
get started so this is our cyber security Think Tank Channel I would like to start off with introductions so please answer the following who are you and what does your typical day look like

all right I'll go first hello everyone welcome to BSides uh my name is Dell Amo I am the Chief Information Security Officer for Thea Point uh we're a cyber security firm uh we we do contracts for different things I handle the GRC side of the house so basically anything that deals with GRC that deals with uh you know advising you know leadership stuff like that that's what I do what was your second question chis what does your typical day look
like oh my typical day well I said GRC so a lot of it is writing uh policies a lot of it is just uh you know interpreting things for risk management teams uh talking to legal you know things like that so somewhat boring but pretty cool I like it I get paid good

hi my name is Anthony B I'm the information security officer for the City of Albuquerque thanks for having me here being part of this um typical day I think only exists in our heads I think when we start up when we wake up in the morning we have how we think the day is going to go but um it's really not under your control most of the time so
especially when you support a u a staff base of 6,000 people and several thousands of end points you never know what the day is going to bring so I think you you start each day with a good intention to the things that you're going to want to do um you know this particular time of year is our is audit season for me so I usually have between one and four different kinds of um audits that I'm working through and that usually goes uh through um um the month of November so I'll be quite quite busy with that plus uh responding in kinds of uh security events and and uh vendor reviews and purchasing um analysis risk
risk reviews that the organization brings

good afternoon everybody my name is Eric p and I'm the security operations director at SolarWinds um I've been at SolarWinds for about 9 years and uh typical day at SolarWinds is almost kind of how you describe it right you try to set your day but then react most of the time um work with a Global Security team one of the things that I also try to do is provide top cover to all the off groups that I manage and again that takes up most of my
time

I'm Philip Wy I work for Horizon 3 a security expert so I've been in cyber security for a little over 20 years in the offensive security side over over 12 so my role at uh Horizon 3 it's kind of twofold 80% of my time is spent helping customers with the products my customers are Consulting companies helping them get the best use out of the product and kind of guiding them and the other 20% is community speaking stuff like this evangelizing

my name is Josh van I actually work for Eric at SolarWinds I'm a staff security engineer and only member of the security architecture and best practices um typical day for me is assessments diagrams and and review reports like it it revolves around assessing the technology stack that we have and the deployments that we have and then over

so I feel like we just need to uh discuss this for a second there's a issue in information security where when someone gets attacked everybody else likes to jump in and go well if they would have just done X Y and Z it wouldn't have happened so hindsight 20/20 let's keep that in mind so without victim shaming what can
organizations do to prevent becoming the next news headline for breach

all right um it's always easy to victim shame you know it's it's one of those things where you know as kids we grow up and and it's easy to blame I had a family of five so you know uh one brother three sisters and the women ruled the house you know so it was always easy to to point the fingers and blame someone because they didn't do something something broke my approach and and the way that I I I view this whole situation as far as victim shaming we've tried that it it just doesn't work right we try to scare people we try to use fear and oh if you do this this will happen and that'll
happen and they see all these things that that go on within the world like today and you know like some of the other organizations that have uh you know been through ransomware and those things are just not working so at my level I have to learn how to talk to leaders so they understand exactly what's going on and I have to talk to them in a language and I always tell people think of it like if you're at the C-level CFOs don't have a hard time talking about financials and things like that you know many many many years ago I I wanted to be a a CFO I wanted to be you know CPA and all that good stuff
they can talk to the rest of the C-suite like it's pretty common and they understand and that's because when when you go to business school you start to learn those terms so I I think there's going to have to be a change and and more cyber security uh terms and understanding at that higher level has to be included in you know master degree programs and you know um you know just all different types of business programs so that when we talk to them they can start to understand what that impact is going to be

so got a comment so one of the things I would guide we spent all this money on penetration testing all this time and
effort but these items are not always remediated sometimes risk acceptances are filed and these are leaving you open to to being exploited being breached and you know there's time and place for risk acceptances but use them where you need them uh don't just use it as excuse not to remediate because one of the things that we discovered during these pentests these vulnerabilities that are exploitable are being led for ransomware another time attacks so making sure that you're doing timely remediation uh there are times where you need to file risk acceptance to get more time uh one example like to share from one of the companies I work for Consulting I was pentesting this company and from the
internet from this web app pentest I was able to get command line access through a SQL injection vulnerability dump the password hash crack the password hash so so only the application was in scope so I probably could reuse that password on other servers but the company filed a risk acceptance because it was a development server I was able to get that server from the internet it doesn't matter if it's development or not I could have gotten to other servers and production so use uh the risk acceptances as possibly and make sure your

