
good morning good evening and good afternoon to wherever you are watching this from uh my name is Peter Jones I am one of the directors at BSides Exeter uh one of many community-driven events as part of the wider international BSides family uh Exeter being the first one for us um this year in July um welcome to the keynote that never happened uh about becoming a better security engineer I'm not going to steal Stuart's thunder because he's all ready to do the introduction we are recording this section uh and there is also going to be an option for Q&A so in Teams you've got a feature for adding questions throughout the talk and Adam and Liam will be the hostess with the
mostest going through the questions to ask Kane at the end of the talk um this year's event was beyond our wildest dreams um it was the focus about bringing the cyber community together from Cornwall Devon Somerset and to Dorset and to the wider cyber community we met lots of amazing people and on the day was incredibly busy we've also got a very busy Discord server which is running 365 so please come and join it it's getting busier every day uh big shout out and probably the last shout out we'll end up doing uh to our 2024 sponsors uh without you this event was never going to be possible uh we do have our 2025 guide ready and you
all you got to do is got sponsorship bsidesexeter.co.uk so without further ado off to you Stuart

no worries thank you very much so yeah I'm Stuart one of the other directors at BSides um and it is my absolute pleasure to introduce um Kane he's a good friend of mine uh from Devon he's lived all over the world including Australia Canada and is now currently all the way over in New Zealand uh he traveled over for BSides Exeter this year um all the way over from New Zealand literally to wake up on the day not being able to speak so that was a real shame but uh very glad that we can have
this uh keynote afterwards so Kane's been in the industry for over a decade now with a starting off in digital forensics um worked in places like the Serious Fraud Office and has worked for huge companies like uh Atlassian Shopify and is currently the head of enterprise security at Canva um and well over those years Kane his favorite topic and built quite a reputation about it is uh zero trust security um he's super knowledgeable in the area so if you ever want to speak to him about it I'm sure he'll love to do that um so yeah um without further ado I'll pass it over to Kane he's here today to tell us about how to be a better security engineer so
Kane over to you

sure thing you're stealing some of my thunder here we'll be we'll be talking about some of this stuff as we go but just let me share my screen should all be able to see that hopefully and then I will dive into it so um yeah this is a bit of an esoteric talk but um you find a lot of career talks are about getting into security or getting into your first management position and they often propose the sort of very typical career path as a ladder or a set of stairs you know where you're kind of always on the up but that's not really how real life works and you'll you'll hear the term like
career jungle gym thrown around a lot I find in 2024 people move around and do stuff and so this talk is maybe how to embrace that or how to better embrace the jungle gym and so basically we're going to be talking about a little bit around the security industry um first of all just to understand um what we do because often we don't reflect at this second we're going to be looking at what I'm going to be calling multiclassing and yes there's going to be a lot of Dungeons and Dragons references in this and then I'm going to be talking about some guidance on like I say how how you can better embrace that model so uh I'll do a quick
introduction as uh as Stu said this talk was supposed to be in person and um woke up on the day with the flu couldn't speak for more than five minutes um and so I I think I've learned my lesson in that if I'm going to do talks do them literally the day after you arrive don't wait a few days uh because uh it's pretty pretty gnarly out there in 2024 uh but yeah as as Stu kind of talked about like I've I've moved around a lot I lived uh in EXO um for about the first oh 18 years of my life and so um it was very exciting to come back even if I didn't have as much time to spend there
as I wanted um but since then I've been in a decent few roles decent few companies and we'll be diving into a little bit about my story and a few other people's as well um as we go now uh before we start a lot of people have this uh this vision of New Zealand is like exotic landscapes and mountainous backgrounds and you know rainforests and that kind of stuff and don't get me wrong it is like if if you go to the South Island you'll you'll get views like this um like this is marous sounds um down in the very south sort of southwest side of the island but uh growing up in Devon you you kind of just
see sheep and hills to be honest and um my friends especially Stu like to make fun of me uh these days because I moved to the North Island of New Zealand which actually just looks like this so I pretty much moved to the other side of the world to um get the exact same view if not with a few more sheep this time and uh I do think it's funny because uh you know J.R.R. Tolkien based most of Lord of the Rings around the English countryside so of course when they go to film the movies they filmed it in the North Island in New Zealand as as you do and so with that over we'll be
talking about the security industry uh and this is probably something a lot of people don't um understand or don't reflect on but security is a horizontal and not a vertical what do I mean by that so um I've taken this from my good friend Ross in his blog um but security is across industry and so it's across technology it's across customer and it will look very different depending on each one of these verticals that you cross so if you do GRC for the UK government your job is going to be very quite different to uh like a German hospital you know or an American bank that kind of thing so different things you're going to care about there's
different ways you're going to approach it and there's going to just sort of be a different culture involved in that and so when you enter the security industry you'll see job posts like this second GRC manager D&R analyst that kind of thing and it leads you to believe as a new person like these are the paths this is what you do they're all the same you can easily move across all of them but when companies are hiring they're hiring not just for security the horizontal they're also hiring for the vertical too and so what they actually want is something like this uh they're looking for an incident responder with SaaS experience they're looking for an appsec
