them their prospecting on you know a hundred and fifty accounts why don't they just do one account at a time wait until they close the deal and then start on the next account and they look at me like that's stupid who would sell like that but isn't that exactly what we do with recruiting almost across the industry I get to start looking for the next person

the day the person gives notice that 90-day clock starts that day right you're right my best case scenario is I get to start that day you're right then it has to go through HR approval backfill approval some sort of committee yeah it usually takes a week or two and then my 90 days is 120 days right and then I have two and a half people across that team of four this is the point the point is if you know that you're in an industry where attrition is a natural part of the way things work we have to change our recruiting we have to be building pipeline in advance of actually meeting the people because so it's one

thing if you're in a company like if I if I ran an accounting team and I expected one person to quit every five years I could afford to lose 90 days when that person quits if I expect half of my people to quit every year or if I'm gonna learn I really stretch it out and say okay I'm gonna be really great at keeping people I'm gonna have thirty three percent in attrition so I'm only gonna lose my one third of my people every year even still if I have that in order to maintain my productivity I must be recruiting ahead of the plan right I must be recruiting so that the day that that that per

and leaves or that that happens I am ready to move forward with the next hire as quickly as possible and here's the problem nobody is good at recruiting I and I I've been doing this for a long time and I'm literally somebody who thinks about recruiting enough to stand up and talk about it and I will tell you I might have a 50% success rate of hiring great people and the unfortunate part is there's a there's an all there's an old sporting Maxim that says best coach is the coach that has the best players right and that is true unequivocally about management it does not matter how good a manager you are if all of your people are terrible and

that's where recruiting really comes in but the problem is how do we recruit we get resumes and then what we do we interview them how many think people think interviewing works Jameis is literally the only one with his hand up why because it does it okay I actually I would love to know I I'm gonna take that offline because I'd like to hear about that because actually I think you probably are going to know most of what I what I'm gonna put in here because all the research says and this is the most this is the most uncomfortable thing for any of us to accept but I promise every single person this room does it all the research says

that you make almost exactly the same decisions after the first ten seconds as you do after thirty minutes and the idea I mean if you thought about this as the case if everybody just acknowledged this was true all we can do is like a police lineup and decide who to hire and guess what we'd hire the same people that's the scary part the scary part is if you turned your interviewing process into a police lineup most of you would end up hiring the same folks that's how strongly our unconscious process biases the recruiting process so the problem is there's not a better answer right there's no like okay here's what we're gonna do we're gonna take all the

resumes put them on a wall and throw a dart at it that might work but I don't think any of our HR people would be okay if that was our process so what do you do if you want to hire good people the very first thing is you have to accept what I just said your brain is out to get you your brain will screw you up and your brain will make sure that you hire exactly the wrong people most of us make a really screwy mistake most of us do one of two things that we do it exquisitely we are also good at it we either hire people exactly like us or we hire people exactly the opposite of us

and one of my favorite quotes I heard a psychologist named John Bradshaw say one time 180 degrees from wrong is still wrong right hiring somebody exactly like me is just as bad as hiring somebody exactly the opposite of me and we all make that mistake it's it's a built-in human bias right and we could go into the psychological reasons that we like people who are like us or we hate ourselves so we like people who are like the people we hate there's a lot of deep-seated psychological stuff there that doesn't have a place in this talk but it's true and so if you actually want to interview well and this is why knowing Davis in a little I bet he's

actually solved some of this to actually interview well your job as an interviewer is to realize your mind is out to get you and to intentionally fight yourself so my best way to do this is really simple you have to write a real job description now when I say a real job description how many you guys got I'm sure most you have a job description if you actually went to work and did exactly what was on that paper how would that work good job but exactly most of our job descriptions actually nothing to do with our jobs right and we write these job descriptions that have all this crap on them but what we're really you know it's

like must have eight years of this experience and must know how to run snort and must know how to run Metasploit etc etc and then you get to work and you never touch snort you never touch Metasploit and you spend all your time interacting with people and program managers and you hate talking to people and you're like man the hiring managers like he seems so great in the interview well why well we evaluated his Java skills and we evaluated whether or not he could use snort and Metasploit and so we gave the person the job the problem is when the job description doesn't match what you actually are looking for how are you making the decision you're

making the decision on unconscious bias you're making all of your decisions on unconscious process and so you literally could do the 15-second lineup and be equally as effective because the criteria that you've primed yourself with that you setup yourself with looks nothing like what will actually make the person successful the job and so you end up in this really screwy situation where the people you hire aren't effective but you don't know why I mean I'm a big believer that 90% of management is hiring the right people into the right roles and then getting out of their way and if you don't get this step right everything else gets hard and if you get this step right everything else gets

