
I think I'm doing half the pyramid later, so I'll have a shit-ton load with me. Do we have HDMI? I think I'm good. We got HDMI? That's really all I care about. Yeah, just open the AV. Pass around the mic, so in case there's any questions in the audience, pass around the microphone. And we're all set with the audio.
Okay.
So can you hear me here? Wow, okay, cool. So it's so great to see the room nice and full. If you're staying for Chris's presentation, stay in the room, because we're not going to really let many other people into the room. I'm Kathleen. Yes, it's Kathleen on Twitter. I'm the Hire Ground Director here at B-Sides Las Vegas. I'm proud to say that this is the best career track that happens at Hacker Summer Camp. We not only give you employers to talk to, we give you career content sessions to help you with your career development and your career search. It's okay. I'm not going to be speaking long. They're going to edit me out anyway. We also
have resume reviewing and career coaching that will be going on from 12 to 6 today. If you look on the Hire Ground track online, you'll see the bios for all of the career coaches and the mentors who are going to be here this afternoon. It is basically first come, first served. So that area will be over here. We have a volunteer who is... It's right there. Thank you. I was up to this. I know. Go for the top one. When you run tracks and you have people like this speaking for you, you love them and you hate them sometimes. So the career coaching and the resume review is really very valuable. We've heard a lot of people say that they get a job, that they know more about
their career search. So don't be shy. Definitely come back once, twice, three times. Also, we have these great vendors in here who have all of their recruiters available to talk to you about just any career development, any career search that you're going through. If you're going to talk to the vendors during the sessions, if we can just ask a little respect of the speaker and sort of keep the conversations to a low, dull roar. So while he's doing his shot and hooking up his lav, I'm going to share with you why I asked Chris to come in here today and do our kickoff. So all of us, when I first started Hire Ground, it was
called something else, and everyone was talking about rock stars. And they were talking about the career path was based on the rock stars that they saw. And there was one really great presentation that happened that time, and there was a rock star who came up and said she never saw her children. She gained 200 pounds. It's always the bearded one, you know? Yeah. And so I really wanted to make sure that we had people that I consider to be rock stars come and talk about how they've gone through. Yeah, I know, you are a rock star because you give really great hugs and whiskey shots. But we all have a career that is good for us, and I don't want anyone to think that you need
to have a career that parallels or mimics somebody else. If the one thing that we know about this community is it's about creativity, innovation, passion, and trying to find the solution to problems that other people are not willing to go after. And that is why it's so great that this area is growing because I don't want you to all sit there and look at one of those three letter certification boards and follow their career track. I want you to really embrace the passion that you have for why you're here in the middle of the summer sweating to death getting dehydrated, or being a volunteer like myself and giving 20 to 30 hours a day. Yeah, I squeezed an extra six in there. Because this is about passion. That
is what the community is about. And I didn't think that there was anyone better to talk about passion and embracing the slobber, because you've got to learn to live while you're also hacking. So I would like to introduce my dear friend, Kilted One. Made the airplanes go sideways for a living. Now hanging out with the ETVO folks, yada, yada, yada.
Now the other reason that I'm probably up here as well is because of this. Sometimes our only simple role in life is to be a role model for others in what not to do. Quick show of hands, how many of you are fairly new in this industry? Like the last couple of years, all coming into it, wanting to know. The rest of you are cynical
old farts, yes? Excellent. All right, well this is kind of a bit of the other thing. This is the other pair that will feature fairly heavily in this kind of discussion. For those of you that follow me on LinkedIn or Twitter or anything, a pair of Great Danes have recently, last year or so, kind of come into the family. Daisy is about a five-year-old now. Milo is now about a 15-month-old, 115-pound slobber monster. So why are we having these conversations? Why are we doing the higher ground? Why are we trying to reach out and everything else? Well, let's put it simply, we're broken. As an industry, we have a few challenges. I'm fortunate, or not, but I get to talk about it a fair amount. Now here's the thing,
this discussion that we're having today isn't about the industry. There's going to be an entire week's worth of shit talking about it out there. We're going to talk about us. Why am I getting feedback? Is that because this one's on?