engineer with very specific language skills and so what this finds is that you'll you'll kind of find groups of security cultures you will find pentesters and consultancies tend to group together you'll find sort of security engineers at SaaS companies tend to stick together they all kind of move between the same companies and occasionally they might jump usually requires a bit of work on their part and so like I say when when companies are looking to hire they are looking for the best risk-free approach like it's kind of harsh to say it but it's reality they don't want to train people up they want someone who can go on day one if you could be that person
uh you're going to have a much better time than someone who needs to get into the role assuming that you're not a and so a great way to visualize this hiring uh is is with a chart on the x-axis we have security skills on the y-axis we have security specific knowledge and so I'm going to go through each quadrant I'm going to kind of talk about what a hire in that bracket would mean so the best hire for the role the perfect candidate is going to have strong security skills and they're going to have high industry knowledge um and so they're going to have worked in that area before and what you'll find is that um
candidates like this are rare um rarer in certain industries and technologies than others um you will find um ICS people quite hard to hire for like I find that's a more niche area in security doing hardware stuff you'll find appsec people who do Java um maybe a little bit easier you know and so most security teams are small and a handful of people and so like I said if if companies want to give themselves the best chance of success in the security program they want to hire these people and you will find that people in this bracket usually command higher salaries a little bit better perks because of this um because often there's multiple companies fighting over the same
candidates but depends on the industry really next is that people with strong security skills who have no or low domain knowledge and these people given the right connections given the right Insight given time to understand um can grow really well and I think you'll find yourself in this um category in your career at least once um if not in your first job in future ones too but I do think the worst mistake you can make if you're a security manager is thinking these people don't need coaching um I I find it's quite common um that you will find you know someone who's done security for the government going to a startup um like I very much did that
myself and you have to change your frame of thinking very fast um the same stuff will not fly and if you are rigidly following the rules you'll find yourself um sort of not really succeeding in your role um people with high domain knowledge but low security skills are usually career switchers so um it might be someone from IT it might be someone from procurement it might be an engineer uh and these people are great um like I've hired lots of people in this category over the years from other teams you bring them in and if you pair them with the previous two categories they can help bring domain knowledge to security knowledge so um pairing them with
someone in the bottom right quadrant here that we just talked about perfect like they'll learn off each other they'll give each other skills really great way to grow and uh the final one is people with neither which I mean hopefully it's a new career entrant but uh if if they're not maybe you've made the wrong hire or maybe you're just looking to to grow someone into a into a role very quickly but uh we'll see and so now we understand the industry I want to talk about what I call multiclassing so when I was coming up with this talk I was playing a lot of Baldur's Gate 3 and so for those of you who have never played a Dungeons and Dragons
game I'll give you a quick explanation of what multiclassing is in that context so uh in these games you pick a class like fighter like ranger like wizard and you have 20 levels to put in your class and only 20 so every level counts now if you put all 20 levels into fighter you're going to be a really strong fighter if you put all 20 levels into ranger you're going to be really strong with the bow and whatnot now if you multiclass you distribute them across different classes so in this case we have a fighter who's also capable with the bow maybe not the best but um you've only got 20 levels total so you got to make sacrifices
right so you're maybe not the strongest fighter not the strongest Ranger and so in theory multiclassing gives you more versatility but lowers your overall capacity in a given area so it means you're less likely to be a true specialist but and I've put a star there versatility can be a specialization um in the context of what I'm talking about like careers and roles and stuff um you want to be sort of the best fit for a role like the most interesting person in your Niche that kind of thing and so having this versatility can be a specialization if that's what people are looking for right and so I'd argue there's probably more demand for people
who can adapt than people who are locked into a specific domain but um you're thinking Kane what does this have to do with security and so let's apply it to our craft so with the physical version of this talk I was going to ask people to raise their hand and stuff don't worry not going to make you do anything in the Q&A or anything but uh I want to give a few examples so I figured with the uh Liam spting his head up as well uh the the first example I'll start you off easy um we've got security engineer combined with a software engineer now do we think this is a good combo and this
has got my seal of approval yes um like a huge chunk of roles in security require coding skills the ability to build security software is a huge thing the ability to build paved roads which is like software that people want to use the building security into that is just really key in sort of modern day security being able to script up um sort of scripts for in sorry IR activities and things like that um a great boon to have and so do I recommend everyone learn to code no do I recommend it um for specific domains to increase your skills absolutely uh and not not to mention actually building security products right like who builds CrowdStrike who
