
Welcome to Higher Ground day two. We have résumé reviews and career coaching sessions happening. This is one of my volunteers. And then we have a networking social at 5:00. Without further ado, I ran the hiring village at BSides Charm, and the room where this guy was speaking was elbow to elbow with people, and people out the door trying to get in. And I begged him and begged him. I was like, "Oh, I know you're a little teeny tiny bit busy this week, but also maybe you should do this talk." So, you will not
be disappointed. Welcome, John Stoner.
>> Thank you. I was coerced into the CFP. No, I'm happy to be here. I am busy, though. I'm John Stoner. I work at Google. There's two of us. One of us has a mohawk. One of us used to work at Splunk. That's the other one. So, if you're trying to find us on LinkedIn, he doesn't have a mohawk. I'm the other one. Welcome. And I am lying. I do have a few slides, but most of them are memes, I swear. There are no bullet points at all other than the "who am I?" This is your "why am I here this morning and why am I paying
attention to this person?" So, US Army veteran, technical intelligence for 10 years. I got out in 2010 and I've done a lot of different things in cyber security since then. The biggest area of expertise is cyber threat intel. I have been a Department of Defense contractor at quite a few companies. I tend to change jobs like every three years, so I am also a frequent interviewee. I am at a FAANG company now. I'm not representing the company I'm at, though. And there I am a cyber security consultant and academy instructor. So, as both a government civilian and as a contractor, I have interviewed at least
150-ish people and done about 45 different hiring actions. So, I do come from a place of being the hiring manager, in addition to also personally changing jobs quite a lot. You'll see me around the rest of this week as well. If you're ever over at DEF CON, I'm a goon. I'm mostly on Mastodon, and LinkedIn is probably the best place to find me. And also, go Liverpool. All right, so at career villages, and I've been helping out career villages a lot, I think it's really important to give back to the community. Everybody, it's always resume, resume, resume, resume. In the nonprofit I help run, VetSec, we have a resume channel, and
people are like, "Help me with my resume. Help me with my resume. I need a job." Your resume is important, but as a hiring manager, I normally know within three minutes if you're getting an offer. And most people aren't prepared. They spend all of their time and effort on the resume and they haven't prepared for the interview at all. And I can tell as the interviewer, right? I can tell whether they're prepared or not. It starts off, "Hey, thanks for coming to the interview. Why don't you tell me a little bit about yourself?" And if that's a 12-minute meandering saga of their life, that's probably a no from me, dog. I have mostly hired threat intel
people, right? So most of the roles I've hired for are threat intel specific. And there are very specific things that I need that person to be able to do, including giving a presentation, writing concisely, conveying information. And if you can't do that for "tell me a little bit about yourself," that doesn't inspire confidence that I could put you in front of someone else to tell them about an advanced persistent threat actor. Now, not every role in cyber is going to do that. But communication is super important in all your roles. Generally, as you get senior in your role as well, you're probably going to do more talking to various people. So, the resume can only get you in the room.
So, it is important. I'm going to stick around for a while to also help review resumes, but you also need to prepare when you get the interview. So, maybe make it like a 70/30 split in effort, right? Not 100% effort into the resume, because I want you to present the best image of you when you get into the interview, right? And when I say I want you to prepare for the interview, I want you to literally bring up Zoom or Google Meet or whatever and look into it if it's going to be virtual and practice, or go to a hiring village and say, "Hey, actually, I would love to do a mock
interview with someone." If you have a hiring manager here who could do that, maybe they look at your resume first and can do a couple of questions. The more you prepare for the interview, the less nervous you will also be. We're all nervous at the interview, right? Every single person is nervous at the interview. I will also tell you, a lot of times the person making the hiring decision is nervous at the interview as well, right? So, everybody's nervous in that interaction. But the more you've prepared, you will hopefully be able to get a little less nervous, or at least maybe it will show a little bit less, because you do need to
project some confidence in the interview. I can't stress that enough. You do need to project some confidence in the interview. We understand you're nervous. I interviewed someone once who said, "I'm sorry I'm so nervous," seven or eight times in the interview. >> That person did not get an offer. Right? I have to see that you have some confidence in the skills that you're bringing to the table for me to want to bring you onto the team. Right? So, you're allowed to be nervous. Maybe you can tell me you're nervous once, but I need you to also have practiced enough and prepared for this that you can put your best foot
forward, because that's what the hiring managers are looking for. The hiring managers are looking for somebody where I think you probably have the skills to do the job and I want to work with you. That's what they're looking for. Do you have the skills to do this job, and are you going to be a good fit on my team? It's those two things, right? So, they want somebody who, throughout the interview, whether it's a technical interview or a multi-stage interview or a panel interview, has answered enough technical questions that I think they can do the job, and do I feel like I would want to lead this person on this team? That's
what you need to prepare for and understand. I am the biggest proponent of preparing your stories. Your first story is that elevator pitch. "Hey Jen, thanks for coming in today. Why don't you tell me a little bit about yourself?" That should be a three-minute-ish, very tailored version of your story for this role. Right? So the other thing is, your resume is a compilation of information about you that is a sales pitch, and your interview is a compilation of information that is a sales pitch for that role at that company. You cannot lie. That is not what I mean. Right? But if I'm selling a car, I'm going to tell you all the great
things about the car. I might not tell you the one or two bad things, right? If you ask me, "Was it ever wrecked?" Yeah, there was a minor fender bender, but I got it fixed. But I probably don't lead with that, right? It's been a super reliable car. Never had any major mechanical issues. You are selling yourself on the resume and you're selling yourself in the interview. And a lot of people have trouble with this, which is why I want you to practice. I hear all the time, "I'm bad at talking about myself," right? That's a common refrain, right? "It's uncomfortable for me to talk about myself," or "it's uncomfortable for me to
try to present myself in a good light." Well, that's why I want you to practice. So, not only do you practice that initial sales pitch about why you're super excited to be here today: "I'm really passionate about cloud security engineering." I could be really passionate about a lot of things for a lot of roles I'm talking about, right? "I really appreciate the opportunity to be here today. I'm super excited about the role at this company and about this type of a job." And then two to three, four minutes max. And I would time yourself, because if you don't know you're giving an eight-minute spiel... I don't want an eight-minute spiel about your whole life story about
when you graduated high school. But whatever your story is, whatever your compelling story is, I want you to practice it. I don't want you to memorize your stories either. I don't want you to verbatim memorize the story, because if you forget a word, then you'll be stuck. But if you practice the story enough, you'll know what the highlights are that I want to hit. Right. "Hey, thanks for letting me come in today. I'm super excited about this engineering role that you've offered me. As you can tell, I did 10 years in the Army in technical intelligence, and when I got out, I pivoted into cyber security. I've always been the computer guy in the family since I was
building a computer when I was like 10 years old. So, I've always had that passion for computers. So, it kind of naturally transitioned when I got out of the Army to go into cyber security. And you can see on the resume that my first job was as a technical instructor to get my foot in the door." That's prepared. I've given the answer multiple times and I've prepared the answer. And I can also tailor it a little bit. Maybe if it's in the DoD or the intelligence community, I emphasize those parts of my past more than if it's a private company. Maybe I cover it real briefly, maybe I don't really cover that. Maybe it's just real brief. You know, "I did 10
years in the Army, then I got out and focused on cyber security." I can tailor the intro because it is a sales pitch. I'm super passionate about technical instructing, right? I'm super passionate about putting food on the table. Hiring managers want someone that's energetic and excited about the job as well. So, can you do the job technically? Do they want to work with you? And are you actually showing energy about the interview process? So, on a scale of zero energy to 10 energy, somewhere around a seven. You want to hit somewhere around a seven energy level. I don't want to worry if you've had cocaine, but I also don't want to worry that you
don't want to be here and someone has a gun to your head. Somewhere in that five to seven range of energy level is what you want. And that could come and go a little bit depending on the question. But as a candidate, you need to seem enthusiastic about this process and the role. And I know that's really hard if this is the 50th interview you've done, because this job market sucks. But you have to understand that if you're not bringing that energy, it will really show on the other side of the screen or in the room. So there are two types of stories you can practice,
depending on the types of role that you're getting ready for. There are going to be technical stories, right? So, the technical things related to the technical aspects of the job. "Tell me about a time you had an interesting consulting engagement and the client was pretty unhappy with the report you delivered." Okay? Right? So, if I'm interviewing, and you're focused on that type of role, I can probably think about any number of times that happened and how we dealt with that. Right? But there are also all the non-technical questions you're going to get in the interview. Tell me about your greatest strength. Tell me about your greatest weakness. You know what the key to the greatest
weakness question is? You also have the mitigation for it. Right? So that's how you answer the question successfully. I don't care what the weakness is. Right? So one of my go-tos is, I don't have the world's greatest memory, so I write everything down. And if it's a Zoom interview or something, I have my notebook. I'm old. I write stuff down. And I can literally show them the notebook where I write everything down. So, I take really, really good notes about every meeting I'm in or every interaction I have with a client. Right? So, that's my weakness, and I just told them that I've mitigated it. Right? I've worked with another person on interview
prep where we decided through consultation that the answer was going to be, "I'm just interested in everything. Sometimes it's hard for me to focus." And so, we came up with a way he mitigates that in a work setting. Right? So, this is what I mean by preparing the story. And you can kind of use AI here a little bit. You can be like, "Hey, here's the job. Here's the link to the job. What do you think are the 10 or 12 technical questions I'm likely to get? What are the top eight non-technical questions you think are going to happen in here?" And it does a pretty good job. ChatGPT, I've
used ChatGPT for that specifically to try to help some people who wanted to do interview prep, right? Because there are so many different specializations. I couldn't tell you what the top eight technical questions a reverse engineer is going to face are. But AI can help you with that a little bit, especially if you have the job link or the job description. So practicing your stories: you're going to come across like a rock star if you practice most of the stories you're going to answer, and you will feel more confident because you already know what you want to say. I already know what I'm going to say when
I get to the greatest strength question, or when I've had a disagreement with my boss and how did I resolve that, right? Or, if you're a manager, you had to deliver some bad news to your team, right? You can anticipate likely questions for the role you're applying to and have your stories prepared that you want to cover. And you are going to have to go over your greatest hits. You are going to have to, maybe in consultation with friends or family if you have trouble talking about yourself, figure out what are the things I want to highlight in a positive way as I'm preparing my stories of my
success, right? We all have stories of success. Everybody in here has them. But you also don't want to be struggling to think about it in that moment in the interview, right? And again, everything is sales. Everything is sales. Your interview, the resume, your interactions here while you're networking professionally, everything is sales/social engineering. Everything is those two things, right? So also, you need to approach the interview from the mindset of "I am trying to present the best version of myself in this situation," right? In this panel interview, right? Or in the Zoom interview, or the first call with the recruiter, right? That's part of the interview process. You need to
have energy when the recruiter calls you to talk about this, right? They may be trying to figure out which of these 10 candidates are going to get an interview, and they've got to whittle it down to four because that hiring manager is busy. So, you also need to be enthusiastic. You probably need to have your why. "Why are you interested in this role?" is a super common question. Why are you interested in this role? "I enjoy paying my bills" is not the answer. That's not the answer. Right? So, what is the answer? Like, "I've been really passionate about trying to join a small startup firm to gain a
lot of different types of experience than I've had in the past." "I'm really excited to join a really large company that has better stability than small startups." I could be excited about a lot of things, right? But I also want you to be truthful. But again, if you're out of work, the economy is bad. Practice how you're going to approach these things, right? The hiring manager right now and the companies, this is a hiring market. They can be very picky. There is a lot of talent that is available on the market, unfortunately. So you want to present the best version of you. I probably need more caffeine. Thank you. You want to present yourself in the
best light.
>> The request was for me to have a Monster, but I was informed by our lawyer that I don't actually have to do that. So, you can have it instead.
>> Lawyers. I'm really excited about this position where I don't have to interact with lawyers. Everything is sales. A lot of people, like, I heard this once and I was like, "That's weird. I do cyber security, right? I'm not in sales." We're all in sales all the time. Me meeting random people here, running into it. The community is really small, right? How you interact with somebody, how you treated somebody, how you treated a volunteer, how you talked to the
recruiter the first time you ever talked to them, that gets passed along, or you don't get passed along. So, the other thing here is you're presenting the best version of yourself. You're preparing how you want to present yourself, and it's through practice. And so, if you don't want to practice the interview, public speaking in and of itself is another good way to just get more comfortable with speaking. So, I was talking to somebody earlier about Toastmasters, right? Toastmasters is a good opportunity to at least overcome that, because an interview is public speaking, basically, right? An interview is public speaking, right? And I know that there's a lot of anxiety with that,
but also remember you're selling the best version of yourself. They don't know your terrible secrets, right? And I don't need to talk about terrible secrets, right? I'm presenting the best version of myself, of why I'm a qualified candidate for this role, in the best possible light. Understanding the technical aspects is critical for that job. I know some people who've pretty much done generally the same job in cyber security for years. Right. But I also know people who pivot specializations, because there are like 125 different things you can do. We're making up new ones all the time. And what is an AI prompt engineer anyway? So, there are a ton of AI roles out there. Well, if you're trying to get
into that space, you're probably going to have to figure out how I answer some questions like, what courses have I studied to get familiar with LLMs, or whatever else they're probably going to ask you about this position, right? You're allowed to prepare for the interview. Right. And you can be honest in the interview. "I'm really interested in getting into the AI security side because I see it's a growing field. As you can tell, in the past I've had a role as a blank blank blank. In order to prepare for this role, I have done X, Y, and Z," right? And that's either a compelling case for the hiring manager or it's not. There aren't 5,000 AI experts on the
planet, but Google specifically has like 400 open roles for them, and a lot of companies do, but people are pivoting into that field. So, you just have to figure out what your compelling story is of why you're also qualified to pivot into this brand new field. And when that bubble bursts, whatever the next thing is. "Right now, I'm a blockchain crypto expert." That really never panned out for anybody. I mean, I guess for the threat actors, it's been fine. The other big thing in terms of preparing is, when you get to the end of your interview, ask two good questions. Two good questions. "What's the pay range?" No, that's not the right time to ask that question,
right? That question's asked of the recruiter ahead of time, right? And you should already know whether the range is going to be worth your time and maybe their time, right? A lot of times people will be like, "What's the culture here?" right? And the hiring manager's like, "Great. Our culture is amazing." And that's actually not the world's best question. It's better than no question, right? So, some good questions could be, especially with some of the job descriptions I've seen, "What are my primary duties going to be on a day-to-day or a week-to-week basis for this role?" And you could even say, "When I look at the job, I see the job title; the job description is really
kind of vague. Could you talk to me more about what my primary responsibilities are going to be in this role?" And if they don't give you a good answer, you're still allowed to take the job, but at least you know it probably isn't well defined. "How do you go about performance evaluation and promotions at your organization?" That's a good one. You know why I like that? Because it shows the interviewer you have ambition, career ambition, right? And they might be like, "It's just based on vibes," right? Not the world's best answer, but at least you know that going into it, right? It should be something like, "Well, we have quarterly performance
goals, and then we meet in our one-on-one, and we have this big workflow somewhere." That's the standard of how most companies that have some thought process thought out for performance evaluations and promotions do it, right? So, that's a pretty good question to ask. What questions you ask is obviously up to you, but two or three good questions can really set you apart in an interview. This is sometimes the deciding factor. If there's no difference, if both candidates are good, both candidates interviewed well, they're both qualified, they both are going to accept the pay range for the role that I want to hire them into, maybe it comes down to who seemed like
they were more interested because they asked questions, as the majority of candidates don't ask any interview questions at all. So, this is again another place for you to differentiate yourself from the other candidates you're up against. You're interviewing them, too. Now, your situation is unique. You may need a job. So, you may take the job you get offered. That's fine. That's fine in this market. Hopefully, the market turns around in like 18 months if you take a job and it's not the world's greatest job. But this is your ability to interview them, too. Is the person making the hiring decision your boss? That's a pretty good question, right? You can ask
them, "Hey Tom, I was just curious, are you the decision maker, and will I be reporting to you or will I be reporting to someone else?" Because sometimes the person you're reporting to isn't the person that gets to hire you, which is a little weird, but some companies are like that. And you might want to know that going into that role, right? You might want to know that you haven't actually talked to your boss yet, right? And it may be multiple panels, so maybe you're not sure who you report to, right? Because all the tech companies are like 73 rounds. Thanks. It's very efficient. So, which one of these people I talk to is
the decision maker, and who do I actually report to in this organization, right? That could be a really good question as well.
It's not real good out there from the candidate perspective right now. You're competing against every other person that's trying to get a role right now. It is really common right now: the role is open for 24 hours, they have hundreds of applicants, and like 30 to 50 applicants are qualified for the role. It just happened to a buddy of mine. The role was open 24 hours, 300 candidates, 30 fully qualified. So from that, they're going to use some system to try to figure out which six people they're going to actually interview from the 30 qualified people. So, if you can get to that threshold where you're getting the callbacks and you're
getting into the interviews, then you want to make sure you're practicing and acing the interview, because this is tough. The companies have the pick of people right now because there's so much talent on the market, and also, depending on your situation, you may just have to take a job. It may not be your dream job. It may not be a job that you are truly passionate about, right? That is the reality of the market today as well. And I think you can explain that. In 18 months, maybe things start to improve for the job market in cyber security and in tech, and maybe you're able to pivot again, right? And in 18 months recruiters are going to
be like, "Oh, I saw you've only been in this role for like 16 months or 18 months. Could you tell me more about it?" "Well, it just wasn't a great fit, and the market's starting to turn around. So, I wanted to see whether there might be a place where I feel like I can contribute better to the overall company's values and missions." Right? Practice that story too, right? Practice that story of why you're now applying for another job as well, right? "Well, the job market was [ __ ] and I was unemployed for three months, so I took this job, but my boss is an [ __ ], so I'm really trying to get out of here."