I'll leave it. I'll figure it out. It might just be me. Thank you. It's driving me nuts. Here's the logic on this one. This is how much money we're going to spend in our industry this year globally. $124 billion. That is a serious chunk of change by anybody's imagination. Having just come out of cyber week out in Israel, a very interesting individual stood up and put this slide up. That's how much shit we lost in January alone. Don't worry about it, go on. That's how much we lost in January. Almost 2 billion records. So the question is, what the hell are we doing? And quite honestly, this is kind of where we are. We're not in a good position. We're
spending more money, we're losing everybody's data. So this is kind of where we feel. We have upgraded from a dumpster fire. Let's first off have an apology. We screwed up. I've been in this industry for 20 plus years. Probably more than that if you count when I first started. And we spent a long time doing it our way. We spent a long time with us talking to us. We haven't done a very good job. That's the one. Sorry guys. I am being a pain. How do I turn? That works. Easier. Oh yeah, that is better, isn't it? Yay. Okay. So here's the thing that we need to really start talking about, and this is really getting to what Kathleen's
saying. This should be probably a fairly familiar image to all of us from the science realm. This isn't "help me Obi-Wan Kenobi." This is looking at everybody that's coming into this industry. This is looking at everybody that's around us, all the new folks, all the people that are here for the first time or second time. That's our future. Those are the people that we literally need to be taking aside and going, "How can I help you?" And not only that, anybody that wants to come into this freaking industry. People hit me up on a fairly regular basis, probably the same as a lot of us in here. Hit us up on a fairly regular basis.
How do I get in? What do I do? How do I start? Where do I research? I, for good or for bad, have got a set of blog posts that Chris Nickerson, myself, and a couple of other people I respect in this industry have done on LinkedIn and on Peerlyst. And I'll send those to people. That's like my first, "Hey, have a read of this. When you've gone through this, now let's have a conversation," because it gives them a grounding and an understanding. I sat down... When did I get back from Japan? I got back from Japan like Saturday or Sunday. When I drive, I'm sitting in a bloody coffee shop and I've got my,
do you guys remember, from years ago, EFF did the Fed shirt? Yeah, I was wearing that one in the coffee shop and a young kid came up to me. She was 16 years old. She's like, hey, are you with the Feds? I'm like, no, but I annoy the hell out of them on a regular basis. She's like, can I ask you some questions? And we talked for like half an hour. She wants to do, like, forensics. She wants to do human forensics. I'm like, his hack Natty stuff. Here's this stuff. Here's Nick's, as in his Peerlyst. This is our role, and not only looking outside of our own industry for people in IT and everything else.
I hear so many stories about the fact that we don't have enough people in our industry, that we're missing two to three million people. Go down the fucking dole queue and go talk to the pipe fitters. Go talk to the people that maybe aren't building houses. Go talk to those people and encourage them. Hey, you've got a brain. It works. You're inquisitive. How can I help you get into this industry? How can our industry help you learn enough to get a start? Because you know what? One of my best friends, I probably spent two hours talking to him on the drive out here last night. One of my best friends works on trains, owns John Deere
Model As and Model Bs, can fix hit-and-miss engines from the 1800s, and as far as he's concerned, a computer and an iPhone is good at about 200 yards for putting a grouping of five .303 rounds through. But he's one of the best fucking people I know to talk to about our industry, 'cause he has an entirely different perspective. Absolutely entirely. He and I are the ones that did some of the car hacking at DEF CON number two down at the Pornhouse place. When we went out to THOTCON, like number one or number two, and we talked about hacking tractors. That was all him. The aeroplane stuff for three years. He and I spent time researching engines. That's his knowledge. And trains that I'm breaking shit on now. We
sit with people who are not in our comfort zone. Much more useful to this industry. And quite simply, our job, from the Obi-Wan Kenobi side, is to help everybody in that field. It literally should be: what's our job? I know, X amount of hours for work and X amount of hours for mentoring the hell out of people. And the other part of it is, we need them to learn from what we've done wrong. Not necessarily to not let them do the same thing, because it's interesting to watch other people make similar mistakes, because you're like, "Hey, I didn't think about jumping off the cliff that way. I like it. Same result, though." But also, yeah, points for style, exactly. But it's also trying to help them
understand to make different mistakes. And we have done stuff right, so learn from the successes that we've done. Introduce them to other people in our networks, carefully sometimes. Now, from my standpoint, I've probably spent the last year or so learning from the dogs. I'm going to share some of this with you because it's kind of cool. Truth. This is a rough one, especially in our industry, because we all feel we have to adhere to certain things. The mental side of our industry isn't getting enough attention. It's starting to, but it needs a lot more attention. And a lot of it is because, you know, we've put ourselves and we have to be a certain way
and we have to do certain things. And it maybe goes against the grain as to who we are. And we fight that on a daily basis. But I'd argue at this point in time, with the way the industry is and the maturity of the industry, find somewhere where you can be true to yourself. I'm fortunate where I am these days, with my boss, who I was actually sitting down and meeting with this morning. He walked down and the first thing he said is like, "Where's the kilt?" And I'm like, "I love you just for that." Now the problem is, I forgot to bring a belt. I packed all my stuff and forgot a belt.