builds SentinelOne who builds like all of these tools that we use on the day-to-day it's software engineers usually with a bit of security background so um you know if you want to get involved in the vendor space obviously a great way the next one uh is a goat farmer do we think a goat farmer is a good uh combination probably no so I've given this one my laughing goat of disapproval I mean like you can certainly try but I I feel like it's too niche right like it's too specialized how many people work like cyber security for uh goat farming companies maybe there's one out there if you're that person please message me on LinkedIn I'd
love to know what you do on a day-to-day but I find that more likely um you'd probably get special in ICS systems you might work in the agriculture sector they definitely hire a few people um and so you got to think realistically around what you're combining but if you do want a goat farm on your personal time all the power to you I'd love to do that to be honest so now now for a bit of a harder one um security engineer combined with a maritime specialist um very niche very very niche do we think it's a good thing surprisingly yes like this this led me down a rabbit hole when I was researching this but there are like you have uh NIST
and sort of certifications and stuff there is a maritime cyber baseline and a few countries have this basically what it is is it's it's an ICS certification but for like boat systems really and so um really interesting world and I'm going to dive into some people who do this later on um but yeah really interesting area if you want to look into it I do think the the summary here is that most people never multiclass this is the same in Dungeons and Dragons as it is in the corporate world um and the answer why is just it's complex there's no immediate benefit most of the time and it usually takes someone with a bit of a single
objective like you either don't know this exists you don't know these things are there or you just don't have the sort of knowledge to to get you there in the first place and so it's often no surprise that people don't do this because it is complicated and so I've said it's complex and so why would you do this and sort of what we talked about earlier is you're more likely to be the perfect candidate for a role and so some of these niche roles that might exist like the the cyber security for yachts um you know they're probably going to be in the realm of like a hundred to small hundreds of roles worldwide for
this but the people who are skilled in that area are probably going to find roles very quick but there's of course going to be some limitations that we'll talk about later I do think that a really interesting one is building empathy and understanding with the teams that you work with I'm going to talk a little bit around this in my personal journey but I commonly switch back between leading IT teams so IT engineering teams and security teams and often there's no better way to have empathy for your customers than to be your customer for a little while and so all that stuff that security people do vulnerability tickets and stuff like that um if you've
experienced it on the other side um you'll understand some of the pain points with it and then maybe you can go on and you can improve it and so next we'll be looking into some of the guidance I have around multiclassing how you can choose to take up the mantle and do it more effectively I think the first question you need to ask yourself is should you um like I said it's not for everyone it is complicated it may not make sense depending on your career goals so I'm going to try and dive into a little bit of um maybe recommendations so this isn't what I would call an exhaustive list but these are reasons you would so you have a
specific niche you enjoy and uh I might use this a couple times in the talk but I find it's a very common one um you'll find that people who work at companies like Tesla and Rocket Lab people are interested in space stuff are like really really passionate about it and so if you have a niche for that there's only going to be a few companies you can work with in the world and so getting skilled in that area and then sort of moving into it in cyber security or engineering or whatever um sort of area you're in it's going to give you more chance if you understand the sort of core thing of what the business
does the second is that you like money uh there's certain domains obviously pay more um I find finance is a great example of this uh and so again if you understand finance and you want to do security for finance companies you're just going to understand it better you're going to be able to spot things like insider threat fraud that kind of stuff a lot easier you're more likely going to get into those roles uh the third is you just want to give back like nonprofits healthcare very very common um like I did forensics myself and a very common um sort of reason for people getting into that is they they want to give back they want to
sort of help their community and that kind of thing number four is you just want to increase your resilience so it's been a pretty couple years depending on where you are in the world especially in the tech market um and so you know one of the things is like I said if you were a software engineer and security engineer you increase your amount of total available roles this is going to be more applicable for people in smaller places like in the UK or the US for example there's always tons and tons of jobs every field imaginable uh here in New Zealand there's like what five million people we we're smaller than London and so there's just not that
many jobs and so you know you might find yourself looking for a SOC analyst role and there's literally zero and so are you okay to wait for a while potentially could you also do something else um yeah maybe maybe that's something that you you want to do to increase that resilience and now on the opposite side of the spectrum we have reasons you shouldn't um so if you want to be a domain expert you want to be like the best in the world at forensics best in the world at um uh I don't know appsec then don't don't multiclass like just keep doing what you're doing I think the the difference here is that the time that you would
spend multiclassing you're going to be spending time researching you're going to be spending time writing blogs books um doing research all sorts of things right the the fact is that like you're still doing the work you're just doing it in a different area um the next is that you don't have capacity like work work is busy life is busy sometimes you just don't have the time to do more that's fine often find myself it kind of ebbs and flows on how much time I spend on this stuff um and the third is that you've already learned enough like you've already multiclassed you've already done something like I would maybe doubt this but again like there's only so much you