I think another thing that comes into mind is if you're getting shut down at different um points to get different Avenues to get your point across um take
a step back and maybe ask yourself what can you do what can you do to reduce the risk uh to the organization in the environment something that you have under your control it's usually um you know there's there's some tools or some rules that you can put up um to minimize the risk um to to go that extra mile and not necessarily um depending on another team to do the patching is not working um if if the department has filed a risk um risk acceptance for um you know and you still are the the type of employee that cares about the organization and protecting them ask yourself what can you do on this given all these other things and U
that might be get in so um just just approach it with a with a sense of curiosity an open mind um you might find that there is that you can do to lower the risk to the organization and then you can sit back and say well I I feel good that I've done everything that I could and I'll think back off of that and at times what you think you do is good I may not be good enough and and when something catastrophic occurs to the business um victim shaming you know typically happen but the challenge is do you fall prey to that victim shame right does it you know in my you it doesn't
Define you as a security professional it's what you do afterwards right do you do you fall you fall prey to the victim shaming or do you accept responsibility hold yourself accountable and then begin to take the steps to you know be better uh and then to wrap that all up it's transparency how can others learn from your experience and how do you share that experience so that it doesn't happen to that you know that next security professional or that next organization I think that's what's missing today

so my kind of take on this is while while everything else said is 100% true that's all kind of hingent off your analysts understanding the business um often you see people come in
especially in earlier roles have no no understanding how your business Works how your business processes work work flows within key infrastructure and key departments that I found for me personally has been the best way for me to secure a workflow is to understand that workflow um when I first got hired by Eric I kind pull him aside say so I can tell you I came from Mexican food restaurants I could run Mexican food restaurant I can't tell you anything about software I need yall to teach me software as a business so I can secure and I think that's if I could tell any Junior or even kind of mid career security engineer analyst get to me your
business get know what you do um it will make everything much easier I want to I want to touch on that because that's a that's an excellent point you know know the business and know the business even before you go to the interview you know do some research understand what they do if you can talk to somebody there understand the workflow I think one of the biggest things is is not knowing the business and you know like you said you know you you run into problems where where are the pain points where are the areas that somebody can come in and attack and and that would be detrimental to the organization but then there's the other
challenge too because think about it a lot of times when an analyst gets hired how long do you stay at an organization right you're only there for maybe a year or two whatever the case especially if you're starting out you're there for a couple years and then you move on so then you start thinking well why do I need to learn that business and I think it goes to kind of C's Point earlier right you you take those skills you learn hey I I used to work at uh you know um manufacturing now you know working for dealerships right you know or whatever the case you can take those different things and skills with you but
that's a great

Anthony I have a question for you 10 years ago the city of Al specifically APD was targeted by Anonymous what are the unique cyber security challenges faced by Public Safety departments and how do you address them