easy the problem is we're not wired to get this step right so you have to work really hard at it and it's ultimately about knowing more than what just goes on the paper for job descriptions for those who are really interested in nerdy about this there's a wonderful article in the Harvard Business Review about 15 years ago called the portfolio model of human capital and portfolio model of human capital basically is the best way to write that job description it basically says there are a lot more to a person's job and to a team to a set of people on a team then what actually most of us right most of us when we write a job description we literally

just sit down and go what skills and you know what kind of knowledge do they need to have eight years of Java experience 14 years of DevOps 36 years of of understanding AES like we write the skills down but we don't write down the most important question who is that person are they are they an extrovert you know what if I'm gonna hire an evangelist who goes out and speaks at conferences I probably don't want to hire a shy introvert who's not very good talking to people and similarly if I want to hire an amazing coder who's gonna solve really hard technical problems maybe like great sales skills is not what I'm looking for but maybe it is but we have to think it

through you also have to think about the team you have so what they called it in in the portfolio model was they called it the weirdness quotient every single company I will tell you so just a couple of career path jumps for me so you understand what I mean I went to GE healthcare and I ran a team of GE healthcare and I hired a team of about 20 people and all of them are I think in fact pretty sure all of them are still a GE and they're all doing a great job then I went and I work to look at now you think I hired the team of all these great people that I love did GE and I

didn't bring any of them to look at why because the weirdness and the kind of person that fits in GES culture probably doesn't want to fit in a Bay Area startup culture right or might not fit in a Bay Area startup culture and vice versa you know I I went to GE I ran my own company we were a 30-person security consulting firm I didn't take many of em to G with me either because that's also a very different set of weirdness actually funny story about about my GE employment three weeks into GE and I have to come out so you guys can see what what this was actually about three weeks into being at GE I my manager told me this

jokingly but this clearly happened he said somebody pulled him aside and said you know I don't think Mike's gonna make it I don't think Mike's gonna last year and he said why he said well have you seen the guy Sox seriously that was the reason not not tech skills not can I do the job have you seen my socks that's what I mean when I say weirdest question every company has things like that which will mean like some people fit and some people don't right and and the problem is this is where we stray into the problem that that this industry has far too much on the other side where people think about fit and their definition of

fit is everybody who looks and acts exactly like me right and we get into the diversity conversation I am actually arguing the point here is you should think about the diversity you need you should be thinking explicitly what diverse things about the people I'm bringing in will add to my organization right what is their background if I hire if I heard a tall team of PhDs from MIT that's gonna be very different than if I hire a bunch of people out of a coding boot camp in San Francisco who have made her a self-taught and have learned you know by being scrappy those are two totally different teams in some organizations I want a whole bunch of

MIT PhDs because that fits that organization in some organizations that's insane and so it's up to us as managers and leaders to think that through and to try and create a situation where we are able to hire exactly the people that we want to hire so here's my other rule of thumb and I could talk about this for an hour but it is a simple concept and we all screw it up me included it is always better to say no to a good hire than it is to make one bad hire always a hundred percent of the time by the way humans aren't wired like that you are not wired to have a candidate that almost fits and go oh

wait till the next one right we all want to close our reps we all want to move quickly we all want to we all want to round up relationship the relationship factors expert Dan Savage likes to say you know we take our partners and instead of them being the one we round them up from a point nine right the problem is when you're hiring the the research shows HR people have done a lot of research and the research shows that in general a bad hire costs you exactly one point five to two times that person's salary that is in lost opportunity costs the amount of time you take training them the amount of time that you actually

have to spend firing them and managing them, the things the organization didn't get to do because they were a distraction on your team. That's the average. So if you're hiring a $150,000 engineer and you make that mistake, you would immediately incur a $300,000 bill before you hire the next replacement. It is always better not to fill the req than to make the bad hire. And so you have to move as quickly as you can and you want to hire as fast as possible, but at the same time you absolutely have to be thinking about how do I create a situation where I am able to do that. Now, a quick, literally just a quick two-minute

digression, because I really want to get into conversations, and it's about development. So everything I've said here is about how to live in a world of attrition, but how do we keep people from attriting in the first place? The answer is development. The answer is you must be committed to actually making your people better, and that doesn't just mean with money, like a lot of us think. Especially around here, a lot of us think that commitment means I'm gonna send you to every Black Hat, DEF CON, CanSecWest, REcon, etc. around the world and you're gonna spend 26 weeks a year at conferences. That's not what I mean. What