can do like you become a specialist in something after five to 10 years of working on it and so you're going to get diminishing returns after a point and the last one is you just don't need to just don't have a desire you kind of happy what you're doing and and that's fine so if you want to multiclass how do you get started and the first is the most extreme um it's probably one of the harder ones to do but it is the best and that is you just take a different role um so if ideally you would do this in your company um and I I'll get into a few of the reasons why in a bit but
again I'm going to use the software engineer example um if you're a security engineer you want to become a software engineer for a while maybe you can do a um a secondment maybe you could go over temporarily 3 months 12 months you can learn from the team and and come back with all that knowledge or maybe you just do it full-time for a year or two um maybe you go to a different company um really depends on what you're looking for um two is you can pick up related projects in your current role a lot of um security engineers um do other stuff right they um help in the procurement program they do a little bit of coding
to do some scripts and stuff like that it's harder because you often don't have someone to learn from and you don't have the dedicated time to make meaningful progress and so that's where three comes in um just doing it in your own time um I think there's always some sort of element of self-driven learning and so you know if you're going to do two maybe pair it with a little bit of three you'll probably get almost as good as if you were doing one these are my six tips for people who are interested in doing multiclassing I'm not going to go into all of them I think number two three and six are my
um sort of standouts so number two is look to see if there is an actual market for this in advance look for jobs um if you are geographically limited to one area you might be limited to all the jobs in that area so if you wanted to go work for Tesla and I don't know you uh live in Slough uh probably not um like you're probably going to have to move to Florida or something like that and so be realistic um and do your do your um sort of research first but I will say that um there is also growth you know so like if you did AI security 5 to 10 years ago
you might have found a role but they were they were probably pretty niche whereas today um you could probably find that role wherever you are as a remote job and so like people are so desperate for AI security engineers that um you know it's not hard to find these and so you may want to look for growth areas in the future when you're doing your market research not just how the market looks today but you are taking a little bit of a risk so that's number six which is take calculated risks like security engineers are a safe bunch we spend all day uh thinking about risk and so unsurprisingly we we don't like to take
risks but risk is a good thing like companies wouldn't exist if we didn't take risk you know you probably wouldn't uh have a house or you know take a mortgage all of that and so uh like risk is a good thing it's just calculated risk and everyone has their own um variable on what calculated means generally I say for security engineers be a bit more risky for everyone else maybe maybe calm it down don't deploy to prod um without security review please and so number three is leverage opportunities unique to you so um you might have a specific location like I said you might live in Florida so you might be great at working at Tesla that
kind of thing you might work at a healthcare company so you might be able to get into that um these are harder for other people easier for you definitely use what you can and so there's a few recommendations I have when it comes to multiclassing and how you do it so um I don't really think of my career as a bar chart but this was probably the best way I could visualize this to be honest um in the first example we have someone who has switched around done a year as an appsec engineer year as a software engineer etc etc is this good pattern no absolutely not the realistic thing is that um you want to get at least to a mid level
ideally a senior engineer first so if you're constantly jumping around that's fine if you're looking for like your calling or what you enjoy maybe you did these things you didn't enjoy them but if you are looking to multiclass generally isn't the best approach because you're not going to become really really good at appsec in a year you're probably going to take two to four years would be my recommendation you don't want to go too much um because that's a problem that we'll be talking about next you don't want to do too little either and the second example isn't a bad thing like you may find yourself in this um it's just more of a like something to be aware of which is
if you do 20 years as a SOC analyst and then you do a year as a software engineer and then maybe go back to being a SOC analyst again you probably didn't do enough software engineering but also you probably did too much time as a SOC analyst now maybe you just want to change and that's fine but on the next slide we'll be going back into that I think the ideal path is something like this so you get to a sort of mid-level to senior engineer you do four years in appsec go over you become a software engineer for a year or two you gain that experience you're already in appsec so you probably had a good idea of code maybe
you weren't coding on the day-to-day but now you're like really building those skills you're becoming a good coder you can build secure things from day one and then maybe you go back to being an appsec engineer and you start building those secure paved paths we were talking about start building software that people want to use with security built in and then AI comes along and so you go take a year of being an ML engineer you start building security into ML or you start building things in that realm in order to bring it back to security and so what this does is it sort of um helps you fix a problem which is that if you are a senior security
engineer if you're going external you're probably not going to be a senior developer you might be able to get a senior developer in your current company with like a lateral move if it's a big one but you're probably not going to be able to move diagonally or even laterally because you're probably going to be a much worse coder than you are a security engineer and so generally like I was saying you want to kind of hit this middle point where you're not too senior you don't want to get a principal appsec engineer because then you know you're probably going to go back down to a a base level coder a junior coder you're probably going to have to take a lot