question there's a lot there's a lot to unpack there all right um so definitely we would be considered a high value Target um you know for organizations and attacks like that um I was not at the city at that time I think I was a relatively new Al resident um or at least just visiting the area at the time so um I think on the surface the obvious challenge to um protecting yourself on that is um how do you maintain
operational continuity um with a lot of the um the attacks that you hear right now 911 systems in public safety are always mentioned in it some um cities have been fortunate enough that the attacks have have um affected other areas of the city and they always try to point out Public Safety was not affected or 911 was not affected uh since then I think we've been um I'm pretty um um successful in um keeping 911 up and running um to my knowledge when I was here at the city I think the U one of the incidents was uh uh fiber cables get cut um and uh the routing of information didn't um happen the way it we thought it was on on paper
so so we would have analogies like that and those have always been frustrating to me because if you cut theity communication off and the users can't use the system even though that the servers and everything and the database servers and the messaging servers everything is up it's still down so you you still have to look for those other um those other avenues that could affect um system downtime so that's always been um um a passion of mine to uh you know monitor the complete application stack not just servers is is the server up well that doesn't really mean so um you know also uh kind of considering data sensitivity challenges and um the other thing that comes up is
with um City U um support is uh the support of Legacy systems so Public Safety Tri uh typically has a lot of Legacy systems that they're supporting for one reason or another some are outdated government systems that um the city must use that um aren't under complete control of the city or the code isn't owned by the city but we must host it and operate it so um the other type of where we see Legacy systems come in is where the city buys a new uh a new system for XYZ and there isn't a proper um um data conversion of all the historical data that the city is mandated to maintain so that creates other kinds of
challenges so you often find um you know the support of Legacy systems um presenting different challenges and I come back to my other um you know my other statement is to ask yourself you know what can what can security do to protect those systems and reduce the risk to the city um and all this goes without saying as we often find ourselves with limited budgets um and limited resources uh Staffing's always been a challenge um in all aspects of it especially at the government level I know many organizations struggle with the same with the same thing um and uh also uh the the other challenge that we have is the collaboration with other Public Safety departments as well so right now
we we're we fortunate to have good relationships with New Mexico Department of Public Safety and mdps and uh also with our local uh Public Safety departments such as burn and um we're reaching out to um city of Rio Rancho as well and trying to um work together on different issues that we're um also encountering so um it's it's really good to be part of that Public Safety Community um prior to the prior to this role I was the it manager for the Albuquerque Police Department for several years so that was my um um entryway into this position and that's where I started working with Del Moore when he was in this role prior so um that
that maintaining that collaboration and that that um that idea that you're not you're not alone in in any kind of situation so you can really leverage those Partnerships um to your advantage um it does take some um effort and some um um time to um establish those relationships and cultivate them but I think in the end it's a win-win for for all the organizations involved

can can I highlight something there that I thought was really important was you were talking about you driving the reduction of risk I feel like often a lot of um engineers and security professionals get really locked in on specific result right well I'm I'm going to ensure I have zero assets public
facing I want to ensure that my patch remediation is at 99% something concrete solid and I think it's really important to highlight what she said where it's really not about that stop we need to stop getting locked in on such specific results and just focus on that reduction of risk at the end of the day if I'm limited through a technology stack or through a process or legal issues who cares what can I do to improve the state of my organization and reduce that risk it doesn't it doesn't need to be a specific outcome it's just that risk reduction

so we've got a pretty diverse group here today with varying sizes for your organization so what strategies do you
employ at your organizations to educate and protect employees from phishing and social engineering attacks

I'll take this one so um we have a internal red team and we we run uh active phishing campaigns against our users but where we kind of transition away from your traditional phishing campaign for training is we don't slap users on the wrist for clicking on that phish um we we partner with the the organization like maybe we see a trend in maybe the finance organization and so we make the training relevant right and understandable U we don't speak in General Security terms we make the relevant to them uh the phishing campaigns also are targeted and so it's not a spray phishing campaign uh what
we'll do is we'll Target specific groups within the organization and craft the phishing campaigns again so that it's relevant to the B

just to kind of build off of that the city does um quarterly phishing test of all the the employees as well um one of the things that I think um I've tried to do uh implemented this year was um try to make it a little bit rewarding for the employees who actually do the right thing and Report uh one of the uh phishing messages that they receive uh to the security team as phishing and who who obviously didn't uh take the bait is um we we collect all those people who submitted those um um um campaign emails
to us and we do a a drawing um once a quarter we draw about um a dozen names and I send them a uh personal signed letter and a little stuffed fish that they get so thanking them for their vigilance and try to try to make it a little bit fun that it's not necessarily you know a hammer always coming down on you because you failed but you know let's recognize the people that also do the right thing and encourage them to encourage others as well