That could be the truth. That's not what I would say, right? But if you practice it, it'll be a lot more natural when you have those interactions with recruiters, when you start to get that phone call back, right?
I can't emphasize enough how important it is to prepare for the interview. I can tell who's either interviewed a lot or who has prepared. I can normally tell within the first 30 seconds, from how nervous that candidate is and how much trouble they have answering the first question, whether they've prepared or not. And for me, it's a big differentiator as a hiring manager. So, the resume is important. The resume is important, right? The resume gets you the callback from the recruiter, right? And they're doing a lot of résumé reviewing in here today. I do that. I'm going to stick around for a while and do résumé reviews as well. Please don't pay for a resume review.
Please don't pay for a resume review. There are so many career vill >> Yeah. Sorry if you're charging people for that on the internet, but maybe go stream some Twitch. Please don't pay for an interview. The only time I've ever heard of that being even remotely reasonable is maybe at an executive level, or you're trying to break into a board of directors, but if that's not you, don't pay for a resume review. There are a lot of free resources for résumé help at career villages like this and at all your local BSides wherever you're from; they almost all have career villages. Questions? Come up to the microphone if you've got
questions. Any questions?
>> I got one. Do you have any advice if they throw you a curveball question in the interview that you weren't prepared for? How do you handle that?
>> Do you have a specific example, or no?
>> Well, I've been asked, "Give me your last five bosses and how would they have rated your performance?" And then they asked follow-ups like, "Well, what you said isn't good enough. What weaknesses or strengths?" And it was such a long question that I wasn't prepared. I don't know if there's something you can do if they hit you
with something.
>> Yeah. I mean, so it depends. It depends on your position. I've had some curveball questions before. I was employed, so I was approaching that from a position of strength. I was interviewing for a senior threat intel position, and they started asking me port questions. I was like, I did not know this was a Network+ exam. I have a cheat sheet on my monitor and we have the internet. HTTP 80, HTTPS 443, SFTP, I don't [ __ ] know, 23-ish somewhere. I literally asked them, "Do you ask your senior threat intel people port questions?" They stopped asking, because that's [ __ ] stupid.
Now, not everybody can do that. If I was unemployed, I probably would have approached it a little differently. But I wasn't, and that was stupid. And that was a company that I probably won't work for again. So it depends how much strength you want to bring to that sort of a thing. If they ask you about all of that, you could be like, "You know, my last boss rated me pretty good." And you could be like, "I don't understand this line of questioning." I mean, again, if you're out of work, you might not be able to do that. But if you have a job and you don't desperately need the job, you
could turn this back a little bit and take some of the power back a little bit: "What exactly does this have to do with my ability to do the job here?" Right? And then they won't be able to answer that. So then hopefully they move on to the next question. Yes, sir.
>> Stoner, thank you for taking the time to do this. I appreciate that. So, I recently got dozed, and what do I do to compete? What keywords do I need to put? Do you have a dictionary of keywords to fight off the AI bots that go through your resumes?
>> What? So, it depends. I'm sorry to hear that. >> Tailoring your resume can be pretty helpful. Tailoring the resume can be helpful, >> right? So, I've seen, when I was a government hiring manager, because of the way the government works, everybody in tech is a 2210. Everyone: IT support, threat intel analyst, cloud, sysadmin, everyone's a 2210. I'm pretty sure people didn't read the job ad, because we would get the resume for these roles and the word "threat" or "intelligence" did not exist anywhere on the resume, right? They're just blindly applying, right? That is happening now in the civilian market as well. "I have created one resume which has all of my
information, because I need a job." The hiring manager is not hiring you because we're giving out jobs. This is the give-out-jobs line. This is, "I am hiring for a cloud security engineer who understands AWS and GCP." And if that's not on your resume, you're not making it through the cut, either the automated ATS system or the recruiter, if they look at the resume, right? "I bring 15 years of experience in multidisciplinary fields within cyber security, looking for a job as an AWS and GCP security engineer." "Well, [ __ ], man. That's what we're hiring for. How convenient." That's tailoring the resume. And also the skill tree blocks: don't list every skill in cyber security
in there, even if you have 50 different skills you bring to the table, because it looks like a one-size-fits-all resume. Tailor it for the job. The smaller the company, generally, the more hats you'll wear. You will probably do a lot more things the smaller the company is, because there's one person doing it all, right? Or two. But when you get to a bigger company, they are generally hiring this one person to do this one thing on this one team, right? And that's what they're hiring for. They're not hiring a jack of all trades. So, if you have a version of your resume that is a more jack-of-all-trades resume, that could be effective at smaller
companies, especially startups, and I use "startup" loosely, whatever stage they're at, because they're probably handling all sorts of different things all the time, whether they're a tech company or not. Whereas if you apply to Lockheed Martin, they want, "I need one FTE, cloud security engineer with 12.5 years of experience who can, three days a week, go to this location." And if you don't meet that requirement, you're not getting the interview. You can also put on your resume, "I am open to full-time remote work, full-time on-site work, or hybrid work and/or shift work." Put that right at the top of the resume as part of your professional summary, right? Because that could be the difference
whether you get selected or not. What other questions? >> I got a quick kind of caveat to your presentation. You know, I I really like what you're talking about and you can tell me I'm full of crap afterwards, but as something that I do hire a lot of people and one of the things that I personally look for is portfolio, especially people that are trying to pivot into the industry or they're they have zero experience. One of the things I personally hold a lot of value in is the resources that they have, whether it's a home lab. Um, >> we Yeah, you're not coming through the audio at all. >> Not how about now. All right, sounds a
lot better. So you know what resources they use at you know that they have available to them whether it's hack the box building up SDRs and writing up blogs or doing YouTube videos and demonstrate their portfolio and doc you know having professional level documentation of what they're working on at home even if they have no work experience they've been able to demonstrate that hey >> I can I can either I'm taking this task serious I have responsibility and I have a lot of passion for um this community and what I'm trying to apply for. That's one of the things I personally hold value a lot because we all know the people that are applying are that a lot
of them are introverts. They don't have good interview skills. They, you know, I'm nervous to even just ask them this question. We're not great public speakers. And so that's one of the reasons for personally for me I hold the portfolio of what they're doing on their off time and how they're um personally developing themselves within the career. >> Yeah. No, that's great. So some jobs are going to probably have more ability to have some sort of an online portfolio than others. Um, and I don't care whether you're really new in the industry or experienced like yeah if you like have stuff on GitHub or you you know attending conferences or participating in CTFs or I like to have a
section like separate from education which is like cyber security community involvement right if that's something I want to weave into my resume right because it doesn't fit anywhere else and that can be a differentiator for entry more junior people as well right cuz like we've got a bunch of people graduating with four year degrees in cyber security that like can't explain to me how DNS works, right? So, like I'm going to need to hire one of them into the role, but the more things that are on there that are trying to show me passion, show me interest is helpful to differentiate all of the junior people that are all hiring to try to get their
foot in the door, right? I am definitely going to hire somebody that was like, I attend my local BSides conference or I did this CTF or or whatever it might be. So, that's a great point. I think it probably holds to some extent less weight later in your career depending on the role. But yeah, I mean like I have my public speaking engagements on there, right? In threat intel, we got to go we got to go brief people. Core part of the job. Hopefully that helps. Yeah, great point. Hello. >> Hi. Is this audible? Oh, yeah. Excellent. Okay. So, um my question is it's sort of a two-parter, I suppose. Um, so back in the day whenever we
were all still printing out our paper resume and there was no LinkedIn, right? Uh, traditional um, interviewing tactics, traditional hiring stuff says you do a follow-up, you're going to follow up afterwards. So my question at the two parts would be a is that still like in particularly in today's market with like you said earlier, you know, you might have 30 qualified candidates in your pool, right? And so that's you with 30 other or 29 other people, you know, that are just on the same level with you, maybe better, you know, depending on your where you're at. Um, so like in that in the kind of environment we're in, is the follow-up still effective? And in that in the
second part being in the scenario that you discussed earlier where the person who's interviewing you is not the person who will be your boss. In that scenario, if the follow-up is effective, would you follow up with the interviewer or would you look up the organizational email of the person who will be your boss and say, "Hey, I interviewed for your company today. I just wanted to say, I found out that you would be my supervisor and I was wondering, you know, or and I just wanted to say like it's going to be I really look forward to working with you." And then, you know, fluff their ego a little. So the first part of your
question, yes, interviews are still important because you know who else you should be networking with? Technical recruiters like Kirsten. You should know which recruiters are good because just like in every other job field, they're not all good. So which ones are good? So, not only should you like at some point have a network of like professionals you can call upon, but like if I have a friend that gets like laid off or like I need another job, I know which recruiters that I would like personally just direct contact and be like, "Hey, my my buddy just got laid off. They need a job. Do you know anybody? You know, anybody you can talk to?" And part and that's why
like the follow-up to the recruiter I think is also really important, because you're trying to build that network even if you're not going to hear back. Like you're doing you're putting your best foot forward because you don't know their situation. Maybe they're slammed, and you know, maybe they're not going to be able to get back to you until like 3 weeks, but maybe they'll remember your name. Like, I remember this person tried to follow up with me, but like we were just in crazy hire mode, I could never follow up. I wouldn't reach out if you figure out who your boss is though. I wouldn't do that part. Uh, one, I just think for like legal like hiring
reasons, they probably can't respond to you in most companies. They probably aren't allowed to contact you outside because like once you're in the hiring chain, there's very specific rules most companies have to follow. So, there's no like bias and things in the hiring process. So, I would say the follow-up is to the recruiter. Um, and and like if if you didn't hire with your boss, I wouldn't necessarily reach out to them unless you know them, which is different. And then like you hit them up on Signal. Please use Signal. >> Hey, John, thanks for the talk. Yeah. Hey. Um, I was I've worked on both sides of the fence. Um, and I was wondering I
was interested to get your perspective. Can you talk a little bit more about how you might change your interview styles or like how you prep for an interview whether you're going for like open commercial companies versus like a cleared defense contractor or something like that? >> Yeah. So, I've worked on both sides. I've worked within the secure community and I'm doing less I'm continuing to do less and less and hopefully less and less work um with that side as my career progresses now. Um so some of it is like which stories do I want to tell? So like I work with a lot of veterans as well, right? So, like if you're like a brand new veteran,
maybe like tell me about a time you overcame a challenge. Have you ever heard of Afghanistan, right? Well, it's it's going to depend, right? Like that that story might work super well like Lockheed Martin or Boeing, right? So, maybe I kind of want to lean into that, right? Like, oh, this this cyber security position is supporting the F-35 fighter. There's probably a whole bunch of veterans in this program, right? So, I could kind of like lean into that. Whereas like if if it's like Bank of America, probably not the story I'm gonna pick for the time I overcame a difficult position, right? So that's like how I start to kind of differentiate that a
little bit and I tailor my prep for the job, including like what vertical it's going to be in, right? So like this is a big thing I have to talk to veterans about. And sometimes like a branch like somebody who's just getting out, they mostly have stories about being in the army or you know whatever branch they were in. So we try to work on that a little bit or like maybe dial down the war aspect of the story and concentrate on like some other aspect of the story. Like maybe don't mention this occurred in Iraq, right? Like you can just talk about the story without saying like well in Iraq. Just be like well all the
servers went down and like you just you don't have to like right. So like little tweaks like that can really matter, right? Like and also the one person who like would not take Sniper Training School off of their resume, like yes, I understand it is a difficult school to graduate from when you apply at the Children's Hospital. What question do you think that they have? So again, tailor the resume. If he's applying for a cyber security position at like Quantico with the Marine Corps, then yeah, leave that [ __ ] on the resume because they're going to be like, "How many confirmed kills do you have?" I doubt the Children's Hospital hiring manager is going to ask that question.
So tailor the resume and tailor the interview tactic to match what we're talking about. Obviously, that's a pretty extreme example, but like you get the idea. Yes. Uh do you think that the look and the design and the feel of a resume is still important these days given applicant tracking systems extract that information and genericize it for >> No. So if you are attending an event where you are still handing a resume, you can have one that looks nice. If you're not handing out a physical copy of your resume, it needs to have I would say no columns, no tables. Like if you have to have columns, fine. Don't do the whole like one column on the
piece of paper because then you're just wasting space. But like right, yeah, this is getting parsed by the ATS. So like it needs to pretty much be a docx. Sorry LibreOffice people. Um it pretty much needs to be a docx or a text file so that it can be parsed or a PDF. Um and that is a big thing like you don't want weird formatting. Um the the look of the resume can still matter though. Like again a lot of threat intel positions. These are different fonts. These are different size of fonts. Like I am literally going to require you to publish threat intelligence and your resume has two different fonts and like different font sizes and that's a no for
me. Like you're not making the cut. And again that attention to detail is really important too. I've seen I have looked at people's resumes who didn't have their contact information on it, which, how are they contacting you, right? So also how people look at your resume. Like I would have like one non-technical person look at it, and usually it's like my mom. I was like, mom, don't worry about like what I'm saying, but like did I spell stuff wrong? And she'll be like, what about this word? I'll be like, no, that's how we spell it. But like, and then have like someone in the organization, like in the industry, like look at the resume too, right? And if you're making
multiple versions, like quality control the multiple versions um as well. Hopefully that helps. Yes. >> Hi. How would you suggest like adding to your resume like extracurricular activities that you're like proud of or accomplishments >> like like what >> like let's say like if you do like a cycling trip across the country would that be something good to include as like um something that like shows that you have grit or like >> So at the end of the day you have to make the decision on this. >> Yeah. I'm not a big proponent of including hobbies unless you have a story that's good in case you get asked about it, right? So like it sounds like
you have a good story for that though, right? Like well this is a really like difficult thing I do and it takes a lot of endurance or like whatever. Like if you can like tie that in then it makes sense to be on there. The other problem with including your hobbies is that it can be something that somebody just Well, man, this guy sure spends a lot of time out of the office. You know what I'm saying? You don't want to auto-disqualify yourself, right? So, anything like that could be interpreted as like political, religious, helping the homeless. I mean, unless that's like related to the job or the industry in some way, I am not a big fan
of including this on your resume. Okay? >> Because I think it just distracts. >> Now, I did interview someone once because they played in the CFL. We did not hire them. They were not good. They did not do a good interview. But he so like that one time I hired I interviewed one person because he played in the CFL. That's the only time I can think of that I ever made any decision around hiring related to someone's like hobbies or extracurriculars that weren't related to cyber security. >> Okay. >> Yeah. Yeah. >> What are your thoughts on gaps on your resume? Work gaps. Is that still relevant in this day and age? and also previous career experience prior to
cyber security. Prior to? >> Well, both within and prior. >> Okay, >> I I'll give you details. Right now, I took about a seven-month break trying to get back to work. Uh relocated. There were a number of reasons for it, but prior to that, I've been on the journey to get into cyber security over about the past four or five years. Before that, sales and marketing background, and I don't put that on my current resumes. So, we're looking at about a four or five year trajectory on my current resume. Does that make sense? >> Yeah. I mean, I I probably need to give you a more individual answer, but so I'm going to take it as a two-part question.
Is one, if there's gaps on the resume, let me deal with that first. Is you just need to sort of like if that comes up in the interview process, what like what's the story around this? Right? Because like the recruiter, the hiring manager be like, "Oh, I see you have a gap between these two different jobs. What was going on?" I mean, the answer was like, "Oh, well, unfortunately, I was laid off or you know, the company downsized and then that was that was the soonest I could get back into the job market," right? I would just be prepared with whatever the answer is, right? Um, and I would do that for like any gap on
the resume. You also your resume is not like your entire bibliography. Okay? So, like most people care about like what's happened in the last seven years. If it's more than seven years ago, like it probably is irrelevant for the most part anyway. So, this is especially a problem like in the government sector. Like, please don't send me a 12-page resume. Um, I don't care. I don't care what you did 12 years ago. It's not relevant to the like five the last five years especially, right? So your resume really should be focusing on the last like five to seven years of experience. That's where most of your bullet points should be coming from and that's what most of the resume should be
focused on. I would just say own any potential gaps for whatever reason, whether it was child care related, elderly parents, laid off, tried to start a small business, it didn't work out, whatever it is. Just be prepared to answer the question, right? Um the other one is like career career changer is different. There can be different strategies for career changers. I will sometimes have someone make an entirely new one-page resume as if they were brand new to the field, as if they had not worked previously. I've worked with three people who were mechanics um coming from various services, but I mean like throw throwback to Jack Daniel who was a mechanic, right? So like right and
then we have the stories around like problem solving, root cause analysis, but like we're not listing any of their previous jobs. Like I I have a professional summary what they're doing to get into cyber and that's what the whole one-page resume is focused on. And sometimes it's hard for people who are like more mid-career changing because they're like but all that stuff I did I was like all that stuff you did is not related to cyber security. Right now if it's like management and you have management experience right this is an individual thing right? Well, maybe we do include some stuff on there if it's like a program management type of a role and now you're going to become like a
technical program manager, but like I work with a lot of people who are like, "Yeah, but I work part-time at Starbucks." And I was like, "We're not putting that on the resume." Like, I'm just not Don't put it on the resume. It's not relevant. Same like in a lot of cases, like if you're in college and working part-time jobs, you don't have to necessarily list them. I don't think they're adding any value, right? Like again, this is up to you. Do you have a compelling story around that? Maybe. But like I'm not a big fan of listing things that aren't related to the job I'm applying for. And we can cut out old stuff. Or we could just list like, you
know, job year, job year, job year at the bottom of the resume. That's how I do it from my old experience. It's just job title, place year, job title, place year. So at least I'm proving that like I'm old. Go ahead. >> Yeah. Quick question as far as the sites that are have that are hosting the jobs, the LinkedIn, the Indeeds, the you know the Googles, I mean where do you where are you finding out that a lot of you know because some of these jobs will go 75 jobs you know on one one area you're looking at I mean am I going to go through all 75 trying to find it or by time I spend hours sometimes looking at
the different job opportunities and you know where the where do you see the companies are trying to really post and then those are in the front against those down in the you know on the page 15 on the on the search engines, you know, where are you seeing, you know, because do we go that far down or do we worry about the beginning ones or they keep coming out new? >> Uh, I'm a big fan of the way LinkedIn is working right now and many many many recruiters use LinkedIn as one of the primary places they find people. So, LinkedIn is good. And then I am a big fan of going to the if it is a big
company go to the company's site where they have, you know, Meta Facebook, Lockheed Martin, Boeing, whatever, to their job page. Their job page, that's the latest info, because Indeed is just pulling that from an API or whatever, right? And then some stuff on there is wrong or old, right, or like it's closed already. So you go through the whole job application and it was like, actually this closed two hours ago. So like I'm a big proponent of going to the company itself and going to their career page. Right. So, I think Indeed, like it used to be good and it doesn't seem like it's as good anymore. I don't know what happened. Maybe they integrated AI. Um, but like LinkedIn and
being active on LinkedIn. So, this is another thing. I think there was already a talk about this somewhere here this week. So, like your LinkedIn activity helps you show up higher in search results, right? So, if you're like, I log into LinkedIn once a week and I'm actively searching for a job. That's not enough LinkedInness, which is a word. Um, you have to like be active on the platform. Repost stuff. I found this article to be very informative. Like whatever, like just reposting things is making you active on the platform. So, like when the recruiter pulls you, you're going to be higher up that list of candidates that they're looking for in their search results.