less money unless you get very lucky but there are some skills that um synergize well where you might be able to move back and forth and I think appsec and stuff is one we'll be talking about some of those um synergies later but first I'm going to talk about finding your path so um how do we find the path that's right for you so uh there's a concept in games called fog of war um and the idea of this is that there's a big map um you haven't explored it so you can't see what's there so in this example I think this is Civ four or five I can't I can't remember which one but um you can only
see where you've been all the rest totally unknowable to you but you might have some idea of what's out there so in this case you know there's some cities about and um I'm going to apply this to uh a career uh and sort of what you're doing so let's say you get into security you know GRC exists start your thing you want to get into red teaming so first you start learning about red teaming and you realize you you probably need some IT skills so maybe you do a degree maybe you go into help desk maybe you get some network um sort of security skills and from there you leverage that to get into your red teaming role um you
stay there for a little while you get fairly senior at it but you decide you want to start this multiclassing thing and so maybe you go and become a security engineer uh sorry a software engineer so that you can build automated testing and this is actually how a lot of startups formed um a lot of the attack surface management um startups um totally started this way like people who got into pentesting maybe collaborated with coders or became coders themselves decided to build a startup based on
that um so um my career is taking me on a bit of an adventure as well so every few years I pretty much changed up what I'm doing as well I think all of these were things that I personally sought out there like a change I wanted to make and so like I started in digital forensics that's kind of my entry level role into security and IT and that kind of thing and um fun story actually Pete on the call um hired me into my first job so um we go back a long way but uh from there I decided that digital forensics was slow it was painful there was too much manual stuff that annoyed
me and so I became a software engineer focusing on digital forensic processes I wanted to improve the stuff that was going on um and especially when I worked at the Serious Fraud Office a lot of what we were dealing with was you know petabytes petabytes and petabytes of data that we needed to review and you you cannot review that manually and so a lot of what we did was fuzzy searching keyword searching that kind of stuff building tools to process data so that we could do that and from there I felt like I I wanted a bit of a change and so I went over to become an IT security engineer um over at Atlassian so I did that for a
year and I got promoted to manager and I did that and so I was using a lot of the skills that I built in digital forensics in that role anyway like a lot of it is hardware security it's securing laptops it's securing macOS Windows Chromebooks browsers um SaaS tools like all of this stuff that I've been seeing in years past and then I decided to make a pretty drastic flip so I've always been interested in IT actually um my my sort of first roles was sort of dabbling in sort of doing my own business running like IT companies and so I kind of went back to that almost and so I ran an IT
engineering team um like I say it was very much on the other side like there was a security team I partnered with so I've been in that role I kind of knew what they did but now I was uh responsible for maintaining the networks and making sure people get their laptops and building software that people want to use um in their day-to-day so it's very different from the security stuff and so you almost need to um keep security in mind but it's not your primary focus you know and I did that for a little while and then I went back to an IC IT security manager and kind of I'm using that experience that I I gained to to do
a little bit of everything to be honest it's like helping out our IT team here it's um sort of building the security stuff that I was doing before and so while it may be similar it's sort of coming at it from a different angle and so if we take all these skills that I've learned um in all of these roles this is where I think I kind of am today um like there's some things I'm good at there's some things I'm bad at like I was a developer so long ago that like all the coding I do is on my home automation setup like I don't I don't really code a lot in my day job today um
but you know I still have a lot of those IT skills because there was a synergy with them right like I was doing IT security then I was doing IT engineering and then back again doing very similar stuff and so um you know it's easier to move between those roles and what I found is over the years kind of my multiclassing journey I guess is taking me very much in the IT realm and I love sort of scale-up companies not startups not enterprises I find when I get to the enterprise stage I I get a little bit annoyed at processes and red tape like it reminds me of my government days a little bit too much and so I like
things that are fast moving but um I definitely like having a product that works and has customers it's like when you're going through SOC 2 and ISO and the company is starting to care about security like you're not the single engineer who is trying to do all this stuff themselves for the startup and so um I picked William here as an example as well um I reached out to him on LinkedIn um because he is in a very Niche role um like he started his early career as a sysadmin at like port and Maritime companies and so he liked what he was doing but he wanted to do more so he trained up as a pentester
in his personal time and then eventually he sort of Amalgamated these skills and now he's sort of the CEO of a security consultancy and a lot of what he does is that Maritime security stuff that we were talking about earlier so things like certifications for superyachts and stuff like that and so it's like a very weird set of skills where he was in the right industry doing the right things learning a bit on his own time when he sort of brought all of these things together to build his own business and and work on a very very Niche area which I think is super cool so I've got some final takeaways as we look at ending this talk um and that