I I've got to set my boss up for this tell them about what we get

we yes so um my prior background is in the the US Army and one of the things
we did was um we did challenge coins and so at SolarWinds uh We've Implement St Camp a challenge coin for for to recognize individuals within the organization that extension SEC and so we issued out we issue out serialized Challenge and then we recognize those employees for the good work that they do and again it's awareness and those CL I do

that's awesome I think I'd rather have a coin than a fish

hey I I said limited budget

what are some ways that the information security Community can collaborate to help prevent breaches and assist when they occur

this is a pet peeve of mine so I'm going to hop in first our enemy does not care about money and
it does not care they do not care about acknowledgement they are going to share all of the exploits with each other constantly we in the United States especially are really we keep everything very close to us we keep everything very secret we don't want other people to know oh what if they what if we're not doing as well as so and so that's got to change um to to keep up with an adversary that has the most unilateral sharing platform which is Tor the dark web and and various other out of band highly anonymized networks like V just came out last year from from what account until we get on that level we're always

I think one of the things that uh
again it's hard for me to to stand behind is how do you prevent something I how react to it it's going to happen right we can do as much as we can but it's it's going to happen at some how do you respond how do we react to that how do we become more collaborative as an industry as a community I think conferences like this you know is one of those ways and I think we need to be able to support the communities that do this kind of uh or set up these kinds of sessions to do that I don't think it's going to prevent security yeah you know it's really tough um and I
I I agree with both of my panelists here you know it's it's one of those things where you know how do we talk to each other you know some of some some of the people in this room might be the first time I've ever met some of you guys you know but you know where do we collaborate where do we find that platform that we can talk you know we have you know chili set right which is growing you know which I I I I love it because people are getting on there people are talking uh and you know and if you're you know if you're shy you know being on a platform where you can
just you know ask a question and not get vilified for it you know I think a lot of the platforms now just regular social media you know you get vilified if you ask certain questions I mean even in you know I don't going to show my age you know but I mean even going back to you know BBSs and and and things like that back in the day you know there's always going to be trolls right so we we got to you know get beyond that we got to create platforms and and and make sure that you know for lack of a better term a safe space that people can talk and and and really start to collaborate
because like you said our adversaries are doing and I'll just say um I've been trolled at RSA but I've never been trolled at death it's a different mindset a different right you're right yeah one of the things I think we we can do to help is uh you know we we think about going to all these different information security groups but I think one of the things we can do to help is you get some of these smaller businesses that are really don't have the security staff they're really totally outside the realm and understanding a cyber security I think really as professionals we need to get plugged into some of those groups some of those meetups and you know
Chamber of Commerce and different business meetings and kind of get involved with those organizations and kind of share what we're seeing and and try to give them some guidance

great Point great

so we always hear about how every company out there security team is understaffed not enough budgeted so how can organizations continue improving their security posture while working within these limitations

yeah it's that's Mantra that's that's what we deal with uh you know and for me of course I'm big on GRC I think it starts there um to start with your policies to start with the the fabric of your organization the DNA of your organization the culture of your organization and you know promote a
culture of security uh within your organization leveraging you know what we talked about up here leveraging the users within your organization you know uh giving them recognition for whenever they they see something I think that's how you start to do it that costs nothing right uh working your policies getting your policies to the to the point to where people can understand what those policies mean and you know not some crazy legalese right you know when when you sign that when you get hired on and you sign that that document that uh AUP you know um uh you got to understand it you know when you read you got understand what is expected of you and and right away that that culture of
security should be in the fabric of your organization no matter what size you are um I I think that's the most important thing you hit the nail on the head with the culture I think uh being creative is one of the transferable skills if you have one of those if you have a being creative as a transferable skill it works great in security again with limited budgets limited resources um establishing a culture of security and then identifying security Champions with your organization because security team can't be everywhere can't see everything but you know others around your organization can and if you can build that trust within the organization that you're not the hammer but you're a
partner um then then the likelihood of somebody reporting something to you is is is higher and again that costs nothing but time over time right and so if you invest that time again we're on that journey and but it's in for us as well right so say no say not like that not like that much response