Hopefully that helps. You mentioned not including your entire work history on your resume, which which I I think makes sense, but then how do you handle it when you go to that company's job site and the application has all the forms for list all the jobs you've ever had and when you've ever had them and what you did? Like do you just not include those as a part of that application to match the resume or do you fill them out in the application and leave them off the resume? Like how do you handle those situations? >> Um, it really it it depends. Uh, unfortunately, this is one of those it depends questions. So, yes, me
personally, I have reduced what I have on my resume. I'm listing them by, you know, job title, company, date, so they're still on my resume. And then I would list them. But there's a job I had for like eight weeks and they ain't listed on my resume. The only reason it has to come up is when to do the background check. So, I do add it into my thing. Well, that was some [ __ ] I went through. So, I don't list that on my resume. I don't talk about it at all. Right? Because it was in fact rotating night shift work at DISA and I was told it was not that. So then I left. So I
don't include that on my resume. But like when I have to fill this out for the because part of this might be like the background check as well because they can verify employment. But it kind of depends like at what like maybe you only go back 15 years. I mean the background check is not going back 25 years most of the time. So I I think it depends on like how many years of experience you might have, but like you might be able to cut it off after like 15 years because it may not really add any value even in their like internal application and workday that you're filling out. >> All right, thank you.
>> Yeah, I'll keep taking questions until they kick me off stage or like in 10 minutes. >> Okay, another two-parter, but I'll try and keep it brief because the two parts are separate. Okay. So, first question I guess would be um cover letter. Whenever people when you're applying somewhere and they want a cover letter, right? Um in today's hiring world where uh machines are parsing your uh hiring process, right? Um do I need to be including the cover letter in the same file with my resume as a separate file or does the body of the email count? >> Right. Let me let me take this. Only do a cover letter if it's necessary because even a lot of times when it's necessary,
it's not holding a lot of weight. So, I'm not a big fan of optional cover letters. Part of that is because my preferred resume format is contact information, professional summary, and that professional summary is pretty much what I would put into a cover letter. So, if it does require a cover letter, I'm pretty much just copying the professional summary and maybe adding like another line or two on the cover letter. That would be my that would be my first answer for the first part of the question. As far as whether it's the same file or not, I would ask I would ask the recruiter. >> Do I put it together? >> What's that? >> If it's required, do we put it together
or separate is my is the meat of it. >> I mean, if you're working with a recruiter at that point, I would ask the recruiter. >> Okay. >> Um, by default, I would probably submit like cover letter, date, resume, date. Like, if I if I wasn't sure, I would probably keep them separate. >> I don't know that that matters a ton, though. >> Okay. Okay. And uh for the second question, you know how there's that uh adage that because you were talking about keeping your resume brief. Um there's that adage that a lot of employers if they see résumés over a certain over one page because I know you were you were kind of talking up the
pros and cons of the one-page resume, right? And like when it's appropriate, when it isn't like as a subtext, right? So, uh, is that thing still true where there are the predominance of employers are like, "Oh, I'm literally not going to read past the first page because there's so much pool." Or is that problem taken over and obviated by this machine parsing? >> It's complicated. So, you want to tell a compelling story in whatever length of resume you have, which is two pages or less, right? Two pages or less. I have a version that's three pages because I'm bad at following my own advice and sometimes in the government circles but like not four pages and not more
than that. This is where people struggle of being like, "Yeah, but that's everything I've ever done." Great. I don't care. Like I am like when I get a resume as a hiring manager, I am literally spending 30 seconds looking at it to determine whether or not that person gets an interview. 30 seconds. It's like yes or no. And then that one guy who was in the CFL, we didn't hire him. Right? That that's it, right? And that's also why like the formatting is so like I Kirsten and I I stole her formatting. Like we're on the same page. Contact information, professional summary, education, everything that's important has to be on page one because page two is not getting
looked at. Generally, I have been in plenty of interviews as the candidate where it is very clear to me the person interviewing me has never looked at my resume yet. And I will say things like, "As you can see on page two, when I was at the DoD cyber crime center," and you will see them turn the page because it's the first time they're looking at it, which is also why you want your stories to match the resume and like it's on on paper on page two when I did the thing. Hopefully that helps. One page, junior career changer. One page. I don't care how amazing you are. If you've just graduated college, you need to have a one-page resume. And
if you've worked for 55 years in this industry, you need to have a two-page resume, maybe three. But everything that's important is on page one. You mentioned the uh the LinkedIn. A lot of us have pulled back off LinkedIn, a lot of the social media and all that type of things just from cyber and security. And um what are you seeing now? If you're in the job market now, we should we go back and really get heavy on LinkedIn and be really more involved in putting everything we have on that or should we try to limit that? How do we protect what we're trying to do especially with all the issues that are dealing with this, you know, with um
not, you know, just from the hacking side of the fence as far as you know, you know, we we like our company, we got to keep the name of our company undisclosed. You know, they don't want us putting the company name on there. They got part of our social media policy. That's someone who needs a reality check. Um, you have to be active on LinkedIn on professional social media. You have to be. It's 2025. You have to be active on this platform. That doesn't mean like posting pictures of your kids and like where your kids go to school like you can still have some OPSEC. Like if you're OPSEC concerned, but like if you send me a LinkedIn request and you're
you're the name of your company is undisclosed, that's a no connect for me. Same with like if you don't have a picture like I'm not connecting with people who don't have a picture on their LinkedIn either, right? I mean, so like I connect with most people, but like there's still like a little tiny bit of due diligence for me and I want to be connected with tons of people. Um, I especially hear this from the side of the house, like from my veterans or people who work behind the fence. Like there are people on LinkedIn who are like headline cyber threat intel analyst TS/SCI clearance and you're like bro like the North Koreans are on the page. So
like I'm not so like I'm not a big fan of that. But you still can be active without saying everything. Like if your company won't let you put the name of the company on there, I mean you got to abide by that I suppose. I think that's really bizarre. Um but like you should still be sharing articles and connecting with people and like it it if I have worked with people who are like I am not on LinkedIn and I was like you will not get a job. If you are not on LinkedIn I find it impossible to believe that you will be offered an actual job. So that's how important it is. Yes. >> Uh, would you ever still include expired
certifications on your resume? >> Is it a good one? >> Uh, it's twofold. Okay. Old CompTIAs, I can see those sliding and not listing those. But if it's like unique like a a PCIP or something that's like unique, but you just you're not in that field. If you used to be like PMP, CISSP, GX, something maybe, but not like 17 expired. So, one or two if it's relevant, if they're asking for it, right? If they're like, "This position requires a CISSP, PMP, EC-Council, C, blah blah blah blah because they don't know what they're doing." And like one of them you had that was expired. Yeah. Um, but I wouldn't list all of your
expired certifications. Just like if you're in a boot camp and you're trying to get some certifications, I'm not a big fan of listing any certifications you don't have. Even if you're like, you know, expected date for a certification. That's a lot different than like listing the college degree program you're enrolled in. Like if you're in a college degree program, you could be like, you know, I'm in, you know, bachelor cyber security blah blah blah expected, you know, March 2026. That's pretty normal for college degrees, but it's your resume. So, like if you if you're like, "No, no, I'm really I'm studying the CISSP. I'm going to take the exam in in September." Like, you could put it on there. But I have
definitely caught someone listing the certificate they didn't have, and that did not end well. So, don't do that. >> All right. I think this is my last question, then we're going to move to resume uh stuff. >> Okay. This should be a fun one for you. Okay. >> Biggest pet peeve as an interviewer. Biggest pet peeve as an interviewee? Man, this is a hard question. We're like an easy last question. >> Dang. >> Okay. Um, I mean, I I find it very frustrating as a candidate when the when the person interview me has not looked at the resume before the interview starts or does not seem to be paying attention, right? Like, what the heck, man?
It's almost always a man that does that. Um, just Not to stereotype, but like we've I spent all this time getting here and like you haven't even looked at my resume and like I'm not even sure you're listening to my answers. So like um as the hiring manager, I mean mostly I want I want people to be successful. So like when it's just the one page non-tailored I'm not even sure if they want this job and that can carry over to the interview too. Like I understand people need a job. Like yes, clearly like everyone needs a job, but like I can't hire you if it's not clear that you're like you're not going to
bolt after like seven months when something better comes along because we're putting a ton of effort into this. Like I know junior people are not going to stay at this place for 15 years. Like but like can I can I get you to stay for two years? Like do you have any interest in the position at all? So maybe I'm not backfilling all of my junior people constantly. That is a fear I have as the hiring manager, especially at the junior side. Because what's going to happen is you're like, I have zero experience right now. I've now been hired by a company and in 18 months I'll have 18 months of experience and then I'm back
on the job market and you're getting offered $35,000 more or like $5,000 to $10,000 more a year and you're like that's more money. See you. Well, at least maybe if I can have like a good work environment and make sure that you're valued, I can keep you for like two or three years before you decide to go and take that bump. But that's the reality. So like a seven on the energy scale and at least I think that you're really interested in this job at this position. >> I actually have an audience question. >> Audience question. >> Okay. So selfishly, well, all right. So I messed up with my supplies and I was late and whatever. So, my husband had to
run all the way back. This was the talk he wanted to see. Okay. And I know it was recorded, but can you rewind and repeat when someone came over and said something along the lines of um you're in the interview because this is you just covered like all the Higher Ground content like you don't need to come to our panel at four or do a resume review because this guy just championed it all. But actually, no, you should. Um, but I love the part where uh I think you had a specific experience where you were being interviewed and they were, you know, you're it's a senior position. You're like a a senior threat something something, right? And they're asking you
stupid lowlevel Oh, I shouldn't have said stupid. They're asking you a bunch of low-level stuff where you're like, uh, duh, I have it on my screen or whatever. Can you repeat that whole answer? >> Yeah, >> please. >> Okay. So, so this pertains to like when the interviewer is bad at their job. Um, which is not that infrequent. So I would so my story that I related earlier was like as a senior threat intel analyst they started ask me like the port questions like it's a network plus exam and like remember my weakness is I'm not good at memorizing stuff same interview by the way whereas like that's why I write stuff down right so it's like yeah
443 secure HTTP right 80 HTTP 20 SFTP 20 something threeish I don't I don't know right I'm not looking at pcap every day and I basically was like, I'm sorry, I didn't prepare to memorize ports. Do you ask all the candidates for the senior threat intel role port questions? And then we moved on to the next question because that was stupid, man. That this is stupid. Now, I also knew the person I was interviewing, so I was like double frustrated because I was like because I used to respect this person and now I'm like, you're the program manager. Um, but this can another person had a question around this of like they wanted like tell us about the last five
performance evaluations you had and it's like I mean my last boss and I got along pretty good. Before that it was Steve. No problems. Does this how does this pertain to this position? How does this allow you to judge whether I'm a good fit here? Now, you can only ask that if you're prepared to walk away, but that might be a sign. It it this is not red card. Like, sometimes you get some like yellow cards. Sorry, I'm a big soccer nerd. Sometimes you get some yellow cards and you need to take the job anyway because you need to take the job. But sometimes like there's like a straight up like red card tackle and
you're like, "Oh no, I pulled out of an internal interview once because the team was so [ __ ] up." I was like, "Are you kidding me right now? Cancel the interview two minutes before it starts. Change the interviewer three minutes before it starts. Bro, you know what? Good luck. Good luck. I'm I'm out. Two red cards. Like, that's a three game suspension. See you later. I think that's it, though. We're going to move on to getting you some free resume help. Don't pay for resume help. Thank you so much. [Applause] All right.
Well, look what Leo did. He got us in trouble. We filled up all the seats. If you're in the middle of a resume review or a coaching session, we have to wrap it up. I'm sorry to say, but you can come back at five o'clock for our networking mixer. And without further ado, the one and only Leo is going to tell us how to get beyond the command line. [Applause] >> So, it's funny. I spoke at another BSides conference a couple years ago, and I'll be honest, this is the largest group I've had in one of my sessions. Uh, and the last time I had a session this close, uh, they put Leah Pate outside on the door. Uh, and then everybody was very not happy with me that I am a male and not a female. And so, uh, with that it became like a running joke, and then my handle turned into the real Leah 3 because I'm the third Leop. Um, but yeah, so uh, quick question. Who here has ever been asked to solve a problem and they've had no idea how to do it? Yeah. Now, picture doing that in a leadership role, right? So, you've got no road map, stakes are high if you mess up, uh, and you're still expected to perform. So that's where a lot of cyber security leaders start right now. >> Oh, okay.