was as I mentioned a few times get good at one thing first like Specialists get paid more you will do better if you do something for two to four years before you do anything else um so build up that reliable base use that to improve and avoid the temptation to like I said do too many things or not do one thing enough um again as we mentioned um some areas have better synergies than others AppSec development we've talked about it and Enterprise security loads of others too like if you want to work in cyber security sales um B2B marketing is what you need to get good at uh not many Tools in cyber security are customer-driven like
I am probably not buying many security tools maybe 1Password or LastPass or something like that but that's probably it so most sales happening in security companies is to other companies so that's what you got to get good at um and there's tons of others right um like you kind of need to make your own path as I said but there's also plenty of examples of paths more tread than others I would say and so these are kind of the ones that came to mind for me and do your research like I was saying like I think you you do really need to be realistic like I say you will have
your own set of constraints whether that's um location whether it's time whether it's um you know the opportunities that you can get um but you you can look at different areas and so there's always different things you can do um I would consider that if you do find yourself having blockers um you know consider like like I said maybe you really do want to work for space companies and there were loads of people who wanted to do that in Australia and that was nothing for many many years but now it's kind of a growth area they're starting to get more and more in O so um it's not impossible it's just unlikely in certain circumstances so it is
something to consider I would recommend just looking on LinkedIn for certain jobs honestly just reach out to people like people are so friendly um sometimes where you can just reach out and say hey I'm considering doing this do you think it's a good idea what's the experience and so definitely reaching out and getting insight and knowledge is is is a big win um and you do need to plan your path like if you just start doing stuff um you're going to find yourself getting too confused and I know a lot of Juniors that I've mentored over the years they get into security and they get into like their specific role as a grad and they
want to do AppSec and they want to do like red teaming and then they want to do pentesting and then they want to do Enterprise security they want to learn all the things but it doesn't make sense to quite frankly um unless you are going to go work at a startup as the single security engineer who's going to do everything it doesn't make sense to do all those things like you're you're not going to be better at your role it's not going to be something that's going to be super useful to you so you can do that if it interests you but it's not going to have any major benefit so something I would say is be flexible when you're
making your plan um you you might build a plan you might be following it for a while you might hate it you might find something that's better so uh as GRC people would say consider it a guideline rather than a standard and um like finding your Niche uh isn't a science it's a bit of an art and so um most of us probably don't have the skills or the time or the the real desire to to become like a top red teamer or something like that some of us might be able to become the best um I don't know red teamer who does crypto or has like a very specific niche and so you can sort of Leverage your your
skills to kind of Market yourself a little bit I do find that's becoming more and more um required in sort of like modern day job hunting and finally our last slide um growth happens faster when you leave your comfort zone everyone's going to have a different comfort zone but do know that like growth is hard like something I often tell my team is that like if you're struggling you're probably learning and so if it's too easy you're probably not learning fast enough you're not learning well enough but everyone's got their own um sort of preferences right like I would say my growth zone is pretty big uh like I don't I don't get stressed super easy
when I'm taking on a lot of work some people might have like a much smaller stress Zone it's a bit of a muscle I would say that you have to work and so it's something you can improve over time um and so don't feel discouraged um especially like you know a lot of people want to become red teamers pentesters they want to do offensive security especially when they're younger in their careers and the reality is there there's very few red team roles compared to everything else in security because the idea is that we want to prevent bad things happening we don't want to find them and then fix them afterwards and so it makes sense that security is a funnel
with more blue team and then smaller red team um that doesn't mean you shouldn't try it just means you if that's something you want you're probably going to have to put in the work and so I was a red teamer again for very very little period of time really I loved it most interesting job I had couldn't see myself doing it in the long run to be honest with you and so that's something that kind of I thought about was maybe a constraint for me so with that in mind that's pretty much it so thanks for coming everyone today like I say sorry I couldn't give this one in person but um uh super
enjoyable and I think I'll be giving this one a few more times as well so um thanks for coming
along um feel free if you've got any questions to chuck 'em in the Q&A although it looks like Liam might have uh a few for me now I was going to say we've been collecting a few and uh thank you so much for that talk Kane it was uh really insightful really interesting as as someone who has one foot in the kind of software development and one foot in the security world it was uh quite interesting to see all that stuff um so yeah we've got a a few uh questions if anyone has any more please use the Q&A button uh at the top to ask as we go through them and first one is uh is
there any benefit to trying to plot your career for a dream job or um or find how to link your skills in multi in multiclassing instead yeah that's a really great question um it's funny because I find that like I said you you you can plan for it and assuming you don't have any constraints like you know location family Etc um you can but you will find that it might change so like I find that when I was younger my dream job was to work at Google like anyone in Tech um and I actually interviewed there and got offered a role that I declined um because I found something else better along the way you know and so