sorry I didn't mean to interrupt but um the term GRC has been mentioned multiple times but I don't think anyone's actually defined what what those letters mean and I just wanted to make sure for the people watching and everything that it's it's you know I don't think it's intuitive that everyone Miss

yeah uh GRC is governance risk and compliance so it's
it's basically everything uh within your organization how you going to run your uh cyber security or information security program uh you know risk risk management how are you going to address the risk management within your organization in compliance how are you going to comply to the policies that you put forth within your organization and how are you going to comply with the regulatory and legal uh you know compliances that are out there you know you know HIPAA uh those are some of the things that come to mind uh PCI things like that

so I'll just add a couple things one on the on your point about transferable um skills so I would say another another
good skill to have is uh that sense of curiosity so uh looking back at my own um non-traditional background if you will I would say U you know coming up through the ranks I started off out of school as an accountant um so I know one other panelist that shares that as well but I would say uh you know all the years as an Oracle DBA and that sense of curiosity and and how to uh dig into something that you see as a performance issue on an Oracle database system um how to find U the root cause of something just being curious say I saw this when I was looking for something else but that
might lead to something else it might not but it's that that um that uh curiosity to actually go and look and investigate something that you see is that that caught your eye

yeah kind of building off what you said uh I think it's would be a good practice to take different or groups within it and get them some security training get them some secure coding training for the developers and that way you kind of got more eyes and ears into those environments that are going to see it firsthand before maybe you're seeing malicious traffic or or seeing some uh CVE that affects those areas yeah and that's much more reachable than it is going to be increasing your staff so
work with the staff that's already in your IT organization kind of deputize them if you will into security practices and you can really greatly expand your reach in the organization and everybody benefits from that

so how can organizations best measure effectiveness of their cyber security governance

oh yeah that's a great question and you know you know short of everything that we typically do and especially everyone out here you know we look at metrics right you look at all these different things and and yes metrics are great uh there are organizations like like my organization that that will come in do assessments and you know give you a maturity rating and things like that and that's great you know but we talked
about you know organizations might not having you know enough you know budget in order to do that and and that's where it becomes tough right because yes you can do self assessments but you know again you know I look at myself if I'm a uh you know I'm a patient and I would I do a self assessment on my medical self right no I wouldn't do that so you might want to leave that to professionals but you would know how your governance is working because basically you have policies that are in place and if those policies are constantly being breached con constantly being exploited by your uh user base then you you you know that
you're not at the right level and that something needs to happen and something needs to change you know so so we're right in the middle of a big series of Assessments I'm doing and you're talking about like a lot of people have a budget for that right I've often seen that often SE that the assessment itself you can do it's going to be uncomfortable um I'm married I kids I'm sure many of you are when you have a partner you're being real with one another and my wife definitely lets me know when I'm doing something she does not like or that is maybe I'll SL the you got to take that same mindset going into those assessments I I've
ruffled feathers with friends while doing assessments of the members of the IT team that I'm close with the team just the other day me and Eric were talking about how I kind of had to shut a friend down during an assessment it's it's hard and but it's one of those things that you really have to look at if that partnership me and and that's why I think you need to Outsource it you know or have a you know somebody else come in and do that type of assessment and and I really just feel you know to any of the business owners we have business owners in here you know I think at a certain point in time as a business
you have to start thinking this is the cost of doing business like every product every widget that you put out there you know no one no one doubts that hey all the financial assessments that we have to do all the um you know audits that we have to go through from the financial side if you're a production organization and you've got to take and get your product you know uh uh quality assessed or whatever the case no one bats an eye of that and those organizations can raise their prices on how much they charge for you know checking out your widget making sure that it meets the quality standard right why isn't that that should be the same
for cyber security I I don't understand and and I think what's happening is is we're seeing threat actors and you know like today's you know just you know random well outages that just happened those things are are pushing organizations to start thinking hey this is going to have to be a part of our business and and I think that's where we're head and when you have those governance um discussions with teams who are impacted by policy or regulation or something where you can where you tend to see where it's working as if they they have this you're not coming after the mentality it's like okay how do I make it better right but that goes back
to what we talked about earlier about the culture of security right and I think that's the that's the key point is partner with other groups within your company with your organization help them understand that yes there there's there's governments and regulations and and guidelines and guardrails that they have to follow but if they understand why the why behind it it makes it a lot easier to have that conversation to get their gu and that's where I believe you can see whether not the Govern