So I could wear the kilt, but it would get hairy and scary at the same time. So I'm going to find a belt, then I'll put the kilt back on, I promise. We are not good at looking before we leap off the cliff at times. Watching the dogs is really interesting. Those two hunt in packs, it's awesome. They go against the squirrels. One antagonizes the squirrel, and the other one sits at the other end of the fence waiting for the squirrel to arrive. We should probably learn more effectively. I am one of those bad role models. I will leap off of the cliff and figure shit out on the way down. Sometimes it works well, sometimes it ends spectacularly. The
first time Milo saw snow, he went from the kitchen door, probably three bounds to get across the patio, landed in the snow, mouth open, and was like a hundred-plus-pound snowplow, and all you saw was this flurry of white, black and white, and snow everywhere. He didn't give a shit, didn't know what it was, looked interesting, and he went for it. That arguably is what makes us who we are in the hacking community. The inquisitiveness, the desire to challenge, the desire to change, to take shit apart and potentially put it back together again with a couple of screws left over. But I encourage all of us, get out and experience and step outside that comfort zone. Again, especially as we're
mentoring new people into this industry. One challenge I have for everybody here. How many of you do like the ISSA, ISACA, and the local B-Sides rather than summer camp madness? Most of us. Here's my challenge to you. Next time you go to one of those, take somebody from the business, or take a friend who's not in security. Drag the finance person along. Drag HR along. Bring legal. Bring somebody from manufacturing. If you have to tranquilize them temporarily to get them out of the office, so be it. Bribe them with alcohol. Do something. But bring somebody along who's not part of this industry. The funny foot that the Wolf Mutt has, that is about the fifth or sixth.
Ooh, what do you have? Well, sadly, what I have is not whiskey with an E, which was the request. But I do have whiskey with a Y. Ooh! And it's not that. - Oh, oh, oh, oh, can we trade? - Yes, absolutely we can trade. - Excellent. I have this at the moment. Here, hold onto that for a wee second. We have to, that's, who's that? That's just general, or that's for me? - That's for you. - Oh my God. - Whatever you want. - Give me a freaking hug. You're awesome. We have to share it with everybody. Canadian Club small batch with, it's a sherry cask. I love the freaking gloves. - Thank you.
- Sorry, squirrel moments. Yeah, expect squirrels in this damn... we're gonna get yelled at. I didn't submit a talk. I got press-ganged. Yes. So this is the outrageous speaker request. It was for whiskey with an E, sorry. I sent a Canadian to do a Scotsman's work. It didn't work out. Which Canadian did you send? You have a quite good voice. But still, very lovely. You guys are awesome. Thank you so fucking much. And there was also a request for puppies, but, you know, sorry. I was going to bring the beast with me, but he wouldn't fit in the car, and I wasn't too sure how he'd react in here. Probably slobber on everybody.
Oh, that's totally cool, huh? That is true. Yeah, that is a good point. Oh, that is totally... All right, this is getting shared with everybody, or anybody who wants them. We won't need more glasses in a week. Thank you so much. Thank you. I tell you, I forgot. Did I put a request in, in a moment of weakness? Much like when you accepted this talk. Oh yeah, I better shut up and talk. Thank you. Yeah, let's make sure that goes to everybody. I try and try again. So, squirrels, I'm yet... he's got a little... my funny feet has a thing with that damn dog. The funny feet started off on the floor. After each, you...