>> Is that better? >> Oh, all right. So, that's where a lot of cyber security leaders start, right? They're high-performing individual contributors, or ICs, right? And they're thrown into management. And it seems pretty logical: the fact that you're great technically, you performed, you delivered. Now go do this and make other people do this too, right? So while that logic isn't totally wrong, the same skills that have made people high-performing individual contributors also tie into uh leadership, but it's dangerously incomplete. Right? Being an outstanding individual contributor does not necessarily mean that you're going to be a phenomenal leader, right? So, uh, without the right support, oftentimes that promotion kind of feels like a setup, right? And so, that right there is the leadership gap. So, we'll get into that a little bit later, right? But today for this talk, I want to offer clarity, tools, and a real-world roadmap for anyone stepping into leadership or thinking about jumping into it. So, my goal is not to help you just survive that transition, but lead in a way that's effective, confident, and sustainable. But before that, we can talk a little bit more about me real quick. So working backwards, uh I'm currently a senior director at NetSPI. I run one uh of our US uh regions, right? So I have about 70 to 90 uh security consultants that report up to me. Uh and before
that I was a managing consultant at nVisium. Uh so it was a significantly smaller boutique consulting firm. Uh I ran the consulting team there for about three and a half years, and then NetSPI uh bought us. Uh, and then before that I was a cyber warfare officer within the South Carolina Army National Guard. And then the time before that I was a human resource non-commissioned officer as a full-time professional soldier in the Army. Um, unrelated, I am a phenomenal latte maker, or so I like to think. Uh, and because I have the palate of a 5-year-old, uh, I love cinnamon roll lattes, blueberry pancake lattes, but that's not what I make on an average
day. Uh, I make just a simple vanilla latte because time. Uh, and then lastly, you know what I look like because I'm standing in front of you. This is me as Clyde the Cougar. Uh, so for those of you that do not live in Charleston, South Carolina, uh, Clyde the Cougar is a mascot at the College of Charleston. So in this picture, Clyde just received his class ring. Uh, and that's actually me. So I was one of the mascots uh, for the college for about two and a half years. So here's our outline for today. Right. So we're just going to take a quick look. We'll start by framing the problem. So why cyber security needs
better leaders, right? Then we'll talk about the mindset shift uh from an individual contributor to a leader and then break down the core skills that every new leader needs and then pitfalls to avoid. After that, we'll get into managing people, especially the challenge of leading your former peers, which is always fun. Uh and then we'll also cover how to build your leadership style and then how to keep growing once you're in a leadership role. After that, we'll wrap up some Q&A. Uh, and so for our Q&A session, I actually have two books that I'll be giving out. Uh, it's the Phoenix Project. If you've never read it, uh, it's extremely relevant to this talk. I don't want to ruin it,
right? So, to start, I like the upside-down pyramid. You start very broad and then, you know, you kind of narrow it down. So, in prepping for this talk, I was trying to find some really cool stats uh that might kind of shock people. Uh and the one I came across was ISACA's uh State of Cybersecurity report from last year. So 66% of the people that they surveyed, which is around 1,800 professionals, uh say that their jobs are more stressful today, or at the time the survey was being conducted, than they were 5 years ago. And that's not just workload. That's leadership strain, right? So cyber security teams are burning out. Not because there are more attackers today than there were five years ago, which could be true. There are more bugs today than there were five years ago. There are more alerts today than there were five years ago. But ultimately they found that leadership teams are under-supported, they're under-coached, and they're under-led. And so when we promote people for their technical skills without leadership training, what do you get? Right? You get delayed projects, you get stressed-out teams, and those two things turn into burnout, which you'll see as a constant theme throughout this presentation. Uh, and this talk isn't just about being a better leader, right? That's an entirely
different topic. This talk is more about being a sustainable one. So, as we look into the leadership gap, right, we'll start by framing the problem, right? So the leadership gap is the mismatch between people being put into leadership roles and their actual readiness to lead. Right? So in cyber security and tech, this happens all the time. We promote high-performing individual contributors into management without giving them leadership training or support. Right? Uh it makes sense from a business angle, especially in consulting, uh where it's faster to promote somebody who already knows the ins and outs of the company. They know the culture. They know the TTPs, right? They know the stakeholders, they know the different teams, right? Than it is to bring someone external to the company who has to quickly ramp up to not only assume the role that they were hired for, but then they have to go learn the tribal knowledge of the organization, right? So, however, while their technical skills are top tier, that doesn't translate into leadership skills, right? And so, being the best red teamer or engineer or analyst or developer, right, does not make you the best leader. It's a completely different job. So uh with that we see frustration from the new leader and their team and their manager when people are not prepared, right? We see micromanagement from leaders down to their teams. Like, show of hands, who here loves being micromanaged? Loves having somebody looking over your shoulder critiquing everything? Right? Like I surely don't, right? Uh and when you ask, well, why do people micromanage, right, it comes down to a trust issue, right? The leader hasn't established that trust with that person to be able to say, "I trust you to do the job that needs to get done. I don't care how you do it as long as it meets these things." Right? Um and then we also see missed deadlines and team stagnation, right? Progress slows, morale dips, and then people start burning out. And what happens when people burn out? They leave the organization. They go find something else, right? Which, as a senior leader, good retention is great, but it's always great having some fresh blood in your organization. But like high numbers of people leaving your organization, there's clearly a problem, right? So leaders should be considered a force multiplier in my opinion, right? However, that force multiplication can go positive or negative, right? If the new leader is supported and there's an emphasis on their development, right, then they multiply impact in a very good way. Right? If they're just thrown in, figure it out, right? Some people will swim, others will sink, the majority will sink, and because of that, that's the bad uh force multiplying. And then the team suffers the most. So, where do we go from there? The
mindset shift, right? which I'm very proud of myself that I just said that term because I practiced this for the last couple days and I could not say those two words together. Uh but it's one of the hardest parts of the transition and it's one that nobody prepares you for. Like nobody when I moved into a leadership role, nobody sat me down uh and said this is what it means to be a leader now. Are you sure you want to do this? Right? I was in the army and I didn't have a choice. I got promoted and it was like great here's five people. Figure it out. Right? Uh and so uh coming outside of a military
and government world, like as an individual contributor, your worth is tied to how much quality work you personally crank out, right? So the top performers are the ones that, you know, always achieve results. They deliver either on time or early on those deadlines, right? They encourage people around them, right? But it's all about them, right? When you transition from an individual contributor to a leader, this bottom statement here: it's not about you anymore. And so uh as a leader, again, that model breaks. It's not about you doing the work anymore. It's about enabling your team to succeed. So taking this a step further, uh that last phrase on the slide deck, right, it was
one that was told to me when I was promoted uh to sergeant in Afghanistan in 2011. And it's something that over the last 14 years that I've kept to my, you know, it it's something that I still remind myself today and it becomes a perspective piece, right? And so I use it sometimes as a mantra when things are like going rough and I just feel like I'm just getting beat up by everybody and everything around me. You know, it's the the sacrifices that I make as a leader is expected because I'm not it's not about me anymore. It's about the people that I lead and the people that roll up to me. my job is now to enable
them. And so when you make it about your team and not about you, your entire perspective will change. Right? This is a piece of advice again that I share with every single subordinate leader that moves from a consultant role into a people leader role. Right? And we're going to spend some more time digging into this. So we often treat leadership as a reward for being technically excellent. But it's not just a step up, it's a pivot, right? You're not leveling up in the same game, right? It's not like you started off as a network pentester and then, you know, you started off on external networks and then you moved to internal networks and then you combined
your powers together and then eventually made your way into red teaming, right? Uh you're starting a new path altogether. You're making a career change when you move from individual contributor to leader, right? And so, you know, the the there's four pieces uh that kind of make this up that I was when I was putting this slide deck together. Being a leader doesn't mean you're getting more advanced technical work, right? In the consulting realm, you go from, you know, normally security consultant, maybe security consultant one or two, right? And then you move typically move into a senior role, senior security consultant, then you'll move into a principal consultant where principal is the pinnacle of your career, right? you're seen as the
technical expert in your domain or several domains, right? Being a leader though is not necessarily that, right? You go from being a very high-performing uh individual contributor, and now you're moving up, but you're also moving back down, because now you typically start out in a junior leadership role, right? It's an entirely different career change. And so because it's an entirely different career change, you're shifting from doing the work to enabling others to do it. And so that requires different tools, different behaviors, and again a different mindset. So strategy, people, process, technology matter more than your individual keyboard time. You're moving from solving technical problems to organizational ones and you're starting to think bigger. So again, my experience is in consulting. So you go from, I've got to deliver this project on time, how am I going to do it? Uh methodologies, reporting, all that stuff, to, man, we have a capacity problem. How can I increase capacity without increasing my headcount, right? And the implications that come off of that. You're starting to solve more of those challenges, right? You're starting to take the blinders off a little bit more and see more of the picture, right? So the second block up there, managing people. So growing, maturing, developing people is your new task, right? Your new scope of work that you're trying to look for: one-on-ones, coaching, hiring, resolving friction, right? Resolving conflict, mediating those things, right? It might feel like a distraction, but it's what actually drives the outcomes, right? So, oftentimes you're like, man, my boss told me to do something and I'm involved in these other initiatives and I've got to take care of this, and uh now I've got to stop my workflow completely and I've got to go do, you know, a 30-minute, hour-long one-on-one with people on my team. It might seem like a distraction, but that's another aspect of your job, right? In this hypothetical I'm creating, right? Because your job is to enable those around you. Uh if your people are raising their hand and they're like,
"I'm drowning. Can you give me a life raft?" And you're like, "Sorry, I got to go take care of this." Uh and you come back and you know, the water's now up to their chest and they're like, "I'm still drowning, by the way. I don't know if you realize this." Uh you know, like, "Oh, I gotta go do this other thing." Right? eventually that person will drown, right? Hopefully, hopefully not, right? But uh that person will drown and then by going that path what that you know translating that that person's going to leave your org, right? And that person could have been very detrimental to your overall team and you missed it because you didn't spend the time uh to
dedicate that time to them, right? So the the third block in there, emotional shift. And this is probably one of the hardest ones that most new leaders come into, right? Uh letting go of the work that you love, right? Watching others struggle with something you can fix in five minutes, right? uh you're sitting there and you're watching, you know, having to coach somebody through something and it's like, man, in your head, you shouldn't say this to them, but in your head you're like, the amount of time it's taken me to explain how, you know, what I needed, I could have already have done it. The problem with that though is that that's only one task
and you might have a hundred, right? And you can do all 100, but you're not going to get all 100 done when they need to get done, right? And so therefore, you're going to have to enable these people and allow them to struggle. But there's beauty in the struggle, right? Because you're enabling your team to grow. You're enabling them to tackle a problem, tackle a challenge that they've never had to deal with before, and they're having to navigate and figure that out for themselves. You're there to coach them. You're there to provide direction, but at the end of the day, they it's a task you assigned, and they got to get through it, right? So, at
that point, you're no longer concerned with getting a task done. you're now concerned with enabling them to make it happen. Right? And the last one, outcomes over input. You're no longer judged by what you get done, but what your team achieves. Right? So, as an individual contributor, performance is personal. How do I move forward? How do I get what I need? I need this training. I need to go and do this. I need I need I need right. And then as a leader, it's collective. My team needs more time. My team needs time to react. My team needs training. My team needs resources. they need X, Y, and Z. Right? So, some of the things in there that you can ask
yourself to determine if they're actually growing: are your people aligned? Are they growing themselves? Are they delivering? Right? Those are your metrics for your scoreboard now. So, in short, you're not the star player anymore. You're the coach, you're the strategist, and you're the advocate. And the shift in that, that's the promotion. So now we'll spend some time talking through some core leadership skills needed, right? So when I was thinking, there are so many skills that good leaders need. How do I make it? I don't have a slide deck big enough. So these are the four that I kind of considered the foundation. If you do these four things and you're able to do them very well, then you have a higher likelihood of success in serving as a leader in an organization. So starting with communication, right? Communication isn't just uh verbal. It's not just how you're able to deliver a message and talking to somebody on the phone, right? It's also written, right? And so it's adapting your message for the audience that's in front of you, right? So if you're a consultant and you deliver, you know, you did a web app pentest and you generate the report and then you deliver the report and do the readout call, right? There might be a CISO on the call. There might be an engineering manager. And there might be somebody from that team. Each of those three people is receiving the same message, but they're going to take away different things from that message. The CISO cares about the overall risk. The engineering manager cares about the overall problems, and the individual person may only care about a certain piece of it, right? But you have to be able to write that report so that all three of those groups are able to extract the information they need and then conduct actions on top of it. Right? And the only way you're able to do that is if you know your audience, right? So when you think of the best orators in history, right? You've got Churchill, Roosevelt, Martin Luther King Jr., Lincoln. You know what
do all these people have in common? They were all considered leaders of their time, right? And so in short, it doesn't matter if you have all the answers. If you cannot clearly articulate your message and thoughts so your audience can understand and act, your words are going to be useless. I don't care how good of a pentester you are or a red teamer that you are on my team. I don't care if you found every single vulnerability alive in an environment or on an application. If you can't communicate the risk to your to the people that need to understand that risk, your efforts are useless. Right? So, uh next piece is delegation without micromanagement. Right? So delegation
isn't dumping. Some people may think, oh well, you know, my boss isn't going to take care of this and they're just dumping it on me and now I have to deal with it, right? But really from a leadership side, it's not just dumping things on other people. Uh it's assigning outcomes. It's trusting people and you're getting out of their way to do what you ask them to do, right? Uh and so I encounter this a lot. Leaders today have too much to do and not enough time, right? I wish I had more time. I wish there were 40 hours in a day instead of 24, right? But the only way that I'm able to actually achieve the
things that I need to achieve at my level and my leaders at their level is they have to provide purpose, they have to provide motivation, and we have to provide direction. Right? Those are the three things that we owe our individual team members. Right? And so we discussed it on a previous slide, but you're paving a path and allowing others to struggle in a safe manner and enabling them to grow. You're giving them some left and right limits, right? You're not letting them drive the car off a cliff, right? But you got to you got to teach them how to drive, right? You got to provide some coaching there. Uh, next one is decision- making under
pressure. So, something I learned early in my career is the higher you go, the smaller that spotlight gets on you, right? So, when you're an individual contributor and you're standing on a stage with all the other individual contributors, depending on the size of the org and the function, you can kind of hide, right? But as you start to move up your leadership ladder, right, that circle gets smaller and smaller and smaller until possibly one day you're standing up there by yourself and there's nowhere to hide, right? And so, uh, something that I kind of coach my team members through, my leaders through, is there's a time to gather information, there's a time to debate, but ultimately there's a time to decide
on the path ahead, and then you have to execute. And we'll get into this a little bit later, but newer leaders typically spend more time gathering information and debating instead of actually executing, right? So they spend all this time discussing and validating and doing all the things that they need to do, but then when it comes time to execute, it's like, I need this done by tomorrow, or I need this done, you know, within, you know, an unreasonable time. Not saying that that's always the case, but I've seen a lot of new leaders make this mistake. And so uh when you do decide and execute on your own decision, right, it should be something that you
truly own, right? Ownership is a huge part of leadership. You own the successes of your team. You also own the failures, right? Pros and cons. The goal though is to have more successes than failures, right? Uh but I will tell you in my career when I have failed, I have failed spectacularly, right? I like I I failed like nobody has failed before, right? because if we're going to do it, then we're going to do it big, right? Uh so then the the the last one on this slide is giving and receiving feedback, right? A lot of leaders think, you know, a lot of people moving into leadership thinks that they have to have all the answers. I'm here
to tell you, you don't. I don't have all the answers, right? When I'm talking to my team, but and in that they have to be able to constantly give feedback. That is an expectation. But another side of that that I think some people might have problems with and I'm talking to myself uh is receiving and taking that feedback, right? Uh but giving and taking it is not optional, right? It's how your team improves and it's how you continue to grow and improve as an individual leader, right? So at the end of the day, your teams are looking for you to guide and coach and train and mentor them. They're looking for you to hold them accountable and the rest of
the team accountable, to establish that standard and that baseline, and everybody has to meet it. And then lastly is consistently providing feedback and updates on their performance. My company, we use one-on-ones, and I use this very heavily. Uh it's a way that I can manage expectations, but it's also another way that I can keep my finger on the pulse and enable the people on my team. Right? I constantly ask my team members, both principal consultants that report to me directly and my managing and senior managing consultants: what can I do to help you? What challenges are you facing today? What is it that I can do to enable you in your role today? Right now, I will tell you, I've already mentioned it, but I'll tell you again. I'd be a hypocrite if I told you I'm great at receiving feedback. Right? It's not easy hearing someone tell you where you failed or you've made a mistake or you didn't do something well enough. Right? And then if you ask my wife uh how good I am at receiving feedback, she'd probably laugh at you, right? So, taking away the professional, in the personal life, every time my wife says, "You probably shouldn't have done that," I turn not nice, right? Uh but this is a weak spot for me personally and it's something I try to work on every day. So
how do I handle that? I try to remind myself that the person that is bringing me this feedback is not necessarily attacking me, the person. They're most of the time attacking the idea, they're attacking the behavior, right? And sometimes new leaders kind of confuse those two and they think they're attacking them, the person. And then that's one piece. The second piece is that we're all moving towards a common goal and that person is also trying to move towards that goal and they're calling out perspectives and they're calling out blind spots that maybe I didn't even know existed, right? And so not all the feedback will be relevant, not not all the feedback will be good,
right? But the feedback is needed in your overall career growth. So this is a fun one. Leading former peers. Are there any leaders in here that's had to lead people that were the homies, right? Yes. Uh it is it is not fun. It's it's kind of weird, right? Because it's like, man, I was just hanging out with this person the other day and we're grabbing beers and now I'm this person's boss and I'm now responsible for their career, right? So, I mean, these are four things that I like try to instill and try to narrow down like what can we actually nail, right? And so, first you got to acknowledge the shift, right? like I
don't know. I'm somebody who just let's tackle the challenge head on. And so in this case, the challenge is the elephant in the room, right? I'm now your boss and you have to listen. You have to do what I ask you to do as long as it's not illegal, immoral or unethical, right? And so I've seen some people be like, "Ah, well, nothing will change. Everything is good." Right? But you're wrong. It will change because there will come a time where that person messes up and now you've got to go correct it. There will come a time for promotions. There will come a time for pay raises. There will come a time for evaluations, right? Where you have to be
critical of this person, right? And so the longer you wait to have that conversation, the harder it is it's going to be for you, right? So, how can you do it? You just acknowledge it. Hey, I'm your boss now. We can still be homies. We can still be cool. We can hang out. Our families can hang out, right? We can play video games. We can do whatever, right? But when it comes to the business, you report to me. And and so it's not just from the leadership side to, you know, the individual contributor, the subordinate, right? It's now to a place of there needs to be mutual respect between the two, right? And so, but it's not that person's job
to tell you where the lines are. You have to have you have to tell them where the lines are. And in fact, I would take it a step further. You have to have the dialogue with them to establish the the the boundaries and where those lines are. Right? So uh the second one leading into that is set expectations early, right? Uh something that I try to do is I try to get away from ambiguity. I hate ambiguity. I hate gray areas and I like a playbook for everything. I like roles very clearly defined, very clear expectations. And the way that we do that, the way that I found to do it is formal documents within the company.
Right? Uh when I first came over to Net Spy, it took two and a half years, but we finally got role charters established that outline the responsibilities, the training, the expectations of a role for every single one of our consulting positions. This removes the need for me having to come up with this off the top of my head, right? And also, as your team continues to scale, I don't scale in that way, right? So the message I might deliver to one person might differ from when I'm delivering the same message to another, right? And so by having in this case having a work group established that you know is comprised of multiple cross functional
teams that are having input and say into it once you get to a final document it's a hell of a lot easier to point to that and be like these are the expectations of your role. And then at that point as a leader you can add to but you cannot take away from right. So that's I I try to, you know, it's our policy. I don't know to tell you here's where we are. Um, you know, it makes it a lot easier for your leaders to have those sorts of conversations, right? And so in that something too when you're trying to lead uh your friends, right? Uh don't assume that they'll read your mind, right?