for me I think the idea of a dream role can change so don't don't constrain yourself too much but I don't think it's a bad idea to to have one and so it's kind of a bit of a copout answer but it depends on you and it's not it's not a bad choice it's just don't don't be so M to it because I like I find the idea of a dream job kind of bad these days you know like uh it's kind of like I think the dream job for me is like the things I want to be working on the research I want to be doing the interesting stuff and so you know while my my dream job
may have been Google back then I think I've changed Google has changed these things have like diverted you know and so um that might happen yeah no that's a really good answer I think um like you said when you first go into the industry and you're young in your 20s you've you've got a lot of time you've got a lot of focus but as you get older you have different responsibilities and therefore your dream job may change you might prefer bit more of a work life balance or something instead and so the next uh the next question we've got is how do we use uh multiclassing to attract new people to the industry who are highly skilled
uh and also with transferable skills yeah um I used Dev as a very common example but um I think I I use it in in the example I'm going to give now so um like I said I've kind of Switched between IT and sort of IT security type roles and I've always hired people from our security team sorry from our IT team uh into the roles that I'm I'm working in and often it's people that I see who are commonly working on security incident tickets you know like we have a request to disable a laptop because of malware or something like that and it's always the same person who's in it because they're super interested and I
find those people are people you can like cultivate really well because they they're often looking for something new you know like they're looking to get into this and it's hard to get into security these days as a junior but like coming up through IT and maybe making a lateral move is a is a great plan and like I said very early on in those slides the people who don't maybe have great security experience but have great industry experience they're just such a great pair to put with new hires with security experience like they'll learn off each other even though they're both relatively Junior on your team perhaps they'll both sort of build each other's skills and so I find that's how you can
do it in your existing role um but I do I do think it's just a case of if you are a manager who is hiring don't um knock someone without security experience you know because I have seen software developers who are like so interested in security that they spend their spare time like fixing bugs in open source software and stuff you know and so people like that are very rare but incredible to work with so that's kind of an interesting point to leave that because the uh the next question is about um like people who work in security with development skills and how that works with communicating between those like dev and engineering teams in kind of your
experience or in your world do you find it's much easier to um to like push things to them or or do you think you get a lot more push back when you have less technical skills good question like I find having someone with Dev experience in the team helps because they're often a little bit more attuned to maybe what the dev teams feel um and so like I used vulnerability scanning as a great example you know like I I know a lot of companies just scan a bunch of stuff make a bunch of tickets developers go out and fix it and developers often push back going like why am I fixing this thing in a code
path that doesn't exist it's code we're going to delete in six months do I really need to fix it and like all of this stuff is things security Engineers might not be aware of and I'm not saying you need a perfect vulnerability scanning solution but it's stuff that um may not immediately clock in your brain when you're working on this stuff unless you have someone on the team who does it day-to-day and so it's great to have those people in the team and like I I do think that you can sort of use them as a first um first customer but don't get into the idea that they're like the only person you need to go to
like every Dev team is different so so don't be like oh yeah we talked to the dev in our team he said it'll be good uh and off you go you know okay um how kind of important are soft skills such as communication um especially and and kind of how you adapt it as well depending on who your audience is who you're talking to yeah um interesting one I find that probably most roles require a minimum bar when it comes to soft skills um it's something you can improve on but I do find it something people don't if that makes sense so it's much easier and more fun quite frankly to get better at your Craft um like you know you can
learn a new skill you can have that feedback that you've learned a new language or you know you've um done a new security certification it like gives you those endorphins and it it's very measurable it's very like easy to feel like you are progressing but when it comes to soft skills um it's really hard to know that you're improving um it's it's not as measurable and you have to keep doing it um like one of the things I do is conference talks for example and I don't do conference talks super often I maybe do three to five a year but I try and keep that up because if I just don't do it for a year those skills are
gone and then it's hard to get them back you know and so um like I say for most security roles you're going to require some soft skills um I would say that is a weakness of a a lot of security Engineers um just make sure you put the time in to improve it and sort of there might be roles where it's they're less applicable but I would say there isn't any where where there's none you know like even if you're a pentester working in a room on a product by yourself uh 24/7 you're probably still going to need to communicate your results to a customer or your manager and the better you do that um the better it is
really okay um so all those first questions were Anonymous but we've finally got somebody who wants to put the name to it so we've got uh Muhammad who first wants to thank you for talking to the Exeter students um so assume he's from the uni he says he uh he loves blockchain and wants to help secure it what role as an MSc in cyber security should you first get into oh yeah great question um I have a few friends who are into this area and so none of them came from a particularly dedicated path like some were AppSec some were Enterprise security um some were bit like even program managers and the likes um I think it's just one of those