Buried a couple in the garden, didn't really damage them, but just slobbered all over them. They moved up a couple of feet. Unlike kids, as they get bigger and older, they can reach higher. Also can he. And they got higher, another on the shelf up here, and he's still trying to figure out how to get the stupid things. All right, communication. This is one thing we are not good at. We have to get better, and not just among ourselves. Thank you. Oh, that's yummy. Oh yeah, that hits the spot. Thank you. All right. Oh, thank you very, very much. This is yummy. All right. I better finish this. I wasn't going to yell there.
All right. We're not good at this. Let's be perfectly honest. Not just among ourselves, but again, as we're bringing people into this industry. Help them communicate with a business. Help them effectively discuss risk. Help them have the conversations with the industry in a way the industry understands. If you spill my alcohol, I will... Exactly. All right, that's going up there. Do not spill the alcohol. I will retaliate. Oh, fuck it. All right. Thank you. You realize this is getting video. We'll have to edit the video. All right. Communicate. Shut the... Give me... Squirrels. All right. We're going on this one. For those of us that came out of the military, we actually had a different way of communicating. It was basically, be polite, be professional, and
have a plan to kill everybody. Try not to do that in this industry. Replace kill with taser. Is that fair? Good. All right. Carpe tempus. Seize the mo... God damn it. Fucking alcohol attack, abuse. Bastards. All right. Now you can... They're not weighted. I feel like I'm in one of those damn shows. All right. You're awesome. Yes, I'm throwing dogs out. Okay, that one's good. How many freaking dogs did you get? I did. If I take these back, they'll last two seconds. I'll have a set of slobbered things. All right, these are going to be thrown out in a second. All right. We're talking. This is great. I love this. Carpe tempus. Seize the moment. This, for me, is a huge one.
This is an opportunity discussion. This is taking a leap of faith discussion. This is "I've only got 10 minutes left to talk" discussion. Alright, you get the idea. People here, conversation, step out of your comfort zone. And the flip side is, when somebody here comes up to ask you a question, maybe that's their moment. Give them the time of day, please. This goes back to this Rockstar Not Rockstar comment. That Rockstar mentality means I'm better than you. Bull fucking shit. I'm no different. None of us here are. If you end up in this space, be the same way, please. Give everybody the time that you possibly can. Make sense? Good. Learn from that one. This one's a good one.
We all love taking responsibility for the good things. But when shit goes wrong, and it will go wrong... Take responsibility for the bad stuff too. I've done a bunch of stupid things in my time. A bunch. Some of them quite publicly. And you know what? I took the responsibility. I fucked up. I screwed up a company. I screwed up a bunch of stuff. I screwed up a bunch of research. And it happens. I have logic for it. I have discussions for it. I'll own it. And I've learned from it. And hopefully that helps others learn. Do the same thing. Please. This one's a big one. Be yourself. Please. Be who you are. Be comfortable in your own skin. If you're not, figure out what makes
you happy. For me, it is these things. Not quite these things, but the bigger versions. And the whiskey. I love sharing the whiskey. This goes with it. Fuck what anybody else thinks. My mother follows my Twitter feed, which is both good and really scary. And I love her for it. And she gets all the pictures and all the other crazy stuff. But occasionally she's like, Christopher, do we need to have a conversation? Yes, mother. Okay. I have to temper it a little bit. My job with my, I'm sorry, I didn't mean to throw it quite that fast. The sole request from my boss when I started my job was try not to get arrested again, try not to piss off the president, and
try to leave airplanes alone. And that was literally it. And for that, I love him. I've been fortunate. I found a good place. If you're not in a good place, find another place. There are a lot of good companies, and there's a bunch around here. Mostly a bunch. You won't let people be who they want to be, but we'll have that discussion afterwards. Most of the people around here will let people be who they want to be. Patience. Have some patience. I'm not good at this one. I will occasionally let my emotions rule everything else. Let's not do that. I will occasionally do that. I've had to learn, effectively. All of you do the same thing, and as you mentor
people in this industry, as you talk to people, or as you are coming through this industry, take some patience, take a step back, evaluate the situation, and then move forward. Okay, reality check. When I first got the dogs, I would chase them through the house with a cloth, every time they came in muddily. Very quickly, I'm like, this isn't working. You've got a cleaner. It's easier. But there are definitely worse things in life than muddy paws on the carpet. Put shit into perspective. All of us have been there. We've all had really bad fucking days, and we know people around us that have had really bad fucking days. Number one, help those people. And we're losing people in this industry. A lot of us are former
military and former gov. We lose too many people every single day to people who don't think they can get out from under their problems. All of us, help others around you, please. And if you do feel that way, for fuck's sakes, reach out. There's enough of us here to help and to listen. Deal? Deal. Good. So, wrapping it up. This was our history. To some degree, it still kind of is. This is our future. It has to take all of us. Okay? And I mean all of us. All of us in here know the challenges our industry has. We know the issues. We know the challenges from race, color, creed, orientation, whatever the hell it is. Your job, our job, as
people come through this industry, break those fucking barriers down. March side by side with that person to make those barriers broken down. Make sense? Because it's going to take all of us. And that's across the business. This isn't an IT problem, an infosec problem. This is everybody's challenge. We all have to figure out how to solve these problems that we have. Because we can if we work together. As I said, we have to collaborate and communicate a hell of a lot more effectively than we're doing. So as you talk to the vendors and the people in here who are hiring, ask them, What's your communication policy? How do you handle conflict? How do you have hard discussions with people?