so in case anybody is playing buzzword bingo we have to talk about AI f predictions how will AI impact cyber security

yes that's it thank you folks no it's it's it's so true AI will
impact on both sides we're already seeing it on on the threat actor side you know it's easier for them to code it's easier for them uh you know from from other countries you know back in the day and again I'm showing my age back in the day you would get uh email and you read it you're like what in the world oh that's F now it's pretty clean because AI has gone through and written it for them and it looks really really good it reads really well and it can get you to do things or your user base to do things that they never would have done before um you know on our side I I think
you know from the defensive side you know we we're seeing a lot of products starting to incorporate that in into their products and into their services and I think it's going to help us but again we're always searching for the Silver Bullet we always think that there's something out there that we're going to buy that one product and I think business owners think this too we're going to buy that one product we're going to get that one service and we're going to be protected forever you know um that's not it there's multiple layers that you you have to put in place in order to protect yourself so AI yes will affect see yeah from like the defensive
security side it's helping us scale because as you mentioned ear you know just kind of the shortage of talent uh some of these AI products that are coming out are able to take someone that could be without any type of pentesting background just the organization I work for Horizon 3 we have autonomous pentesting product and you really don't have to know anything about PES to go run it so I see more options like that to be able to scale the people you have and it's just a natural progression into tooling within cyber security because once upon a time we didn't scanners all that had to be done manually but vulnerability SC scanners helped us uh
you know scale what we're doing as well as like from the pentest side some of the exploitation tools like Metasploit makes it easier for lesser experience so I see that helping and I learned of a tool earlier this year this startup called Uno AI they've got like a co-pilot for defenders that you can go in and ask guidance and specialized towards defenders and so I think things like that are going to take uh new folks scale them up quicker and do more with less I think this is going to be a good thing a lot of times you hear about uh what you see on the offensive side but I'm really curious to see what it does with some of
the defensive tools what the capabilities that we're able to come up one of the things that I'm keeping my ear to the ground discussion on is again fivey who who holds the data um and you hear a lot of discussion around you know regulation and and how do we establish guardrails the challenge is the adversaries don't have that they don't care they don't are not bound by regulation and so again as we have these discussions you know there's that balance right and we have to come up with some way to make sure we are still Asos as we can otherwise we get that was that was very much was throw there was it's it's
no different than any other hype cycle with any other piece of technology the importance to adopt it along with them right we just spoke I just brought up the uh the intelligence share we never caught up to the adversary with how we share our intelligence we have to make sure we keep up with how our adversaries are using AI or we're going to end up in the exact same V so we often hear about cyber security gatekeepers and there's a lot of students today people trying to transition to cyber security roles and it's interesting you hear about how there's this cyber security talent shortage but then people who are trying to get cyber security are having difficulties
doing so so what advice would you give someone seeking their first cyber security role I don't know if any of y'all noticed but cyber security people are kind of cocky so don't listen to them if if someone tells you you can't man that's my biggest fuel ask him I don't know how many times I've probably done something he said don't do that I do it anyway don't listen to the people tell you you can't get into the field find a way find the skills that you have that that contribute to it I also came from a I don't have a degree waited tables built irrigation pumps I learned the value of hard work and that's really
been incredibly beneficial to me in my career and I've had plenty people tell me oh you don't have experience you have the technical chops you don't have this why of to learning and that's the end of it so like don't don't let them get you down don't be scared of you want yeah I agree with that uh I'll give you a little bit of my background and this kind of goes to the previous presentation um you know I grew up really poor in New York um you know we didn't have much uh you know it's tough sometimes with food and things like that uh my mom picked us all up and moved us out here so I wouldn't get into any
trouble so uh came out here uh my brother really smart um got a scholarship to Albuquerque Academy which is one of the top schools here in New Mexico um one of the first we ever got was one that he won because he won the Supercomputing Challenge and it was the most expensive thing we ever had in our house and so we looked at this thing and you know turned it on and he was showing us some stuff and yeah that's how we got introduced to tech and computers and things like that so you know for me I have to give back you know the opportunity there I I mentor whenever I can you know the