I mean, I would love that, I would like that job too, but what I actually mean is you have to be thinking about how are you constantly causing your organization to learn and grow, and how are you setting them up for three years from now when they want to have that new set of skills, how are you getting them there. And this is an entire org effort, right? What it comes down to is not just do I send people to conferences. My team, I think we have 11 or 12 people here this week of the 35 or 40 in my organization. Hey, you know that I would have loved to bring everybody, but we're

gonna take those people who came here, and they're all going back and they all have responsibilities, and they already know what they are: to be teaching internally at town halls and internal all-hands for the next few months, right? Everybody who comes here comes back to the organization and then trains, even the junior people, even the people who are here because it's their first time at Black Hat and DEF CON. I expect them to come back and teach. At the same time, it's funny, I was talking to Kathleen earlier and I'm really excited about her talk later this afternoon, because our company actually has a really great policy of volunteer time off, right, where we actually give people

time off to volunteer. I didn't tell you this, but this is an interesting, this should be interesting: I don't remember in the two-and-a-half years that I've been there that anyone ever asked to use their VTO to volunteer at a conference, and I would absolutely approve it, right? Because volunteering here is just as powerful, and you know, an opportunity to help the world and the community, as volunteering anywhere else. Not only that, you learn stuff, right? You can't volunteer here without meeting all of you. This is where networks happen. Even just by osmosis, the hallway talks, I learned stuff just hearing what people are talking about at dinner. Volunteering at conferences is a huge opportunity, and

many companies have policies around volunteer time off. Actually, how many of your companies have a policy on VTO? How many of you have ever used it to volunteer at a security conference? You see the difference, right? Like half the room and two hands. But that's the kind of thing that we need to be encouraging our teams to do, encouraging our people to do, to get out there, to use the resources they have so that we can keep growing them in this industry that requires constant growth. Because the other side to this, right, the other side to this, we really evolve every three years, is as a manager, if three years from now my people haven't

learned the skills that are gonna be relevant that day, then what do I have to do? Well, I hope I don't have to fire them, but at the very least I have to go get new people, and then I'm back in that attrition, hiring, all of that all over again, and the hiring treadmill never stops. The best way to stop the hiring treadmill is to turn the people you have into the people you need, right? Much easier, but takes a lot of commitment. And actually, you said something wonderful to me, I don't remember who said it, that somebody's manager said, what do you think I'm doing paying you to go to conferences? And I looked at that and

went, yeah, that's exactly what I'm doing. That is absolutely what I'm doing, because that's the only way that three years from now those people are still gonna be useful for me and part of my org and be able to teach those skills to everybody on my team. And it's something that we all have to commit to, because, you know, we're self-selecting by being here, but ultimately being here year after year, all of you who have been in this industry more than 10 years, is this the first Black Hat or DEF CON for any of you? Of course not, right? How about BSides? Yeah, a couple of years, first BSides, but I guarantee

you even that it's not your first security conference, right? We are learning, and we have to keep that going, and especially we have to teach the young people. So with that, I said I would only talk for 30, I talked for 40, let's turn it open to questions. Do I need to pass the mic around? You okay? What Mike is referring to is my talk that's this afternoon. I've been noticing over the last, you know, five, eight years I've been in the community that people use volunteering as just a way to get out in the community, but they're not looking at it from a career development lens, and companies are not looking at it

from a technical and non-technical skills management lens. So I actually did a survey over the last three months within the community, nationally and internationally, asking people: do they volunteer, does their company support it, what are the skills that they have learned, would they move to another company if the company provided more support. And we'll be releasing some of that data this afternoon, and then we just got accepted for DerbyCon, so the full community survey will come out at that time. So if you're around at 3 o'clock, we have a panel of people who have used community volunteering as a way to develop their career, and how their company supports them, and how they negotiate with their company to do that.