How do you handle me if I turn up in trousers one day and a fucking dress the next day? How are you going to deal with that? Because that's who I am. Can you handle it? Because if you can, we'll have a conversation. If you can't, why the fuck are you in this industry? And advertising for people in this industry. Make sense? Good. This is the other part.
Red teaming's cool. You know what dressing up, especially at this age in a frickin' red spangly jumpsuit and jumping over fences, that ain't cool. I don't look good in red spangles anymore. Trust me. Not really, no. It wasn't pretty. The hairy legs just didn't work well. Fixing shit's a whole lot harder. So my challenge to you, Focus on bringing people in, but bring them in so they can help defense. Bring them in so they can help the blue teams. Bring them in so we can do what we're meant to be doing, which is protect. Our job in this industry is to protect the people who aren't in this industry. You bring people in, help them
understand they're responsible for the charges that are around them. I like this one. This is like one of my favorite ones now. We've all come at this from different angles. All come from different places, but you know what? We're all in this together. Work it out. We as individuals will fail. We work together, we collaborate, we help one another at individual levels, at business levels, in industries, we help everybody up. Then we'll succeed. Traditional end slide, as always. So long and thanks for all the fish. All right, questions. Got it. See? She's prepared. I'm not. Two questions. Any questions? You don't get alcohol unless you ask a question. Let's just make it simple. Oh, for God's sakes. Come on. Yes. Now is a good question. See, that was
easy. Go for it. Ask a question. And I'm not as daft as that sounds. It's actually probably the most important. How many of you are probably sitting here going, you know what? I really want to ask this, but I don't want to look like an idiot in front of everybody. Put the fucking testosterone away and ask a damn question. And the same thing goes in life. Hey, why does that work? How does that work? How do I do that? Can I do that? Why can't I do that? Please, go for it. Who are some people in the industry that you look up to currently? Katie probably is one. God, in our industry, that's an interesting
one. There's a bunch of folks I love in this. Mark Miller. Mark's awesome. He runs DevSec, All Day DevSecOps, All Day DevOps, whatever the hell you want to call it. He is really spearheading a ton of trying to get development, security, and operations to work much more collaboratively together. That make sense? So Mark would definitely be one. I mean, but there's so many people. You've got one standing at the back. Kathy took a fucking flyer and said, hey, let's do a talk. What do we do? We did a talk. What is she doing now? She's kicking ass in this industry. Justin Whitehead, he's running around here somewhere as well. We took a flyer on him five, six years ago. He's kicking ass in this industry. I look up to him because
he took, he just took the, the, what was given and just made the best. And he's kicking ass. I know there's so many good people in this industry. Jack, wherever Jack's running around in a multicolored suit. I love him. I mean, he's like the grandfather of our industry. I don't know who else. I mean, there's so many good people. Hello. Katherine, I mean, God's sake, do you know how much freaking effort it takes to put on this kind of stuff? Anybody that runs like a local B-Sides chapter needs to be cuddled and hugged and probably fed alcohol on a daily basis. Yeah, I mean, that takes so much freaking work. I look up to those people because that takes a ton of dedication and work. And there's so
many other good people in this industry who have managed to effectively bridge the gap from the technical industry to the business side and who are doing some amazing stuff. Ruben over at IOActive, I mean, some of the research he's put together over the last couple of years is amazing. No, really, stop now. All right, I better shut the hell up, otherwise I'm getting yelled at. Did that help? Awesome. Thank you very, very much, everybody. We have alcohol while you're getting set up. Would you like some as well? I better shut up, haven't I? All right, get up here and get alcohol. Put it outside so that she can do her talk. That would be great. Yes.