They're not going to know. They're looking for you to establish where those boundaries are that we already kind of already talked about. But you as a leader, you set the tempo. You set the pace of that conversation. Right? Like that's your conversation to have and then you have the burden of providing the clarity of how both of you are going to navigate you know this new dynamic that's there. Right? So for me fairness is everything right? Favoritism even perceived will crush your credibility. If you lose credibility with your team you've lost their trust. If you lose their trust you're no longer effective. It's just it's just not going to happen right? Uh and so by establishing those
roles, by establishing those expectations upfront and then applying those expectations to the wider group, to your entire team, right? You're removing that bias. You're removing even the perception that, oh, that person just got promoted because they're friends with Leo. That person just got that pay raise because they're friends with Leo. That person was able to go to BSides because they're friends with Leo. Right? The moment that creeps into your team, it's poison and it'll run through your entire organization. Right? Last part, I tell all my new leaders this. Just because you're the boss now doesn't give you the right to be a jerk, right? You're not a dictator. I don't allow that to
happen on my team. And in fact, in the training program that we've established for individual contributors becoming managing consultants, uh it's a four-month program. At the six they're assigned uh three to four newer consultants to the org uh and their job is to effectively lead them right they're cutting their teeth on leadership on day one uh and so at the 60 and 120-day mark when I built this program I established uh there's a conversation that their direct leader will have with every single person individually where they're essentially grading that leader on I think 12 topics right and they're asking these probing questions. Um, you know, it spans from communication to
morale, uh, to how well they feel their needs are met, right? Uh, it's through that not to get the leader in trouble, but it's meant to establish where that person needs to grow, where what are they doing that does not work. And the way that I communicate it to our team members is this is the one time that I want you to just be as hyper critical of this person as humanly possible. And this isn't you're they're not going to know you said it. We've got mechanisms in place to provide that anonymity, but I don't operate with them on a daily basis. And therefore, I need to know where they're not succeeding and where they're failing because if you don't
tell me, I'm not going to know and you're going to feel the pain, right? And so, because news flash, when you're done with the program, they're still going to be your boss, right? So, now's the time to tell me. So because we're focusing on it so I can help correct those behaviors, right? So last part, it's a marathon and it's not a sprint, right? Don't fall into the friend trap. You're their manager now. It's your job to lead them and they're looking to you to provide that leadership. So next we'll talk about imposter syndrome. Who here has imposter syndrome? Yep. >> Yep. I have it right now as we live and breathe. Uh, and so, uh, you know,
if you ever thought I'm not really a leader, like, welcome to the club, right? Like, I didn't think that either. Uh, especially being promoted in a wartime environment and now it's like, oh, this got real. Now I'm responsible for these people's lives. Like, this is, and I think I was 20, 21, and I think I had five or six people assigned to me. Uh, but, you know, imposter syndrome is almost universal in first-time managers. I felt it. I'm sure many of you that are in leadership positions have felt it. And if you make a jump into leadership, you too will feel it, right? Uh but what is it? Right? It's that voice that says you don't belong. It's a voice that says
you're not good enough even when you do belong and when you are enough. You care and you're growing. Right? And how do you combat it? Right? Well, the first thing that I always do is I get feedback, right? I ask myself why. I do the self-reflection. Why am I not good? Where do I think I'm failing? What where do I suck? Right? And then I write those down and then I go talk to my peers. I go talk to my boss. I get feedback from my direct reports and even their direct reports, right? Because their opinions matter too, right? And I use that to challenge my assumptions to be like, "Oh, I didn't think I was good, but
either everybody's lying or they think or I truly am doing a at least a decent job. Right? And so as individual contributors, success is clear and it's measurable. Right? As leaders, it's slow, sometimes extremely painful. It's messy and it's shared, right? But again, your successes aren't as a leader aren't really yours. It's the teams. It's not about you anymore. It's about your team, right? And then lastly, confidence. Right? Confidence isn't a requirement for leadership, right? Uh it's a result, right? So, how do you gain confidence, right? How do you build to be, you know, in your head when you think of a leader as somebody strong and resilient and, you know, willing to lead from the front
and those sorts of things? Well, what I've learned in my career is it's knowing the material, knowing the environment, knowing the stakeholders, putting the time in to understand how things work and that sort of thing, right? So, uh, common mistakes leaders make, right? The first thing is uh trying to stay too technical. This is something that people most definitely love to be. They don't want to give up the technical work, but here they are, right? And so the way that I describe it is when you're an individual contributor doing technical work, you're sitting at 100% and at 100% you were successful. But then you move into a leadership position and you're still trying to be technical
while in a leadership position, meaning you're doing the job of somebody else while also trying to do your job. You're you the best you can do is 5050 in either or, right? And then I would personally would rather take somebody who's a 100% good at one thing than 50% good at two things, right? Uh next is avoiding harder hard conversations, right? Like this is another thing that it's it's uncomfortable being a leader, especially when you have to let somebody go from a company or you have to tell them, hey, you're not meeting the standard, right? But the way that I phrase that is you're not meeting the standard. Here's what you're doing. here's where the standard is. Here's how
we're going to get you there. Right? Here's where we need to help you. Right? That's the second part. It's easy to call out mistakes. It's easy to call out when people are not doing what needs to be done. But it's even harder having to come up with a plan and a roadmap to get them there. Here's how we're going to do it. What do you think about this? Do you think this is feasible? How do you feel? Right? I might be wrong. Right? I might think that you're not meeting the standard when in fact you truly are. Right? But again, I try to challenge those assumptions to make sure it doesn't happen. We've already talked
about micromanaging everything. I think it's kind of agreed leaders don't have time to do it. I, you know, I hire adults. I hire professionals. Your job is to do your job, right? Failure to do so will result in negative consequences for you, right? Like at the end of the day, like I'm not trying to be a jerk, but that's just where we're at, right? So, when you're struggling, raise your hand. When you're needing help, raise your hand. When you need something, raise your hand. The failure to do those things, I don't know. I'm not a mind reader either. Right? And then lastly is seeking approval over impact. So, new leaders often try to be
friends with everybody, right? They try to be friends. They try to win people over in that regard. Oh, they're a friendly person, right? But, uh, people instinctively could take your kindness as a weakness, right? Oh, I don't have to go tell this person that I'm going to go do something because, you know, what are they going to do to me? Yell at me? Whatever, right? And so again, by setting those expectations early, by having those conversations early, by being the standard bearer and establishing those standards, right? You kind of help prevent all of that. So next is building your leadership style, right? So this is the fun part. So how do you do it? Well, it starts with your
values, right? So once your values is what is the core, it's what grounds you. It's what you feel is important versus not important, right? And then through your values, right, you'll learn to discover what are your strengths in enacting those things, right? You'll also discover what your weaknesses are, right? And so when you are discovering these strengths and weaknesses, right? Lean into your strengths, right? If you're great at talking to people, don't do a lot of your communication over written form, right? Go talk to people, right? Otherwise, you know, if you're I kind of tell my consultants this all the time. It's like you got to go do thought leadership things, right? blog posts on
various topics, conference attendance, right? But some people were like, I don't like public speaking. I'm like, great, go write something, right? Or I'm a terrible writer. Great. Go speak. Like, I'm bad at both. Well, pick one and I'll help you, right? That's kind of where we're at, right? And so from those strengths, like you'll lean into them. And then with your weaknesses, you also figure out these are the things that I need to work on, right? Uh lastly is the feedback. That's how you can also put that into, excuse me, that's how you can also put that into your strengths and weaknesses to help figure that out, right? And then lastly, there's several frameworks out there that you can
utilize. Servant leader, coaching, what's the other ones? Uh situational leadership, right? But that doesn't mean that you fall in just one bucket, right? You you should be adapting and you should be changing your leadership style to the person that's sitting across from you. I've got people on my team that sometimes I'm slowing them down by, hey, let's do a one-on-one. And they're like, can we do like 10 minutes instead of like 30 because I got a lot to do, right? These are typically my high performing people and it's like, I just need to make sure you're good. Are you good? Not good. How's life? You know, great. All right, get back to it. Right? I have other people that require a
little bit more attention, right? They need more support. They need more coaching. Right? So, uh, the last part of all of this is if you nail all those things down, eventually you will come out being authentic. Your authenticity will be there, right? And so your lead, your team members will be able to snuff out when you're not being authentic, right? It's very important. All right. So, how do we lead from the long haul? Right? Well, the first thing is you got to set boundaries, right? You got to set boundaries in your work life. You got to set boundaries in your personal life. The second thing is you got to invest in your team and you got
to invest in yourself. Uh lastly is avoiding burnout and then planning for your long-term growth. And the way that you do that again is by feedback, grabbing some mentors, bouncing ideas off people, learning to grow, thinking about what your next steps are and then working towards those next steps. Right? So the key takeaways, right, leadership is not is a mindset shift. It's not a title. You don't become a leader when someone changes your job title. You become a leader when your focus shifts. You don't need all the answers. You just need clarity and intention. Right? You grow through the feedback, not perfection. And you lead in a way that's authentic and sustainable. I kind of
rushed through this last couple slides. I'm running out of time. Right. So, now we'll move into Q&A. And now I'm going to go into hot seat. Who has questions? Yeah. >> Oh, she's gonna help. >> Um, yeah. Thank you. This is not on. >> Okay. Uh yeah, this is exactly where I'm at. So I I appreciate the talk. Um so earlier in the the slides you were talking about um the the trap of I could do this so much better when you're looking at delegating. And so I was I was wondering, you know, that ties into the micromanaging of if you have a a product, a deliverable for a client and it needs to be up to this standard, how
do you like if if I could do it to, you know, 95% quality and then the person that I'm leading would do it to maybe 70% quality, how do you um how do you avoid micromanaging with the back and forth of this is how you need to do it. this is, you know, some of that's this is how I would do it. Um, but how do you effectively lead and and shape that person to be able to increase the the quality to what the expectation should be for the deliverable without getting into that micromanagy territory? >> Yeah, for sure. So, with any given task, there's a time and a place, right? If the client is standing in front of me
and they're like yelling at me, now's not the time to go allow a consultant to go and talk, right? like now I need to not push them aside but step in front of them and handle it, right? However, if you have a deliverable and it's not due for a week, that might be a good time to let them do that, right? And maybe you're check, you know, it's Monday, you get the assignment, you check in with them on Wednesday, see where they're at. You might need to get your hands dirty a little bit because maybe there's a gap or shortage there, but you're still enabling them, right? At the end of the day though, it's all about enabling your
people and allowing them to grow, right? and what you don't you want to ensure that you're establishing the trust with them, but you also got to make sure the job gets done. So, there's a way that you can handle that. Whenever I find myself in that situation, it's like, "This looks really great. I'm going to bang out the rest, not because I don't trust you, but because this is due tomorrow and it's 5:00 and I got a wife and a kid and three dogs, right? So, I need to go take care of this." So, I you know, and then we'll do an after action review after it, right? Here's the changes I made. Let's walk
through it. Let's talk through it. You know, again, there's a you got to meet the deadline, right? Hope that helps. >> Leo, great talk. Enjoyed it very much. Um, >> in the transition from going from technical to leadership, >> a lot of us may have apprehension about over time losing those technical skills. They're eroding as we're focusing on leadership. Yep. >> What type of suggestions do you have for that? >> Oh man, I'm in this right now. Um, yeah. So, it's about managing expectations with your boss, right? So, if you you should still maintain some level of technical knowledge because you're leading technical people. You can't just ignore it, right? But at the same time, you
kind of shift your focus to what do I actually need to be doing? Is it my job to actually deliver the pen test or do I need to coach people on how to do the pen test, right? And so, uh, but at some point your individual people are going through their journey as well, right? So, you're not going to have all the answers. So, you be like, you need to deliver a pen test. These are the core areas of delivering a pentest. I challenge you to go figure out what these areas are. Right? Now, when it comes to being personal and having to maintain your own skills, manage expectations. I'm one person. I got 90
people on my team, right? You're asking me to do a pen test. I will do the pen test. But if the client comes back angry, you can't yell at me, right? Uh I haven't done a pen test in two years. Little rusty. I'mma grab people I need to make sure like double check me, fact check me, right? The people that I trust to know that. And I think when you do that, it shows humility. And I think it also shows that you trust those people that you grab because you're like, "Hey, go look at my work." And like red ink it up, right? I don't care what it looks like. I don't care like make it the best
product possible because if it's not and it passes it, if I use my title and position to bypass the quality controls that we have in place, the client is the one that suffers. And then, you know, I'm it's going to come back. The client's going to be angry. You know, who's going to solve that problem? The problem's going to go to me, right? is typically how it goes. And so I I was like, you know, I so I try to grab people that I trust that I know that are very knowledgeable that can just give me the cliff notes that do what I need to do to enable me. Uh and then I try to
establish that bar and then I grab those people early enough so that way in case I thought I hit the bar and I surely did not, you know, I got time to react to that. >> Yes, sir. >> Hey, I appreciate it. Great talk. Um, so I'm kind of at that point where trying to decide, do I still want to be a star player or do I want to officially make the jump into leadership? You had to wrestle with that. >> Yeah. >> How did you weigh that decision? How did you agree to give up being the star player? >> Yeah. So, I knew early on that I liked being the guy in charge. Honestly, like
if if I'm just being honest with you, I felt like I had a unique experience in the various units in the in the army I was assigned to, the various missions that we did, the operations I was a part of, that I brought a unique perspective uh that the average person did not. And so I wanted to take those skill sets and utilize those in a way that I can be a force multiplier across not just my company but across our industry and bring those insights to help other people be better. Right? And I found that I enjoy watching people grow and develop and do hard things because not because of me but I enable them to do
those things right. Uh I found more joy in that than wrecking a client's environment honestly. Like that's fun and that's great and that's cool that you're able to do all those things, but you're one person doing one task whereas I can have an impact. You know, there were 30, 40 people in here. 40 people might become leaders today, right? So that's a better way that I looked at it. So if you don't know anything about the Enneagram, that's a natural-born leader. Like I'm all about justice and equality. Uh and that's part of that whole thing. Uh and so I just enjoy like being the guy. I get that. Thank you.
>> Yeah, you're very welcome. >> A great talk. Thank you. Appreciate it a lot. Um, kind of all along the same lines. So, uh, you talked about how you were essentially thrown into leadership to a certain extent and then you learned that you liked it, right? A lot of times I think in the workplace, um, it looks like it's inevitable that I you've got to go from this individual contributor to leadership, but that's not necessarily the case. People have told me, you know, you don't have to build your career of like going to leadership eventually, but do you think that that even if you are somebody who is an individual contributor, I should be looking for opportunities to manage and
try that out and be an individual contributor and try that out. I've had a lot of opportunities where I've been the guy with senior leadership being their technical hand. And I also had an opportunity where I chose to try that leadership thing and sank instead of swam and learned that maybe I'm not that guy. >> Yeah. >> But what's your position on developing that those two prongs? >> Yeah. So I man I whenever at my company whenever I have people looking to move into a leadership position like my leaders tell me like hey this person's a good candidate we should go consider them. I personally go have a conversation with them and I give them
the reality. I'm like, "All right, so you want to move into a leadership role. That's great, but it's not the only step that you can take at this company. So why do you want to be a leader, right?" And there's no right or wrong answer to this, right? I'm just we're having a dialogue. And sometimes I find that oh well, I mean, it's just the next thing to do. And it's like, okay, well, it's not the next thing to do. These are going to be the expectations of you now. These are going to be the things that you have to do and and do well. You don't have to do it alone. You have an
entire leadership team here to support you, right? But if you feel like you're doing it out of necessity versus you want to do it and you're interested in it, then you're probably not going to succeed. And so I'm somebody that if it's going to if the answer is going to be a no, I want to get to a no quick so we're not wasting each other's time. And again, just because I've had people be like, I see what you do. I don't want to deal with people. I just want to go in a dark room in a corner and solve a hard problem. Perfect. There's a place for people like that. 100%. Right. So, you
don't necessarily need to feel like you need to move into leadership because there's no other avenue for you. I would say maybe your company, you should challenge your company and try to see is there other ways that you can leverage my skills and abilities to where I can have a greater impact on the organization, right? And if not and you're mastered your role and you're not feeling challenged, that might be an indicator that it's time to go find the next thing, right? Uh but at the end of the day like I try very hard to make sure that we are my leaders know what's expected of them and they go in they go into the decision of yes I want to do
this with their eyes wide open and also through the training program that we created at our company our people uh our team members are also like they get four months to cut their teeth and at any point they can remove themselves from the program. This isn't what I thought it was. I'm not really liking this. uh I want to go back to just being a consultant, that's okay. But if you get past that point and then you're promoted, then you're held to that standard. And now if you can't meet that standard, which is what the program is supposed to be, if you can't meet that standard, then I have to hold you accountable just how I would hold any
other managing consultant accountable, right? And so if it's not working, probably a PIP is going to have to happen. But again, that's a whole other topic. A lot of people view PIPs as I'm trying to fire you from the company. I view PIPs as I'm trying to rehabilitate you. I'm trying to get you to that place. I've tried the informal manner. It just ain't working. Now I'm going to try the formal manner, right? Um and I view it as a good tool versus a negative. >> Spot on. Thanks. >> Yeah. >> Yeah, no problem. >> So, uh >> real quick, uh what college should I go to? First answer gets a book.
College of >> Huzzah. Who did it first? >> You I saw one hand. It's you. >> Uh I don't know. It was a good question. >> I got to get off the
Who here is moving into
Yeah, you're welcome.
It's good to hear.
>> Okay. There is >> we have an amazing talk in just a couple of minutes. Uh sorry, we usually have a little bit more room between talks, but that was very engaging. Um this is another talk about interviews you don't want to miss. Then we have our 3:00 CISO panel with the one and only Chris. Then we have our recruiter and hiring manager panel with Bruce Potter. And then networking at 5:00. So make yourself comfortable. Cool.