cases where like I said like that is a great example of an industry vertical that you need to have some experience with because if you took a security engineer who knows nothing about crypto you put them in a crypto company they're probably going to need to do a lot of learning very quickly um probably the best though would be application security so I would do a security degree I would learn to code while I was doing that and I would learn secure coding those would be the skills that I would really focus down on additionally in your spare time I would learn a little bit about crypto functions stuff like that NFTs all of that business like there's so many areas
of crypto from like NFTs and gaming to sort of more blockchain database stuff to the more Finance aspects so um again like maybe just try and dabble a little bit of each um don't don't overwhelm yourself because it is a lot cool okay uh I think we're just on to the last question and it's from me actually um I just interested to see in kind of getting to your kind of like your career path in your say dream career how important do you think it is to kind of do that in public so what I mean is like how how much of a role do you think kind of social media LinkedIn like people going on podcasts doing
talks then writing blogs how much do you think that can benefit somebody especially when you know if you're going for like a job interview and and people look at that first can it be a big benefit yeah um uh Daniel Miessler I think if I'm pronouncing that correctly has a great blog on this it's called um uh let me see if I got it here um it's called how to build a cyber security career 2019 update I'll even chuck it in the chat for those of you who are oh no it's off uh maybe not uh but great um blog from him I think it was written first in like 2013 or something many many
many years ago um I think there's really two aspects to to getting a job or changing careers or getting into something new one is getting into the interview stage and two is getting through the interview right and so doing public stuff will help you get to the interview um and something I always tell students um is like write a blog or something and people often be like but no one's going to read it well trust me like if you put a link to it on your resume I will read it and uh one of the students I hired some years ago had a Blog really not really about security it was just um like they worked in AV and they liked to
reverse engineer all the props and stuff that they did and it was so interesting like it was hacker mindset like turned up to 11 you know like and it was really great to see that and it made me immediately want to go talk to that person and we hired them um pretty shortly after and so do you have to do it no is it going to make your life easier yes could that time also be spent on something better also yes and so really depends what you're doing like if you find you're consistently getting interviews into the roles that you want ah it's up to you if you enjoy it do it if you don't don't bother um but
like I say it can also be useful to move like I was saying like one of the big points I had in my talk was a security sorry a senior security engineer is not a senior developer like it's just not an equal thing however if you have GitHub where you are coding open source stuff or a Blog where you're writing about the things that you're building then maybe you are and so you're more likely to be able to do a lateral move if you talk about that stuff and so I I do encourage people to to sort of publish and and do public stuff even a little bit to give people an idea of kind of what you're
into cool that's a great answer uh we've actually had one more question sneak in uh before actually so we've got um krie who asks uh as a CISO an extremely multiclass including being a salesperson as well what do you think about the need for multiple experiences to climb the ladder um depends on what you want to do at the end of the day like if you do want to be a CISO or a CIO or something you're going to have to like um like you you will find cases of security Engineers who have joined startups and then have been the most tenured person and then they've gotten the role as the CISO and they do fairly well at it and I find
that those examples are rare because the person was given a chance um first of all they were given that slow time as the company grows to also grow with it and gain those skills um but more commonly you will find that people hire external and they need a lot of this stuff in the first place to like just as a minimum bar of entry into the role and so you probably will have to do a little bit of it if you want to get into management or if you want to um become like a really strong individual contributor in a different area um again is it is it necessary should everyone be a CISO no that
shouldn't really be the goal of everyone I know everyone wants to be but um often you'll find that you'll get to that point you make a lot of decisions um you're basically the the fall person um for the company the company scapegoat um if there's an incident and so I do know several people who have either become like a manager or director done it for a year hated it gone back and then um those people are really great to manage because they've done it they've experienced it they they know the other side but um like don't be afraid to try at the end of the day like I I find those people even though they went in that
manager experience they didn't like it um they probably came out the other end better for it you know learning that it's something they wanted to do maybe they didn't enjoy it maybe it wasn't for them at the end of the day it's a learning experience excellent well once again thank you so much for your time Kane it's been a brilliant talk I'm sure absolutely everybody's appreciated it I'm going to uh pass over to Liam now to uh close it up thank you Adam um yeah well thank you very much um everyone for attending this talk um looking forward to seeing you in um 25 for our next event which is on the uh 26th of April um watch this space um
about a special extra day coming up um that's all I've got to say nice and short uh one for me this evening one last thing to jump in based on what Kane said if you you know if you want to do something a bit more public and you want to get some uh you know do a talk on something we will be having a call for paper so you can you know first time talk do it at BSides Exeter if you want to want to get out there and support the local you know local industry yeah definitely thank you sh um yeah well thank you very much everyone for coming much appreciated