Okay, so we've had a really great kickoff. So thumbs up for Chris kicking it off this morning. Woohoo! And so sorry to kick him out, but you know, we're on it. You know I love you. So what's great about being part of B-Sides is that
you have the opportunity to submit a talk. And it is the community who evaluates the quality of the talk. And I'm going to remind everyone that we're having a content session, so please have your conversations at a low volume, please. Thank you. And so Sarah submitted this talk, and I thought it was great as a follow-up to Chris, because we keep hearing more and more about the nonlinear career paths. And she had a really great idea and background on this, and so I'm going to turn it over to Sarah for her career path talk.
Can everyone hear me? Yeah, good. Okay. So, for a start, totally feeling pressure because I don't have alcohol or fluffy toys to give out, but
I do have stickers. And I have Clippy stickers. So, that usually goes down well with everybody, so we'll go with that. But I want to say thank you for coming to my talk. I really appreciate it. It's really cool to be in Vegas. I've never been to Hackers Summer Camp before, so this is my first time. Yeah, and this is my talk about, talking about nonlinear career paths into InfoSec. I'm basically mostly going to tell you a little bit about me and how I came into InfoSec, I wanted to share the story of how that happened, cuz mine is slightly non-standard. And I hope it will encourage other people who've done the same to share
theirs. Really quickly, who am I? I am an Azure Advanced Security Architecture Global Black Belt. That is genuinely my job title. You can think of that as what you will. Obviously it means I can tell people I fight hackers, which is kind of cool. I don't, I'm solid blue teamer. I really don't fight anybody. But yeah, I work for a small startup called Microsoft. You may have heard of them, I don't know. And I'm based in Australia. I'm based in Melbourne, which is down here, if you don't know where it is. So there's a quick geography lesson. I'd like to see if I've come the furthest when I come to conferences. I'm not sure I
have. I'm sure someone's come further than me. But Melbourne's quite a long way away. And I also need to apologize because my flight got canceled and delayed by like 12 hours. And so I came in very late last night. So I'm kind of dying a bit. So don't mind me. Another really quick note of caution, I have a very common first name and a very common last name. You'll see Sarah Young, the Christian author. This was her, I found her book when I was in Hawaii last year. I didn't buy it because it was $30 and I'm cheap, but, and not religious. No offense intended to anybody who is, but I'm not, so it probably
isn't worth it. And yeah, the other thing I can't put up on a slide, if you Google my name, is there's also Sarah Young, the late 80s porn star. It's true, I'm not joking, so do Google that with caution, or Bing, I've gotta say Bing, right? Please Bing with caution. I work for Microsoft. And really quickly, I always cover this off when I'm in North America, just because it's something I seem to get asked a lot, which is, this can kill you, this Australian animal can kill you, this funnel web spider can kill you, this jellyfish can kill you, this crocodile will kill you, this really ripped kangaroo will also kill you. And I don't know, cockatoos drink beer apparently. A lot
of people ask me about living in Australia, and yes, it's true. Everything in Australia is trying to kill you. So yeah, if you'd like to talk to me about that afterwards, please do. The reality is, if you live in one of the big cities, you never see any of these things, but there you go. So moving on to actually what I'm going to talk about today. I've probably wasted a good four or five minutes of my talk. I didn't have a standard start in IT. I don't have any tertiary qualifications in IT, but I've been working in IT and infosec for like the past 10 years or so. So I want to do a
couple of things with this talk, which was tell you my story about what I did and how I ended up in IT, and then also give you an insight into some research I've been doing about diversity in general. Now, I'll say right from the word go, my research is not scientific in any way, shape or form. It would not stand up to scientific methodology. It's based on me talking to people I know and colleagues, and my experiences in the various different workplaces that I've worked in. So don't ever come and talk to me about how scientific it is, because it's definitely not. But it is a snapshot, and I think we work in such
a big industry and there's so many different people and backgrounds that it's always good to get these different snapshots. So, yeah, that's what we're going to look at. And I also wanted to look at is there a standard path into information security? You know, lots of people come in from lots of different places. And how do these diverse candidates that we have influence the workforce? And then on the other side of things, there's also the side of hiring managers. I don't know, is anybody here a hiring manager or has hired people? Sweet. You know, these, you know, and you'll probably well know, in fact, I've definitely had a discussion about it with people already in