>> Do I need a mic or my >> I have a mic if you want to walk around. >> No, I'm good. >> Let me know if you want me to run your mic or set up for questions. >> Um I've timed it at 38 to 42 minutes. Um so I'm probably going to keep my little timer running as well. >> I'll, you know, I'll do a better job. The cards up. >> Oh, no. Don't worry. Yeah, please. Um, but um I'm feeling like I can get this within 38 to 42 minutes. >> So, take your time and you'll get a 10. >> Test. Okay, cool. You can hear me.
Uh folks, thank you so much for coming to my talk today. Uh, Your Interview Game Is Weak: Gamifying Technical Interviews Through Role Playing. I've timed this between 38 and 42 minutes. So, we'll see where we reach with that. >> Oh, okay. Cool. >> There we go. Cool. I'll stand a little bit closer. Sorry. Um, cool. So, quick agenda. Uh, we're going to talk about who I am. Uh, why am I here? What qualifies me to present. Why you should listen to what I have to say? Uh the metrics on hiring that I found uh based on data from published research as well as my unofficial survey uh that I put together,
how I think our industry is failing us when it comes to interviewing techniques, why gamification works, and why I turned to use gamification for this process. Uh we're going to talk about the solution that I created. uh how it began, the kit itself that's available right now. It's it's live. So, if you got one of the little stickers, if not, I I have them in my pocket. Um so, it is available now. Uh some of the initial feedback that we got as well as additional information uh on the presentation that I'm giving uh and how to contact me. So, let's jump into it. So, who am I? Why am I here? Uh my name is Matt Torbin. I'm
also known as Ghost. Uh I am currently the manager of application security at Quinata. Uh I was a former full-stack engineer in a former life. So I did that for a while. Um one of my most proud accomplishments uh is I am a concept creator and co-founder of a conference based out of San Francisco called Day of Security. Um thank you. Um if you are interested, Day of Security focuses on bringing more opportunities for women into cyber security. I am happy to put you in touch with the fine folks who are running that. I highly recommend that organization. Uh I'm also a former staff volunteer at multiple security cons including Packet Hacking Village at DEF CON uh Day of
Security as well as BSides SF uh public safety. Um I've authored a couple articles for 2600 on uh physical uh security and privacy techniques. Um I'm a huge fan of VR and XR in the workplace. So this week my uh hackathon team uh back in San Francisco is uh demoing their PC on bringing VR into our workplace. So fingers crossed for them. Uh and of course I'm a proud skateboarding dad. Um you'll notice that there's a big skateboarding theme uh throughout this presentation. It's because the interview kit that we built is based around a startup, a skateboarding startup. Uh so hence the theme. Unfortunately, I guess you can't see it, but in the background, uh, I had
a image of Alice in Wonderland popping an Olly North, which I thought was pretty awesome. Um, so what qualifies me to present? Why should you listen to me? Um, I've been in tech for 26 years and I've had two successful careers. Um, my first career was in development for 18 years. Uh, and it was, uh, the most senior role was a principal software engineer at RSA. I then transitioned into security uh eight years ago and my most senior role is manager of application security at Quinano. Um so I've taken part in countless interview processes. Um some of them I passed and some of them I didn't. I know there are some folks in here I've actually interviewed for. So
um yeah, it's it is what it is. Um I've rewrote and rebuilt multiple interview processes and I've seen what works and what doesn't work. So today this is really about uh what I think works well. So let's take a look at some metrics that I found and this comes from published data. This is as of 2025. 32% of job seekers say that they had a poor candidate experience in the last year. 26% of candidates declined an offer due to poor experience. Now this is down by almost half from the year before. And before we celebrate, think about this though that the job seekers today have lower expectations because of a tougher economic situation. Um, which is the reality. Um, although
91% of candidates say a positive experience influenced their decision to accept an offer. Now, this isn't rocket science. We all know this, right? A bad experience, people are not going to accept the role. A good experience, people are going to accept the role. But this sets the tone for what I want to present to you today.
So I did my own unofficial survey. It was anonymous. There were 18 questions. At the time that I looked at the data, there were 35 responses. It was posted on LinkedIn, Discord, and Slack. So if some of you did submit this survey, thank you very much. I really appreciate your support. I did have the data analyzed by Claude, and this is what I learned: the interview-to-job alignment was just about half. 60% of those who filled out this survey cited that arbitrary technical challenges were a top complaint. 70% valued empathy and respect most throughout the entire process. And over 70% of the security engineers themselves were frustrated with these irrelevant challenges. And lastly, over 60% wanted their time investment acknowledged, yet there was five-plus hours of process time. So what I've learned from this is that the interview process only about half the time matched the actual job. There were arbitrary challenges that had nothing to do with the role. We weren't respecting folks' time, and this was impacting security engineers quite significantly. And we're looking at five-plus hours of interview time, which is not good. That's not the experience that we want to give our candidates.
So how much of this resonated with you? These are some of the things that I've noticed over the course of my career: the job req required one skill, but when you got there for the interview, a completely different skill was tested. The interview process required over eight collective hours. I personally have had interviews that have lasted 11. There was a book on interviewing techniques that was needed to pass the interview, not necessarily on the content of the interview, but just the techniques themselves. Critical skills not listed in the job req were ignored. So basically, you might have come from another industry or another role and you had this really great skill that would have been valuable to the team, except they didn't interview on it because that wasn't written into the job req. It was blindly based on another org's process as the gold standard. I'm not naming company names, but you know, we all have had this experience where company A has taken company B's process and without even really thinking about it said, "Oh, that works for them, so therefore it's going to work for us." And that doesn't typically work out.
The tech challenge was an all-or-nothing approach, or worse, it was purely academic and unrelated to the role. My personal favorite is focusing on terms and definition memorization. I personally do not have the OWASP Top 10 ready to recite to you right now. I am well aware of it, and none of my folks that report to me need to recite that on a daily basis. So, not necessarily something that we hire for.
So I found two articles, and I found these really interesting, and I do have links to these articles. I highly recommend you read them if you haven't already. This particular article was written a couple of months ago: a student used AI to beat Amazon's brutal technical interview. He got an offer, and then someone from his university ratted on him. So the quote that I pulled from this is that Lee is a sophomore at Columbia. He'd graduate in 2026 if he stuck around. He planned to get a degree from college and use it to get a job in big tech. Training for the technical interview killed his passion for the job. Now for the hiring managers in this room, that's the last thing that any of us want. We don't want to be killing the passion for anybody. My response to that is that if your process is so complex that it requires this kind of fix, the problem is not the candidate. The problem is the interview.
This is another article that I absolutely love. It's written by Eric Lu from Kapwing. I highly recommend you read this article, and it talks about using AI. So Eric writes, "For prospective job candidates, my advice is still the truth will set you free. Even if you do get the job offer in the end after misleading the interviewer, your experience at the company may be short-lived if your work doesn't meet expectations." Now, my feedback on this, I just want to be very clear, has nothing to do with Kapwing or their interview process. I know nothing about it. But my thought process is, if your process does not allow for the use of tools that are otherwise acceptable in the role, you're creating a hypocritical interview experience and your candidates will lie to you. I will tell you, for our interview process we tell people you can use AI. You have to let us know, but you can use AI. We don't do that. So we turned to gamification. Also, I don't own that hat. I own the other one, but not that one. Gamification has existed for years. Humans love games. This whole week is filled with games. It's shown to influence people's behavior. So 90% of employees are more productive at work with gamification. 83% of employees with gamified training
feel more motivated. This is a huge thank-you to Adam Shostack's website, which collected all of these games, but I wanted to put this here so folks can see. This is a list of a ton of infosec games, two of which are my favorites, which are on the right: Elevation of Privilege and Backdoors and Breaches. Just completely aside, unrelated to interviewing, I highly recommend getting involved in these games with your teams. It is fun, it's enjoyable, and nothing but good comes from it.
So how did our solution begin? Well, it started with a team-building exercise that we were tasked to do to teach our team how to do threat modeling with Elevation of Privilege. And I created a company called See It Printed GPT, or CIP GPT, mostly because "Sippy GPT" is fun to say. So here's the company idea, and I wanted to create something ridiculous. So a user will create an object in 3D using VR, and then they put it up into a public repository, and someone else buys it, and then you get paid in crypto, and oh yeah, AI is involved in there somewhere. And so it was this humorous company with lots of security vulnerabilities. And we used this idea to teach the team how to do threat modeling. So what were the results of this?
The team learned Elevation of Privilege through threat modeling. Everybody had fun. And then one of the first embers that we saw, that we had a pretty good idea, was this: it was more engaging when you were inspecting a fake company. When you had something that wasn't a former developer's piece of work or something the company did or something that somebody has a personal tie to, it was much easier to have fun and be engaged and poke at this fake company. And so this is how we started thinking about maybe we do this. So if gamification works so well in things like training and team building and collaborative development, then could it work for interviewing?
And this is how it began. Now these are the actual materials that I provided to my team to learn how to do Elevation of Privilege for CIP GPT. We have a data flow diagram on the left and we have logic flows on the right. If you are getting heart palpitations by looking at that data flow diagram, good, that was done on purpose. It is terrible. But it was good for them to learn how to find vulnerabilities. Ironically, and I put this picture up because for me this was humorous, you know, I remember back in the day when you had James Bond movies and you'd see the movie and they'd have some crazy tech out there and you couldn't buy it, and then it went to James Bond films and a month later you could buy it. And then the last video that I just saw, the trailer, the car is out before the movie is even out. So I bring this up because I came up with CIP GPT as a joke, and I thought there's no way you could ever recreate that, until I found a way to recreate that. So essentially with Tinkercad, Toy Box, Coinbase, Discord, all wrapped up and immersed, I basically created CIP GPT. So there you go.
So the interview kit that we built, the first version, and the version
that's available today is the second version. So the first version: we started with a fake company that had some relevance to our industry, and then we created challenges that directly applied to the role, and this was key. The interviewers had a persona to play, with motivations, and I'll break that down as we do the walkthrough. The interviewees got the interview kit 24 hours in advance, and the entire process was fun and engaging for all. I will tell you that we have people in my company who are lining up to be part of our interview process because of this. So some of you may be thinking, well, wait a second, you're giving the kit to them 24 hours in advance. Aren't they just going to cheat? And the answer is no. Because of the EQ aspect and the randomization that you'll see, it's almost impossible for them to cheat. This is also the reason that we say please use AI, because AI will slow you down.
So the company that we created was called Board to Hack, B2. It's a San Francisco espace startup. The idea is it's on-demand access to information security services through skateboarding and longboarding, because why not? And the people that provide that are called skate-enabled hackers. This is one of the core pieces of the rulebook that you'll see. It's called the NPI. And the NPI is the non-playing interviewer. And each NPI comes with a backstory. So in this case, and forgive me, I don't have my glasses on, so I'll try and get this right: you are the current head of development efforts at B2. You were initially brought on as one of the original scrappy developers to help get the product's first version off the ground. Now you are leading the cloud platforms team and the software engineering teams, both of which would have some security-related tasks, as an independent security team has not yet been established. The goal of this is to really breathe life into these characters and to give the interviewers something to work with.
They also have a motivation, and the motivation is how you play the character. So in this particular character, your one and only goal is to make sure that the executive team is happy. However, this includes not blowing the team's yearly budget out of the water. You're open to any suggestions or remediation efforts that are proposed; however, you're keenly aware that the budget is a concern. Therefore, you're looking for solutions that impact the budget the least while also resolving the concerns of the executive team. Now, what I will tell you before we move on is, if you're going to try and employ this, the expectation is not that you rebuild this. It's that you understand what my thought process was when I built this and employ the thought process. You're welcome to kind of rewrite your own book version of this, but it will take you way more time than necessary.
The other thing that I added is something called alliances, favors, and against. The alliances are which other NPIs this NPI tends to align with. So, as an example, during the interview, if the head of development isn't really feeling how the interviewee is answering the questions, but the product manager really is, there's a chance that there could be that alignment, that those two could say, you know what, the product manager is happy, I'm going to be happy as well. The favors and against are really the things that this particular character is looking for. Things like solutions that are easy to onboard, can be measured, and players who show a willingness to work with others, and satisfactory.
>> So we also built challenges. Now the challenges are directly from the job req. So typically we start with about four challenges, and we rotate these often. Every time somebody is hired, we go back through them and say, is this the challenge that we want to do? Did it work the way that we expected? Did the interviewee answer the way we wanted them to answer? We determine this based on the seniority of the role. There's times I've done three, there's times
I've done four. And approximately 45 minutes per challenge, right? So if you're doing the math, with two challenges we're already down to 90 minutes of interview time. What we make sure is that this covers areas of the role being hired for. So things like threat modeling, code review, documentation, cross-team project negotiation, and offensive security testing. And this is how we actually test, because we very much wanted to make this a real-world experience. The solution that's available today in the GitLab will have what looks like a rulebook and the player guide. The player guide is essentially what you would give to the interviewee. It's simply the rulebook without a lot of notes in it, and you'll see that.
So some of the initial feedback that we got is that the vast majority of our interviewees thoroughly enjoyed this process. The testing process surfaced both technical and interpersonal skills, which in today's world, with the way that we do our meetings and our cross-team collaboration, is critical. The interviewees who were hired were some of the best I've ever worked with. I've had them on my team now for over a year, and they are amazing folks. Some of them are actually giving presentations at DEF CON.
So we're going to quickly jump into the walking tour. And I love this image. This image exemplifies what I want you all to take away from this, which is: this interview kit is like IKEA. Now, I'm assuming everybody is familiar with the concept of IKEA. When you go to IKEA, we don't look at the mock rooms and go, I want that room in my house. You know, you go there and you say, okay, that table will look good in my bedroom. That painting looks good in my living room. Right? The idea is, take the pieces from this kit and make them work for you. So let's just jump over to that right now. Okay. Hopefully that fits on the screen. I have the player guide over here as well. Now, I'm going to walk through what is in this document. It is a 30-page document. I'm not going to read it all to you right now. I wouldn't have time. But there's some things I do want to point out, and this is all available today.
So there's an introduction, which I just gave you. There's a summary that talks about what the company is about, and then the scenario for the company. By the way, those stickers are available on that table over there, and I have them on me if you haven't gotten one. The big thing is to take some time and build out the organization that you want to use for your process. The more creativity and character and depth that you put into this, the more it's going to pay off for the people participating. I talk about preparing for the interview. When you have folks come in to do this interview, this requires people to be comfortable getting into a character. We're not asking anyone to do anything silly or embarrassing, but they need to be comfortable that for 90 minutes they are representing Board to Hack. They are an employee of that organization. Some terms and definitions, breakdowns of the NPIs. We talk about sending out the materials, and these three bullets really wrap up exactly what I was talking about, which is: when any of us do threat models or we do code reviews, we don't just hop in and do a code review. We're given time to process the material, review the material. It's the same thing for the interview. Nothing is lost in transparency. All you're gaining is a little bit of trust. And the last one to me is one of the biggest gems of all. We've had interviewees come in and say, "Hey, I took the code and I ran it through this scanner and I ran it through that scanner and I created a fake Jira ticket," and those are the people that you want to double down on, because they took
the time to really show you what they can do. The rhythm of play: this is a conversation. We've had folks come in and just read to us. That's not how this works. You want people to be having a conversation with your team, engaging in those conversations. And you'll see that as we go through the challenges. I recommend, if this is new to people, to have what I call a day zero meeting, not a zero-day. And that's simply to make sure everybody understands what role they're going to be playing, where the caveats are in the challenges, what they plan on bringing to the table. This whole thing I call the campaign, and then each one has a chapter. So I've included four here that we have used in the past, and I'm going to walk through some of them now. Also, there's my skate-enabled hacker.
So, before we jump into that, you will see all of the NPI descriptions here. And again, in order to use this effectively, I'm not suggesting that people go recreate this document, right? The idea is this shows you the level of depth that you really want to present your team with and what they should consider. One of the things that I am most proud of, and one of the first NPIs that I created, was this senior cloud platforms engineer. And the piece that I have here is: if you find yourself having to prompt the player to ask questions, you'll begin to lose faith in the player and their ability to accomplish the task at hand. As this continues, you become less willing to entertain their suggestions. This is not a trap. This is real life. If I were to go in and do a threat model for a development team and tell them, "Okay, this is what you all are going to do. You need to fix this. You need to fix this. You need to fix this," not only are they going to get pushed back on their heels, they're not going to be interested in working with me, because I didn't take the time to ask them questions about why they chose the things that they chose. Bear with me. I'm doing a lot of talking.
You'll also see in here that for each one we have the alliances, the favors, and against. I've written about five of these, so it gives you an idea of how broad you can do this. The thing that I want you to take away from this is, for technical interviews, you absolutely should be bringing in the other folks in the organization who are interfacing with this person, like QA, like the project managers, because at the end of the day those are the customers and the stakeholders of your security team, and having them as part of the interview process is only going to elevate the entire enrichment of the process.
So we're going to jump into the first one here. This is the threat model, and I'll show you how I've built it. What we're asking of the candidates is that you find as many vulnerabilities as you can within the time allowed. For each vulnerability that you find, you need to give it a severity score: critical, high, medium, low. Propose a remediation effort. So the specificity of the remediation is really going to depend on what information you give them, right? The more detail you give them, the more specificity they can provide. And then we want folks to stack-rank things based on what they find. So they might say, okay, well, I found a cross-site scripting issue here. That's a high, but you have a SQL injection over here that is a critical. I would fix this one first. The nice thing about having that conversation is that the interviewers can kick back and go, well, hold on a second. That SQL injection is going to take a month to fix. This cross-site scripting is going to take a week. We can do that one first. And then it becomes a negotiation, and again, keeping with the theme, that's real life. There is a page in the rulebook that talks about the team goals and the team notes, some example interactions that your team may use if they need a little bit of inspiration to ask, and then of course a section here on what does success look like and what does failure look like, and I have this for each of the challenges.