organizations and Chris knows this and you know Anthony this the organizations that uh people uh either see me in and they if they come up and talk to me and say hey I'd like to get into it then I want to take you under my wing and I want to tell you how to get through it because literally and it sounds cliche but if I can do it anybody can do it and and I and I mean that and and the gatekeeping with the with the technical terms and you know us speaking cing on and things like that uh we need to stop that we need to stop it's just like any other job it's
just like anything else uh if you're curious if you if you have drive and if you have motivation you can be very successful in this field yeah I'd like to to add to that so I've uh taught at Dallas college for almost four years do a lot of mentoring uh run a death convert and I help a lot of people get in the into the industry but as far as like kind of the difference between some of the gatekeepers some people are genuinely trying to be helpful and I think you have to follow that path to be a like a pentester for instance because I had you know some of my students before because I was a system
administrator before I became a pentester and I had students one of my students came in one semester first or second week said yeah I would be at your level but kind of do it quicker and I told them yes the more time everything you spend into it you can get there sooner and I've had people ask me do I have to be a sysadmin no you don't have to you just need those certain skills don't need you don't necessarily have to be in those roles don't as mentioned earlier don't let anyone tell you no just be persistent be motivated and do what you want to do you know you can do it it's not that difficult
because my background I was a former pro wrestler never thought I'd use my mind for a living didn't take high school serious enough that my grade point average for on my in my uh college entrance exam test scores were too low to get in unless I had like eight letters of recommendation from uh my teachers so I pursued pro career but then later on get got into uh you know a career in IT and then cyber security and pentesting so don't let anyone tell you no and along with the gatekeeping thing find allies if someone's only giving you negative and they're not trying to help move on and find someone else find a mentor and another tip on mentors you
don't have to have just one find several people that are available to to have talks because not everyone has the time to take a monthly or weekly call with you but they're able to speak to you once once a month or every so often and typically the way I like to do because I don't like to turn down any mentees but what I'll do is I'll have an initial call get their background give them some steps on what they need to do next let them go off and do it and they can ask me questions and just answering a few questions through a text message or LinkedIn message or email is not enough then we have another call again but yeah
just reach out to people a lot of people are willing to help you so find allies people are gatekeeping just avoid them they're not going to do really good I was going to I was going to just add you know the question is always how do how do I get my foot into the S sa Security Board I think security leaders in these rooms also have some some responsibility to help find those people who are interested and so changing the narrative just a little bit right um it's it's incumbent upon security leaders um to be able to identify those very interested and not I'm going to also say two things uh when you mentor someone encourage them
to mentor and and have that grow and when they mentor someone encourage that person to mentor so that's one thing the other thing lab every day so I'll just had one thing everything's been really great so far everybody had to add um practice the proximity principle so get yourself where where cyber security is happening I don't think the majority of the people in the industry don't have a a straight line between I started school and I went right to cyber security we all have varied backgrounds and um various paths leave yourself open to that and grow wherever you're at get some skills with what you know whatever your first job is um prior to coming to the city I was an IT officer
at the University of New Mexico and I employed IT student employees that is a wonderful opportunity available and you cannot ask for a better job while you're going to school where your employer respects what what your school commitments are and you're already on campus I tell you that I've had some excellent um mentoring capabilities with some of my past student employees several of them went on to cyber security careers but it it wasn't always a direct uh direct path um you know maybe they went through sysadmin they learned about um securing servers that way they all brought skills with them along the way that aided to their overall success so don't don't put such
a burden on yourself that it needs to be a direct path and if somehow you're over here you want to be over here you're still F you're still able to grow over here and trust me you'll be a better when you finally get to where you want you'll be able you'll have that perspective to look back and see connected dots with every single position that you've had and you'll see how that made you the person that you are and and and prepared you for success right well thank you panelists we are out of time but I appreciate and I think this has been awesome thank you [Applause]