here, that it's really, really difficult to hire diversely, even if you try. There are challenges around that as well. So I just wanted to talk about that. I'm just one lady who's done a bit of... done a bit of research, so don't hold me to it. It's just a snapshot. Your experience may be different, and if it is, that's awesome. You should talk about it as well. Get up on stage and talk about it. Anyway, so I love the fact that now I work for Microsoft, I get to use the cute little bit raccoon drawings. I'm actually not a dev advocate, and I'm officially not allowed to use them, but whatever. Okay, this I only
decided to put in my slide like 15 minutes ago, but this is me when I was 10. It really is me. It's such an awful picture. My mom was supposed to send me a nicer picture and she didn't, so I had to get the one I had on my phone, but this is me when I was younger. I'm about 10 in this picture. I was big into video games. I was big into computers. I managed to fix a printer jam when I was seven. Very proud of myself. And my dad taught me to change CONFIG.SYS and AUTOEXEC.BAT in MS-DOS so I could change the processor interrupts on a game so I could actually
get the sound card to work. Didn't really understand what I was doing, but I was copying him and I was smart. Oh, I thought I was smart. What I used to do when it became obvious I was quite interested in video games, when the internet was in its infancy, I used to download some totally legitimate copies of Pokemon games onto an emulator, and I learned hexadecimal from hacking the... from altering the codes and using the built-in GameShark. That's how I learned hexadecimal. As we know, hexadecimal goes to 256. At that time, we were on the second generation of Pokemon, so we could go to 251. So all the variables were just in one line of code. That's really cool that I actually know that and I can
tell you for a fact, if you look at Pokemon Gold, Silver or Crystal, that all the Pokemon are filled up, unsurprisingly, till slot 251 and then the next ones are empty and full of glitches. That's cool, I know, but that's kind of how I started messing around with hacking things and changing things etc. When I went to high school or secondary school in the UK, here's a picture of me. I literally couldn't find one again. So that's me with a vending machine, which is terrible, I know. I used to fill up the vending machine. It was my job when I was in the last two years of school. So that's why that picture exists. When
I was at school, I actually didn't do IT. I was supposed to do IT, but I fell out with my IT teacher because I wrote some... We were learning how to write websites, and we were writing HTML, really, really good HTML, very basic, but I wrote a website that said, we hate my neighbor. We were doing it as a joke. We both wrote the same website. My IT teacher got to me, saw it, dragged me out of the room, and told me that was the terrible thing about the Internet, and she was going to kick me out of IT if I ever did something as terrible again. By the time we got back into the
room, my friend, who had twigged on to what was going on, had changed hers to the We Love Sarah website. Cow. And so, yeah, so I didn't do IT for a couple of years at school purely because I fell out with my IT teacher and she threatened to kick me out. Yeah, but I didn't want to commit to it at a degree level. So I did go to university. Here's me graduating when I was 21. And I don't know if you can read that on the screen, but I actually graduated with a history degree because that was the obvious choice for someone who was very technical. The reason I did history, my... My logic for
doing history was that I didn't have to commit to anything and it was general and it was solid academic and it would be great and I wasn't really committing which was my main thing. However, it did become apparent in the first year of my degree that I really, really couldn't stand history and I really didn't like my course mates. We didn't have a lot in common and I basically spent most of my time messing around on the internet. I mean, that's not different to any student ever, I know, but like... I spent a lot of time messing around with IT stuff anyway. I was going to quit my degree and start again, but in the
UK at this time, they just changed the rules. I know this is very different to other places in the world, but it used to be in the UK that you would pay £1,000 a year for tuition fees. Bargain. And they changed it the first year I was in university to £3,000 a year, and if I'd have quit and started again, I would have had to pay £3,000 a year and I didn't want to. So I just finished my history degree. Yeah, so that's why I ended up with one. I wasn't failing it. And, you know, I mean, my dad always said that if I'd actually turned up to any lessons, I probably would have done