Now, if we go down to the data flow diagram, I'm going to flip over to the player guide and show you what the difference is. So you'll notice very quickly that the rulebook version has some notes in it. And I've done that on purpose for people who, if they're doing this for the first time and they don't know where to ask, so the interviewers don't know really what to focus on, this is a great opportunity. And so one of the classic examples of things that we've done, I think you can see it from over there, or maybe not, but it'll say the connection between the internal employee and the web server will take HTTP, HTTPS, and SSH. This is a great opportunity for that interviewee to say, hey, why did you choose to do that? What was your thought process in that? And maybe one of our folks would say something like, well, just the health check is HTTP. So then if they're paying attention, they might ask, well, have you checked for protocol downgrade? Have you checked the other things? And now you're getting into this really rich discussion with your folks, with this interviewee, which is really surfacing the EQ aspects that we want to focus on. When I typically build these things, I build them very vague and I don't provide any type of guidance as to what people should say. Our interview team is really good at riffing off each other. I'll give you an example. We had someone come in and they said, "Well, how do you build your infrastructure?" And again, no notes. This is just off the top of the person's head. She said, "Well, we use Terraform." Great. So everybody switched their head, and now they're starting to think about Terraform. They're like, "Okay, we're going to start focusing on that. That's how we do this." That kind of randomization AI can't keep up with, right? Could somebody use AI? Sure. But it's going to lag the communication, right? This is very much what everybody should be doing every day, and so it's a very low-stakes kind of interview.
This is one that we've used in the past, and I happen to like this one a lot. This is called the addition, and what you're asking folks to do is suggest some type of solution that's missing. So we're going to focus on secrets management for a second. So they're going to propose a secrets management solution, whatever brand they
choose. And the company will only pay for one tool and the team will only roll one tool out. Now, you have three groups of people that you have to contend with. You have the loyalists, who will literally take whatever your solution is, no matter how terrible it is, and they're 100% on board. And then you have the skeptics, and what the skeptics will do is they'll pick an opposite tool. So if the interviewee says, "I want to use AWS Secrets," the skeptics are going to say, "I know HashiCorp Vault. I'm friends with the developer. I was around when they printed their first t-shirt. I know this on a molecular level. Convince me why I shouldn't use that tool." And the dissenters are slightly comical, but it's a group of folks who've basically built their own version of whatever it is in Perl or Python, and they're convinced their solution is better than anything else. And the idea is you have to convince these three groups all to agree that this tool that you're promoting is going to be the tool that's going to go forward. And there's a lot of negotiation that goes into this. And I think of this as one of those finger puzzles, right? You know, if you yank on it, it's going to break. But if you take your time and walk through it, this is a very simple exercise.
We've also included in here the code review. So we've created some pretty terrible code. I will tell you it is much more difficult to write bad code on purpose than it is to write good code. It took us quite a while to go through this and just find things that weren't just obviously broken but semantically broken. So highly recommend that. The caveat that you'll find with this is, if you build it right, when folks have used AI and haven't reviewed what AI has given them, they're going to get it wrong and they're not going to have the right answer. The folks who have used AI to write this and then reviewed it generally will get it spot on.
The last thing that we've done is we have a threat model... I'm sorry, a pentest, and we pick any one of the open-source tools that are out there. We rotate them, and we simply do the same thing we do with the threat model, where we say, okay, we want you to find as many vulnerabilities as you can, propose a suggested remediation and criticality, and stack-rank them. You would be surprised with some of these how quickly this surfaces the pros from the Joes.
The other thing that I will point out in here, I do have a scoring and a wrapping up, but the big thing that I think is very important is identifying suitable candidates. What you're looking for is someone who is both technical and EQ. And so you want people who have conference experience, meetup experience, volunteer positions, you know, people who have a social media presence, people who have written publications, people who have professional experience at conferences. When you start to put that filtering mechanism against your pool of candidates, it goes down real fast. And that's not raising the bar. That's simply looking for people who have a broad range of experience. So, jumping back to our presentation
here, doing good on time. Okay. So, to recap, for interviewers: post-pandemic, many more meetings are virtual. The interviews can and should be about IQ and EQ. Cross-team collaboration is critical. This is what we look for. You want to invest in your interview process. If you take the time up front, it's going to pay off dividends in the end. And I have numbers to prove that at the end. Be creative. Really envision who the person is that you want to hire, and then literally filter out the rest. For the candidates: technical skills are only half of the solution here. Demonstrate your soft skills. This is what's going to rise you above. Volunteer at conferences and industry orgs. Develop presentations for conference talks. Get involved with blogs, videos, code repos. This one is a big one: find a mentor. I can recommend lots of them. Just real quick, show of hands. How many people in this room know of a mentor that they can recommend right now? Okay, cool. There are people in this room who can recommend a mentor if you don't have one. Please reach out to me or one of the folks who raised your hand. They can definitely offer this. AI is a tool, not the tool. So make sure that you know when you review what gets put out there. Vocalize your curiosity. This is a big one. Ask questions during the interview. This is one of those ones I wish more interviewees would do. It's as much of an opportunity for you to interview us as it is for us to interview you.
One more thing, and this literally happened last week. I was so excited to be able to show this slide to you. We just finalized our hire last week with version two of the kit that we just had. And I have metrics. Okay. So, what did we accomplish? We reduced our hire time by two thirds, start to finish. This took us two months instead of six months. We reduced our candidate pool by 5x, which means only about 20 candidates or less went through this process. And this wasn't 20 people that got recommended to us. This was finding that pool down to those 20 folks and working our way through it. We hired an amazing candidate who met all of our needs. We received at least half a dozen compliments from candidates specifically about this process. So if you're doing your math, 6 - 1 is 5. So at least five folks who still wrote back to us and said, "Hey, I really enjoyed this process. It was comfortable. I learned a lot." So for us, the next stop is to roll this out to other teams.
There's the GitLab repo. The QR code works, the sticker works, the URL works, or if you want to go straight to the GitLab, you can reach it there. These are the links used in the presentation. I just put them on another slide so you all could see it. And of course one more. There we go. Okay, cool. Most important one, this is how you contact me. So, one last thing I'll offer up. It's been there for a while, but I think it's so fun. If you happen to be a fan of Zork, and you happen to be a fan of The IT Crowd, and you happen to like JavaScript, because who doesn't? I created a little game on my website. When you solve the first challenge, it's going to look like this, and you'll see a little terminal that will pop up. There's going to be a command in there called Elfenheart. For those of you who are IT Crowd fans, yes, it is. And I worked real darn hard to make sure it was true to the episode. So, you will have fun with that.
Last but not least, I need to say this. Thank you so much to all these people who helped make this happen. This was not just my effort. This was, you know, Ricky, Kelly, Tibo, Darius Swain, Ian Young, Idris Olawash, Silus Owal, Peter Shahu, Peter Segmire, Harrison Richardson, Sosan Win. Thank you all to these people for helping make this. This was months in the works. So with that, thank you. I appreciate your time.
>> Yes, I can. And I'm
speak right into that. >> I'll move it around. I really want >> I just I just I've avoided saying so many inappropriate things today, but I'm just going to >> Let's start it off, right? >> Start it off right. >> No, I can't. I can't. I'm not going to do it. >> It's besides black. >> But it's all on that. Definitely not. All right. How many minutes do I have? >> Right on the dot. Right on the dot. >> All the minutes are gone. Okay. Okay. Welcome back to Higher Ground. Don't forget we have the world famous recruiter and bonus hiring manager panel at four o'clock today. Hacker Tracker is wrong. The site is wrong. That's okay.
It's a hacker conference. And then we have a networking social from 5 to 7. And without further ado, the very prestigious, >> okay, >> Route to CISO or Sizo, depending on how you pronounce it. It's a debate or not, moderated by the one and only. >> It's not a debate. >> Chris, Chris Rides and oh my god, Jake and Ray. >> Yes. >> Yes. >> Well done. >> [ __ ] nailed it. >> Yeah. Well done. >> Proud of you. >> Thank you, Kirsten. [Laughter] >> We were just discussing that. So, there was a reason behind it. Thank you everybody for joining us today. Let's do this. Here's some nice pictures of us, some things we do. We'll do the
introductions in a second. First thing I will say is that we've got 30 minutes. We'll probably try and get through this quite a lot because I I think the Q&A part is the most favorite part for anybody that does a panel, I feel, and that's the way you guys get your actual real questions answered. Um, but if you want to know more about both of these, uh, they were both panelists, sorry, both guests on my podcast, which is called the Route to CISO podcast. So, um, >> Chris, can we just do live Q&A? Like people can put their hands up and ask wherever they want. >> I mean, we could do just change. >> Yeah, ask wherever they want. Whenever.
>> You really want to do that? >> Yeah. Yeah, 100%. >> Wow. Okay. Wait. >> Oh, yeah. Well, >> you want a mic runner or do you want >> Yeah, that'd be great. No, get Let's get Let's get a mic. Oh, whatever. I don't care. >> Whoa. We are going off script with this. >> We never started on the script. It's fine. Yeah, that's fine. We didn't really have a script anyway, so that that was good. Um, so just a little bit about me. Uh, I'm Chris Rides. I'm the CEO and founder of Tyro Security. We're a cyber security staffing and professional services firm. Uh, started out of LA and we're actually I'm based here in Vegas or Henderson, I should
say. So, it wasn't very far for me to get here today. Been involved with BSides for a long time. I think this is probably my seventh or eighth year speaking here. Um, I speak at a whole bunch of other places. I've spoken at DEF CON, RSA four times, InfoSec World, uh ISC2's Security Congress. I'll be at both of those later on this year speaking as well. So hope to see anybody there. Uh very involved with the community, one of the founders of the SoCal chapter of the Cloud Security Alliance and I sit on a few boards, the National Cybersecurity Training and Education Center. I lead the industry advisory board. I'm on UNLV's board here. Uh, also Washington Cyber Security
Center of Excellence. Uh, so that's me. Yeah, very involved with a lot of stuff. My background is recruiting. Been doing it for 25 years. Uh, and I know a bunch of CISOs and they're usually kind enough to chat to me about their careers. So that's it. Uh, Ray, over to you, mate. >> All right. Hello everybody. I'm Ray Espinosa. I'm VP of information security at Elite Technology. Um, I had the honor and privilege of being on Chris's podcast and shared a little bit about uh, my journey, but it was more of the technical journey route into security and then working my way up uh, to a CISO level role multiple times and then stepping sideways to a different type of
role as a technical program manager and then back to a CISO role. Um, so excited to share a little bit of that journey here. Um, hopefully can add some sort of value. >> Uh Jake Bernardes. I'm the CISO at Anecdotes and a multiple time CISO as well. Do a lot of advisory work at startups, a lot of design partner work particularly in the Israeli ecosystem as well as a lot of the VCs as well. I've got a fairly standard background. I came up as a hacker. I was terrible at web app testing, even worse at infra testing, but it worked out after a while. I was quite good at social engineering and breaking into things. Um so that's how I
actually got my first CISO job. I literally stole someone's backpack from a Starbucks, tailgated into a building, sat down at the CEO's desk, and went, "You've got a problem." Um, I got hired. So, >> I'm the problem to being a CISO, but apparently it's not a long technical road. It's just you just have to be a thief. But, um, yeah. Cool. >> Okay. I'm not saying that that is something that anybody should do here, right? So, uh, there we go. Well, we I was going to we we were going to sort of talk a bit about our careers and and or their careers and and how they got it. I think it would be good for them to have
a little bit of a background of of the journey, and then really, yeah, I mean, if people want to dive in with questions at any point, just put your hand up, come and ask a question. You've got two multiple time CISOs here. If you want to be a CISO, or if you're thinking about it, or you don't even know whether you want to be a CISO yet, then these are the people to ask. So uh Jake, do you want to just give a bit of an overview of you know you you've given a a pretty brief overview already, but give a little bit more detail maybe on that and you know anything that these guys would find interesting.
>> Yeah. Oh, I haven't even started yet. His hand went up. Go ahead. What are you gonna ask? >> I've got a question for you. >> Wait, let's get the microphone. >> She's running. >> Can't get the employees nowadays. >> Still didn't work. >> Just shout loudly. I'll repeat it for you. >> We got to get it recorded. >> Hello. >> Yeah. Go on. >> Can you guys hear Yeah, you got it. >> All right. In your roles moving up to CISO, there's lots of times where you don't have the money to do much more for your SOC staff or whatever. What were things that you did on the way up? You've kept the the little cherished
nuggets that I can do this to help my support staff without costing a tremendous amount of money. >> Um, great question. Should >> I go? >> Sure. >> I've got two lessons I've learned as a CISO. Uh, one is don't piss off engineering. Um, so like your best friend is your CTO and your next best friends are your SREs and your next best friends are your devs because they're the people who can either like completely railroad and destroy your program because they don't want to do any like vulnerability management whatsoever or they can just start building crap really fast and causing even more problems for you. Make friends with them and make them your allies. If
like you build security culture, you build it inside of the engineering team. That's the only bit that really matters. Like that's where it works. Um, the second is design partnering. It's like I've spent my entire career being very open to any conversation that any founder reaches out to me on LinkedIn and it happens a lot multiple times probably a week. Um, and I'll look at anyone's product and give them my time. The reason partly is because I kind of believe in pay it forward. I'll look and say this is a terrible idea. Most of the time it's usually actually it's a great idea but like you don't know what your USP is. You don't know how to sell
yourself. But we have been in the first 10 customers of multiple now significantly exited businesses uh by being early doors and that meant that we had grandfathered deals like I I was paying Wiz like 10 grand as an example. So I think yeah I think that's the one right get in early look at other people's work share your expertise and in doing so take their products for free then you don't have the cash flow problem. >> Okay so um I'll echo on some of that. I think having been at multiple startups a lot of times you have to be crafty. I think the first thing is to help your team understand what's the landscape and what are we dealing with
and being honest with them first and foremost and trying to find ways to add value to them and their day job. Uh but if you're trying to solve problems like in the SOC or other things you know as you mentioned finding startups and design partnerships or finding ways that you can be mutually beneficial I think are hugely valuable in a way to solve a security problem while also leaning into the ecosystem and driving overall change. um building relationships uh trying to get crafty with solving problems. There may be times where I was able to work with technology and development teams to create some tooling that we needed to solve a security problem which meant I needed to better
evangelize what the problem was that we were trying to solve. So I think it's it's a ton of PR and building relationships internal and external that can really make the dollar stretch a little further. >> I I want to add something actually as well. I'm talking from a recruiter's point of view. So, I see why people stay at companies. I see why they leave companies. Um, and I think in terms of getting more without being able to just throw the money. Most companies can't just throw more and more money at people. Um, the really key things that I I think make a difference is um having a really great mission, right? A lot of companies and and teams um keep their
staff because their staff believe in the mission um and want to work and want to move forward. and if they have to get paid slightly less than someone somewhere else because they believe in the mission, they'll still stay there. So, that's one thing. Um, and I guess that kind of also feeds into um feeds into sort of them feeling part of the team is like making sure you listen to them. People want to make a difference at a company. Um, and the best thing that I think CISOs and leaders can do is like engage their staff, listen to what they're to their thoughts, ask them their opinions on some of the stuff you're doing, right? Can you bring them
in? If you're doing some POCs, can you bring those staff members in and get them involved so they feel like they're having an impact in your business and in the team? So, that's what I would add. >> There's one small point that I would add to that because you can be very pessimistic to be like, "Oh, this sucks." You know, we have no budget. We have all these problems. We can't do anything. A lot of times that negativity will breed negative feelings across the team. But helping them understand, I think Chris is spot on with finding ways to have them connect with the mission and what we're doing. And that was part of what I was trying to say, being
honest of where where we are as a business and what we can do and what we can't do. But um yeah, listen to them and being having them be a part of the ride is is huge. >> I I think we survived 11 minutes. So I'll break it by saying AI. But um like that's ch that it has changed the game in this respect. So like when I when my team come and say we need money for this, my first response at this point is can we just rep it and zap it? like do we do I need to buy a tool because there's multiple things in my stack right now that we just built. Like the
the the idea that it's completely natural language processing and you don't actually need any competencies in coding is complete BS. But like the reality is it's much easier than it used to be and you can build a lot of the tools on the market right now in security yourself. You can build integrations very quickly. You can do a lot of this stuff now in a way that you couldn't do before on a a headcount budget you couldn't have thought of before. So I think that's changed a lot as well in terms of budget constraints. >> Good stuff. Any other? Oh, yep. Another question here. >> I ruined this, Chris, right? I've actually love it. This is the best. I
love these. So, this is the best way to do it. >> Um, hi. This question is for Jake and Ray. And no offense, Chris, for people who are kind of more technical and you made your way into CISO role. >> Wow. Okay. All right. Thanks a lot. >> Unless I'm wrong. Unless I'm wrong. I'll see you later. Um so the question is uh and for the context I've moved from being a highly technical person now I've moved to become a security engineering manager for a while and I feel like I'm missing out on doing hands-on work. Um let's say from 100% now I've moved to like 50/50 and from looking up top looking at our
CISO I can see that that is going to translate into like not doing any technical work at all. Do you miss being part of teams that did like highly technical work? >> I'll start. So first I think it's completely dependent on the organization. I mean I've been at large enterprise companies uh and I've also been at startups and so I've been the CISO at publicly traded and startups as well. I I'm in a hands-on technical role and my company is probably mid to small enterprise. So I think it is absolutely um company dependent. You have the ability based off of the skills that you bring to add technical value. Uh there are times where you do need to think
strategically. You need to make sure that you're showing value above the team, you know, to uh the rest of your executive leadership team and the board, etc. But it's highly dependent on the organization. Like I'm still tactical and technical, but also strategic and with the board as well. So it's it's not just a oh you see them in sort of the ivory tower and they come out, you know, with the tablet says here's our strategy for the year. I don't know if that's a role that many CISOs have outside of maybe Fortune 100, but >> uh I think you've got the wrong people in the room as well on the panel. So both me and Ray come from technical