And enough of the commercial for my talk later. Questions? Yeah, it will be taped. So if I could summarize your talk into three phases, you've got recruit, run, and retain. Yeah, okay. All right, so across the three categories, with the differences in management styles you're advocating here, where do you see managers encountering the most friction with the rest of their organization, and what strategies and tips would you have for them to overcome them? Great question. It totally depends, right? Every org is different. So when I was at GE, I thought I was gonna have the biggest issues with the recruit part, and HR was incredibly willing to just do whatever we

needed, and I thought that was going to be the fight, and it turned out that the fight was actually about training and some of the other things. At the startup I'm at, actually, I would have thought the recruiting stuff would be easier; I've had a harder time, partially just because we're in many offices and we're across multiple cultures and we have a lot of other challenges, a harder challenge on the recruit situation there. So I spend more time working on recruiting. I think it's a matter of, for each of those orgs, you've got to understand the culture, and you've got to understand, every org that I've ever been in has had some things

that don't move and some things that do, right? It's just like hacking, you know, some rules can be broken, some rules can be bent, and some can't at all, and for each org you have to figure it out independently, because I don't think there's necessarily a one-size-fits-all. In the managers I meet, though, I actually think recruiting is the hardest part, because we don't check our unconscious bias. Heck, I've interviewed conservatively 1,500 people in my career and I still fall victim to all of these things. I'll still walk into an interview and think, wow, this person is awesome, and they haven't said a word yet. All right,

and it's just a human response, and so until you're aware of that and you're really willing to be rigorous and just almost beat yourself up every time you have an opinion with no justification, and none of us are good at that, we all do that, right? We all judge books by their cover just naturally; it's why it's a cliche. And so I think in terms of actual individual skills, that's the hardest, this is the hardest one to learn. So, next question. But Mike, you keep playing with your microphone. Yeah, I'm just trying to look like Britney Spears, is really what it... kind of fancy. There you go, perfect, thank you. Now maybe you guys will be able to

hear me, I won't sound like I'm fading in and out. Um, thank you for the great talk, I think that's the best I've heard so far today. Well, it is only 10 a.m. High bar. So many questions come to mind. Have you read First, Break All the Rules, and what do you think? Of course, yes, there's a lot of that in there, and actually I had a slide on strengths and weaknesses earlier, but as I told Kathleen, I rewrote it; that was in my original deck. So did you want to tell them what it is, do you want me to? I mean, I just did see some things that

reminded me of that. I was just wondering if there is... there's definitely some Buckingham influence here. Yeah, okay, and it's great, I recommend it as a read. Like, yes, there's a lot of research behind it, and it gives some paradigms that I think are helpful for hiring for the weirdness, yeah, you kind of alluded to there, and understanding what the job description is as well, and like not just what are the skills you're hiring for, but what are the talents, what's the innate nature of the person who's going to be successful in this job. Yeah. Um, but I think my question, though, is related to, like, so there is some value

that I feel I get out of my intuition, and I've studied myself in this area, and I have found that when I disregard my intuition and I take it completely out of the hiring process, I am more likely to fail, and that perhaps speaks to the inadequacy of the rest of my hiring process. I disagree, I think you're right. Okay. Intuition is not the same as unconscious bias. Okay, great. So I feel like the onus is on me to take my intuition out of the realm of unconscious competence into conscious competence and understand why then intuition is working for me, and in the ways where it

may not be, if that is the case. I just was wondering if you thought that was a valid consideration. So let me just refer... so we just had a lot of shorthand in that conversation, let me just actually restate a few of those things for everybody. But you're doing it exactly right as far as I'm concerned; that was one of the most insightful takes on this whole process that I have heard, but it's especially the best one I've heard this morning. So all right, quick references. The book that she was referring to is called First, Break All the Rules; there's another one called something about Playing to Your

Strengths. They're both written by a guy named Marcus Buckingham, who's written some of the best things on this, and Buckingham actually did this incredible study at Gallup, and what they found was the most likely things in developing careers for people that were successful, and we had to throw it on its head a little bit. Up until about 15 years ago, everybody viewed management as, let me look at... and your annual performance review probably still looks like this: you go in, you hear a couple of nice things, and then there's a whole list of things you suck at, and we'll call them areas for improvement, but really it's a whole bunch of things you suck at,

and then there's a plan for you to not suck at those things anymore, right? We spend all our time talking about what we're bad at and getting better. And Buckingham actually did this incredible study, and what he found was the people who are successful don't spend their time working on their weaknesses; they spend their time making themselves stronger at the things they're already good at, right? You have a superpower that is uniquely you, right, the things that you are just naturally good at, that really come through, that you can offer to an organization better than anyone else, and if you work on being better at that, you are more likely to be better than if you

work on trying to be, you know, less bad at something else. It's sort of like, I don't know how many of you guys are basketball fans, but if you think about Steph Curry, I don't think Steph Curry spends a lot of time working on 360 windmill dunks, right? He works on shooting three-pointers. He's already the best three-point shooter in the history of basketball and he gets better at it every year. He doesn't spend his time working on becoming Michael Jordan or working on becoming LeBron James; he spends his time working on being better at being Steph Curry. That's what Buckingham was talking about. Now, to the intuition thing, you