backgrounds. There's a lot of CISOs who come from kind of audit advisory backgrounds and I think they then create this persona of this completely non-technical CISO like it's not the reality in most people. Uh most of us crave and still find a way to be involved. So I I think point one is like you have the requirement to be the one thing I hate most as when I was coming up is like you'd have a CISO or a leader who just threw vulns over the wall and was like fix this. You're like context? Like exploitability? Like reality? Any of it? Like in the reality you have to understand the tech stack that you've got in your business. You have to
understand how the code is built. Like the same speaks to AI. When we talk about AI or CISOs and whether you're going to protect against it or allow it or shadow it, whatever it might be, right, you've got to understand what the hell you're talking about or else you lose credibility instantly. So there is a degree which says you have to grow up. Like you have to gain a new skill set. You have to become financially way more bilingual. You have to become capable of talking strategy. You have to become better at hiring and getting people in place who can do the stuff that you no longer have the time but maybe you do have the capability to do. So you have
to get a way in which you enjoy that and some people don't right if like if you want to stay deeply technical don't be a CISO like you're not you are going to lose some of your technical time like and you're not going to lose salary for it. I know guys who are deeply technical who get exactly the same pay as I do in the company. Um but that's staying in their lane of what they wanted to do and what they enjoy. So I think it's work out what you want to be and be that. But this concept that CISOs are not technical is certainly not true in most of the CISO rooms that I sit in. Most of
them can speak to their entire codebase can still hit like can still speak to it can still hit the command line and >> do whatever they used to be able to do. >> I'd say and I know it's not a question for me but >> yeah you didn't say you could answer. >> I love Yeah. didn't say I love the sound of my own voice. >> Don't assume that recruiters aren't technical either because Chris can speak tech. >> Yeah, I can speak tech. Thank you. Um, what I was going to add now and now I'll probably give a really bad answer and like, oh, what on earth that Chris bloke on about? Um, yeah. So, what I was going
to say is I've done a couple of things. So, I've so far interviewed 30 uh CISOs for my podcast, two seasons, 15 CISOs a season and about to start recording season 3. So, I've got a lot of data from that. But I also went out to over 500 CISOs two years ago. Um, and I asked them for the most important attributes that they felt they needed to be a CISO and I can promise you that being technical um, is absolutely one of the top. It was in the top five of the of the things you hear. So having that background, having the knowledge as these two have said to at
least be able to call [ __ ] on some of the stuff that's maybe going on, right? Um, but also to be able to help people and maybe guide them a little bit more. So you will always have that but you are right the big as the companies get bigger as Ray said you get further and further away from being technical and you end up being a much more strategic. The ones that I know tend to be like if they still love their tech stuff they're still playing with it in the little bit of time that they've got at home. Right. But anyway, there you go. Any other questions? Yeah. Well, good. Look, we are definitely going to get through this
with with just quick Q&A. This is lovely. >> See, I had a plan. >> You did. I love it, Jake. I want to do these always like this. This is great. >> Um, so on the other side of the skill set, like what skill sets have you built or grown since becoming CISOs? And what are ways that people maybe communicate with you differently now that you're a CISO and not in a technical security role? >> Yeah. Um, communication. I didn't used to wear knitted polo shirts. So like communication and presentation definitely change. um you have to kind of grow and mature a little bit when you sit in a lot of the especially in the
VCs a lot of the time um you have to kind of fit in. So I think there's a way of speaking you have to learn to translate tech and security to non- tech and security people. You have to learn very competently and acutely to speak about risk um in a way that people understand and get. I think you have to understand finance. Like the the best thing I've learned is you have to really understand accounting. Like if you want to the guy at the front, if you want budget, you need to understand how to explain what the cost implications of not doing your ARM. And then strategically as well, you have to think outside the box. And I
think that if you sit in executive team, I'm sure they'll agree CISO is your title, but it's not your job. Your job is to help the business grow and develop. So you've got to develop skill sets around understanding go to market about understanding product design and development around understanding finance around understanding CS and relationships like support you have to understand this because in the end like I sit in a room of eight or nine people between us it's our responsibility to make the business grow um and they will contribute to my world I will contribute to theirs so you kind of have to develop this way broader understanding and skill set if that makes sense
>> it's a perfect answer I mean he was checking off things on my Nice. Yeah. Good. Yeah. I think the um the stuff that I would say I've seen because again, you know, I'm not a CISO, right? I'm a recruiter here. But um I think the things the big difference I see with a lot of CISOs is like building and growing their business knowledge. And actually, I think that's something you got, you know, you all could do from the start of your career. you know, understand what's going on in the company, read stock market reports, you know, try and get an understanding of that because you will be able to build and you not only a better career path,
but also your your pro your program and your reputation within the business um very quickly understanding why the business needs the security, right? And if you can sell those two things together, your program will be more successful anyway. So that's that's probably the number one attribute that I saw come out of top CISOs is their real understanding of the business. And um I I'll give you one example of of a from a CISO that um she she was on a panel of mine in Houston and uh she told me about something she does which I thought was amazing. And for her to to bring stakeholders to the table, she has individual meetings, right? Everybody does that. That's fine. But she sat down
and she asked them, "What is, you know, what what are you bonused on? How do you achieve your bonus?" Because if I can create my security program in a way that helps you achieve your bonus, because she knows the bonus is tied into what their bosses want is tied into what the company wants. If I can tie those things in together, I'll have a successful program. You'll be happy and you'll do, you know, you'll talk to me and want to be part of the security um goals that I've got. and the business will be happy. So, I thought that was really interesting. She's the only person that's ever told me that and um and I
think I've spoken to a lot of CISOs about it and a lot of them have been like that's a great idea. You know, a lot of them haven't had that conversation before. So, who else had questions? Just as I say go to the nearest one first might be. >> So, thank you for your uh for your time. uh apart from the uh experience, which education uh like >> could you move the mic a little bit closer to you because I can't perfect better yeah thanks >> which um apart from the uh experience uh which kind of uh education, bachelor's, master's and certifications, uh do you recommend to become a >> okay good question So that was um
certifications and education. >> Yeah, I'm glad this is being recorded. Certifications are BS. >> They are absolute nonsense. Like a CISSP means you can memorize crap. Like it means nothing. I've I've interviewed plenty of candidates for jobs who had every letter possible and knew nothing about the job I was interviewing them for. So like build actual knowledge. Like there's two types of actual knowledge. Whether it's Pluralsight, whatever other platform you've got, go and listen to people who actually educate you about like how cloud security architecture works, about like how AI security looks, about how AI functions full stop inside of like a SaaS product. Learn about actual technology in a way whichever works for you best,
right? Maybe that is watching videos, maybe it's labs, maybe it's hands-on yourself, I don't know, it depends how you are as a learner. Then whatever that first method was, get hands on and do stuff. Because I can tell you that whenever I hire, my first question is going to be like, "Show me you can do this." Whether it's a Hack The Box or whether it's like standing something up or whether it's like explaining what I'm showing you in code, like I'm going to challenge you. Like the letters mean nothing to me. And I can tell you that 95% of CISOs will agree with me. And they won't hire based on the letters after your name. They'll hire based on what you can
demonstrate you've learned, why you learned it, and how you can apply it. Uh, and that is a skill set that you can't get doing six-hour pointless exams on machines. Um, I would say it's a it's a bit of a bonus to a degree, right? Like going through it, you may be able to learn a few things that you can apply. And I think it's awesome. Like if you are going to invest your time to learn new some new skills, um it can be beneficial especially for your resume to have it. Completely agree with Jake. You have to be able to demonstrate that you actually understand what it means. But if you're searching and just trying to develop in
new ways, you're going to learn new skills. You either have the ability to apply it and learn it in your job or you need to find ways to seek some of it out to get yourself ready to go. So I think they have utility. They are not the if you have them then you get hired piece. Um you know like I didn't graduate from college and so I had to learn a lot about business. And my like initial, my first CISO level role, I was a CISO at Proofpoint. Absolutely was not ready. I came more so thinking about it from like a security operations point of view and you know I fell on my face
after the first six months or so because I couldn't articulate to the business. I didn't understand how to make the business successful and minimize risk and how to speak about it. So I had to learn those skills along the way and so you can develop those in the classroom, you can develop those in your in your job. So I think having those skills and understanding what the business needs and how you can enable them to succeed is the most important. Like I still don't have a college degree and that hasn't stopped me from you know finding the success that I have in my career. It's not a path that maybe I would tell my kids to continue to follow
and hopefully get to the same spot but it's you know it's not impossible. So they have utility. >> Yeah. I think um I'd add again from a recruiter's point of view, you know, when we're looking at what clients require, of course, we'll see certifications in job descriptions. Um but the truth is at this point they're never an essential. Um and nobody's ever been got rid of and rejected out of a job because uh they they didn't have a certain certification. Occasionally, we get clients that still expect degrees. Um, but it is very rare even even for that. Especially if we're talking about experienced people here getting into the into the role and applying for jobs,
your experience generally will count more than a degree. Um, I would say if you want to spend your money on certifications or or more education, great. Good. Good for you. Um, do it because you're interested in whatever the subject is. So if you're going to like if you're asking like which certification should I pick, pick the one that you're interested in, >> right? or the one that maybe you can utilize in your role so you can turn it from sort of I know a bit about this to actually I've implemented it and and and I know how it works. So that would be my p piece of advice. I mean >> spot on >> like we talk about me not I've been in
the industry since 2012 just in cyber security and and as a recruiter right I you're right I'm not going to sit there at a computer and be able to do a lot of this technical stuff. Um, but I did my this the ISC2 CC. Um, I did went and did that because I thought it'd be interesting to pass it. I passed it first time. I I get 60 70% on the CISSP exams. So, I mean, I don't know what that tells you about about that stuff, but I'm not going to be able to sit down and and do the work, right? And yet, I can still get that stuff done. So, it's it's interesting. I think, you know, do
the stuff that you're interested in. Do the stuff and be able to speak about it. Nothing worse than having a certification and then when somebody asks you what did you learn? How have you used that? And you just say well I passed it. So more questions.
Uh so obviously everyone's situation is different but do you find that it's easier to make the transition from like a technical individual contributor role to a leadership role by you know internally or by looking for a change you know an open role in another organization and you know either way like do you have advice for the best way to sell yourself that you're ready for this kind a different type of responsibility. >> I definitely got the answers the answers to some of that, but you guys have the actually experience of doing it. So, Ray, do you want to talk through your career? >> Sure. So, I'll say it really depends on the company that you're at. If there's
if you built enough goodwill and enough trust, sometimes you'll have the opportunity to step into a new role because people trust you. You're just somebody who gets stuff done and they'll teach you on the fly. Like my first role in security was at eBay after seven years of being in operations on the technical side as a Windows Unix admin and then a a manager. They're like, "Hey, come and build incident response for us because you have the relationships. You know how to run a sev. Um we'll teach you all the security stuff that you want." And so they were willing based off of my reputation to give me that opportunity to be able to do that. You may be at an organization
where it's just not there. there's either a glass ceiling that you're already hitting and you look for other opportunities and you're really trying to sell the attitude, the mindset, the experience that you do have and why it's applicable for this new role. So, it's tough to say like one is more than the other because I think it really does depend on what your overall situation is. But, you know, sort of golden rule of thumb for me that I tell lots of folks is treat people well and kick ass at your job. And and if you do those things, many times those opportunities may find you or you're willing to seek them out and have enough goodwill and
trust to be able to have a conversation about why it might work. >> Yeah, I think I think Ray's point on treat people well and kind of just be a good human is a great one. I think you recognize very quickly if the person you work for wants to actually advance your career or not. Like I I've said a lot in public places on LinkedIn a lot that like my proudest moments are where the people that I've trained or have been employees of mine have gone on to become CISOs and are sitting in the same communities at the same tables as me. Like that's the greatest achievement I've made is watching those things happen. And I
think if you identify very quickly if that's your boss, great. Like that's the person who will guide you and either give you the opportunity in the org or will help you find it somewhere else. If it's not, then get out. Um, but I think the the one thing I would add is you mentioned about like self-selling. The best skill set you can learn at all like to advance your own career and be a leader is storytelling. Like you have to learn to be able to say like what you're good at. Articulate why that's relevant and tell it in a convincing, approachable, like consumable way. Like there's the other thing I think I' I'd say one more thing
and I'll give back to Chris is like we have this obsession right now in this culture in this time that like you should find your flaws and improve them. Like I think that's BS. Like work out what you're good at and double down on what you're good at. Like I know what I'm good at. Like I'm really good as a startup scaleup CISO building security making it better getting a point to a near exit and going into it and again because I hate I hate enterprises. I couldn't have done what Ray does, right? I couldn't have been those. I'm not built for kind of the blue tape and the governance. So, I I think find out what
it is, whatever it is that you're really good at. Make sure you're the damn best at that. Find out if your boss wants to accelerate your path from being damn good at that. And if they don't, then go and find someone who will. >> Yeah. Yeah. If I look across um when I look across sort of multiple roles that we fill, I I'll say a few things. First off, in the current market, it is extremely difficult for you to get the promotion by applying for a new job because there's a lot of people that you're your competition are people that have maybe been let go, you know, laid off that have already done the job at
somewhere else and are making a lateral move. Some of them even making um, you know, moves dropping down from from stuff they've done previously. you know, we've got a we got director of cyber security role that's reporting into a CISO and um I've got a hell of a lot of CISOs that are reaching out um and they might be some of them might have reasons for why they would want to do that, you know. Um but some of them are kind of forced because they're not working currently. So, it is tough. The best and easiest route is getting a promotion internally. Um and being able to do everything that these these guys have told you will really help you with that.
But there'll be a point where at some point maybe the person above you just is never going to move, right? That you know the only way they're going out of that job is in a box. So, so at that point you either got to try and create a position and a leadership position in some other way there or you've got to go elsewhere. So, >> or you could reach out to Chris on LinkedIn. >> You can of course >> that is his job. >> That is my Yeah, that is that is what I do. So, >> hi. Thanks for doing this. Um, just a question. What are your favorite sort of generic KPIs? Ones you find really
creative ones that you might have came up on your own for upwards reporting. >> Um, so it's only really in the last year or so I I to your point about budgets earlier, I put a budget up. Um, my CEO looked at me and went, "That's nice." Like why are we buying any of these things? And it made me rethink about how we actually define and design security programs. And I went back to going well actually let's look at all of the risks in my risk register. Let's look at every tool I've got right now, every headcount I've got, every consultant, every program and align it to the specific risks that I think that's reducing or
mitigating. Let's look at what remains and then let's look at what those percentages I think are likelihood or or impact and what I can reduce by doing something. So like my first KPI which is not really a ground to your question is that you have to talk in risk. I think that that's the fundamental one. You have to be able to say here's the risk that we have. Here's how much I've reduced that risk portfolio. Here's what remains and here's what it would cost to bring it down X% or to remove it entirely. That that's number one. Number two I'd say is ROI. Like I think we've been saying security for long enough that we're not a cost center but still
CISO struggle to show that. like the ROI that I hear in boardrooms. I advise in a lot of boardrooms and the the CISA will stand up and go well this is the cost of a breach. So that's how much I should get to spend. I'm like that's a hypothetical tragedy. Like you can't build on that. Like you go into a sunglasses company like a Maui gym or someone I need to tell them you can sell X more pairs of sunglasses because of the dollars I'm going to spend. So you've got that's the next KPI is what's your ROI on your security program. So you've got risk, you've got ROI and security program. Then for me right now
I go to human security. That's my third and I think the one that's most relevant. Not internal fishing like simulation crap about gold mines in Africa. Like not about like training scores but like actually measuring in some way how competent your internal employees are in defending the business whether you want to start hacking them yourselves whether you want to use some kind of automated tool whether you want to whatever you want to do to measure them. Um produce metrics around that. So those are my three. It would be risk, it would be ROI, it would be humans or people security. >> So I I would say definitely those three. One of the things that I learned in uh
in like my second or third time being a CISO is how to sell, how security is impacting sales. And that's um positive as well as negative. Anytime that we have a uh a close lost for an opportunity because we didn't have a certification, we didn't meet their security bar. return from procurement perspective. I was able to tie that back to how do we help the business win overall as a whole as well as the opposite if we've invested in in certifications or we've invested in additional diligence that we had to provide. That's a net positive for the business that security program uh is adding that's tough to uh it's tough to talk about if you don't necessarily have
that there. Um the only other thing I would add to that is you know when I've been at startups or early stages many times I'm selling security maturity. We didn't have these capabilities before. we didn't have the ability to respond or address these specific risks and now we do. And so this is what the roadmap is going to look like on our path towards maturity as a whole. But that that only gets you so far. That's like one indicator along with still how do you help sales win and then how do you drive down risk for the organization and then how do you spell ROI like critical >> stuff more questions? >> Yeah, that was an awesome awesome question.
whoever asked that, that was really really good. So, I just have uh my my question isn't so much on the trajectory of how you become a a CISO. Mine is, and you kind of just answered it in a weird way, but mine is around how much influence you have in that position to enact certain, you know, technologies, processes, and how do you go about learning of the things