cannot... so everything you said was so right on that I'm just gonna restate it so that everyone hears it, because it's incredibly important. If you've been doing this for a while you get intuitions. It's not the same as making the unconscious decision up front, and the goal of a really good interview process, and if you get really good at this, what you will find is: I have an intuition about somebody, how do I, on the fly, then structure a question to confirm or deny that intuition in real life, right? It's not about just pretending that you don't have experience. Like, anybody who's been managing for as long as many of us have, you can tell

a lot of things unconsciously, and if you guys have read Malcolm Gladwell's book Blink, there's a lot about how much we know quickly. The problem is that often gets mixed up, like that's not a high fidelity signal usually, because it's mixed up with, did I eat breakfast this morning and am I angry, right? So your goal has to be to take that, figure out what that intuition is telling you, and then figure out what questions to ask to figure out if you're the one that's wrong or if the intuition's right. And I think that's what you were saying at the end, and really, that was wonderful. Hey, thank you for offering that, because

that was great. Yeah, go for it. So you gave a great talk on management direction, and there's enough of us in here who are managed versus managers, and because of the situation all the managers are in, what advice would you give to the employees who have to switch jobs every once in a while because they're no longer a great fit for their company? Obviously get training started, yes, but managing the job interview process, managing the fact that the job description doesn't necessarily match the job, what advice would you give us? Because I'm sure you've got plenty. Oh, that's... oh yeah, actually it's funny, because I was actually just about to call you out. So how can the managed

become better managers of their managers? Yeah, managing up, early on that thing today, yeah, we totally are today. So actually managing up is one of the biggest challenges, and we often... so one of the hardest things for most of us is that we enter into a very strange relationship with our managers, many of us, and this is a pattern I've noticed across most people: we relate to our management almost like they're our parents a lot of the time, and so we go into the relationship as though they are immovable, and you know, much like our parents, they told us what to do and we didn't really have much say in it, right? And we still treat our

managers that way, and to me management, and I'm literally looking into the camera for this, if anybody on my team thinks I'm not doing this, come send me a Slack message and call me out, because I fail at this too. But as a manager you have to be willing to be partners with the people on your team, and if you are, then managing up is easy, right? I don't view my team as working for me. I have management skills; this is what I've cultivated. I will tell you, I'm the worst reverse engineer on our team of malware reverse engineers. I haven't opened IDA in five years. They're better at that than I am, and they should be, and

if they're not, we've got a problem, because if I'm the best reverse engineer, we are in deep trouble, and I know that. So I know that my role is not to be above them in some way; it's to use my skills, the same way their job is to use their skills, and we're partners in this, right? And if I can view it that way, then you being able to come to me and say, hey Mike, I need this, or hey Mike, you're not doing that, then we can actually have a conversation that makes it easy. Now the hard part is that not that many of us, especially if you read older management books, were raised in that

culture, and some managers are not as open to that, especially the autocratic folks. I see lots of nods in the room; we've all had that manager. And in that situation, my only advice is a strong understanding of economics. So economics is known as the study of incentives. What are your manager's incentives, what do they want? And what they want is usually not what they tell you, right? If I go to my team and I say, you know, hey, I need you to do XYZ, it's not because I really want that, it's because I want something else. Does anybody know the Toyota system of what's called the five whys in the

quality system? We ask why five times, and eventually, after you've asked why the fifth time, you have the real answer. Figuring out what your manager wants is really a five whys exercise, and if you can get to, oh, they want to look good in front of their boss, they want to get promoted and so they think that whatever they just asked you for will get them promoted, they want public recognition, or they don't want public recognition, they want private recognition. You have to figure out what your manager wants and then how do I structure whatever I'm doing to help them achieve that goal, and if I can do that, then my manager's happy and I'm

probably successful. Now the hard part of that, and I don't have a good answer for this, because this is where the, you know, management and the manager-employee relationship is a relationship, the problem is if the manager wants something and you fundamentally can't give it to them, right? In divorce proceedings that's called irreconcilable differences, and it generally leads to a divorce, and the whole thing is you've got to hope that you can do that divorce as amicably as possible and do it with, you know, as little collateral damage as possible. But sometimes that's the only answer. All right, I'm getting the hook from the back, but seriously, thank you all for coming

and listening to Mike. [Applause]