better. And he's probably right. But there you go. Next, I did a gap year. This is me in New Zealand. I went and worked in a school. A gap year, I know, in North America is not so common, but if you're not familiar with the concept, essentially, you take a year off either before you go to university or afterwards and go and work or do something or just travel, and it's really fun. Again, I'm basically not committing to doing anything. I actually signed up to do a law degree as well, a law course when I got back so I could be a lawyer because I thought, "I've done history. Law sounds good." But when I
was in New Zealand, because I realized we're getting to a where did you end up in IT, Sarah, I actually ended up doing a lot of IT work, an awful lot of IT work for the school. And when I came back from New Zealand, I really missed it, wanted to go back. And the only way I could go back was to get skills, Sarah was told, because my visa had run out. And I was told that if I did law, because law is very specific to each country, and I wouldn't be able to move with it. So I decided I would go back to IT. And that's literally the reason I ended up back in
IT. Because we can see here, how the heck did you end up in IT, Sarah? Because so far, I've done nothing technical. I didn't do an internship. I want to stress as well, by the way, I'm not saying this is like a recommended path. But I haven't done an internship. I have no tertiary qualifications. I haven't done any work experience. I did work experience in a cake shop. I really like cake. Genuinely, I told them I was interested in hospitality, but really I just wanted to eat free cake for two weeks. And I did. It was great. As you can see, I've been very career focused my entire life. But I decided that I really
wanted to go back to New Zealand. And to go back to New Zealand, I needed to get a job in IT. So I got my first IT job. I worked on the service desk. I actually found a picture of me and my team from like a long time ago now. That's me and my team on the service desk. All I did was pick up the phone. I didn't know what I was doing. I remember a lady rang up and was like, I want you, I need you to help me with my MPLS phone. And I was like, what? I have no idea what that is. And also, now I actually know more about that. I'm
like, what the fuck is an MPLS phone? It was VoIP, but I've never heard anyone legit refer to it as an MPLS phone, so there you go. Anyway, I worked at this local IT company around the corner from my parents' house. We did managed DSLs, managed backups, and hosted things in the data center, which is where I learned to do hands and eyes, my Cisco CCNA. I did ITIL, good old ITIL Foundation version 3, and something called an SDA certificate, which is service desk analyst certificate. I have no idea what it is. It's probably expired now. But that's where I started off. And I talked to a lot of people who say, even graduates,
I mean, I was a graduate, remember, you know, will say, oh, you know, I need to do something more than an IT job. I shouldn't be on Service Desk. I should be doing more than that. But, hey, that was where I started, and I really don't think there's any shame in starting on Service Desk. You learn so much stuff from working there, and you also learn how incident response works, et cetera. I worked there for a couple of years and then I got a place on the Accenture graduate scheme in London, which I was very lucky. I'll point out to everybody here, so pretty much every company I've worked for, I have been rejected from
at some point in the past. Accenture rejected me, Ernst & Young rejected me, pretty much every company I've worked for, well, maybe 60%. Microsoft have rejected me before for a job. The other thing I really want to stress is that if you get rejected at some point, it doesn't mean you will be rejected in the future. So do remember that. It's really, really important. Anyway, so I work for Accenture in London. This is me at our training in Chicago. This was the first time I'd ever been abroad for work. And I'm like 22, 23 there. And I was super excited because I thought this was very glam. Nowadays I travel for work literally all the
time and have realized it's significantly less glamorous. But at the time I was very excited. When I worked for Accenture, I used to do a lot of infrastructure transformation. I got flown all around Europe. It was very, very hard work and really difficult, but I did learn a lot. It was great. And that's when I got a lot more technical. And finally, I had enough skills to go back to New Zealand after about three years of doing that. So I went back to New Zealand. I got a job with Ernst & Young. They told me that I would be doing exactly the same things in New Zealand. But no, that was not true. When I
got to New Zealand, they were like, hey, we don't actually do what we said that you will do. And we don't really do that infrastructure stuff. But you're technical, right? And I was like, yeah. And they're like, go work with security. And that's how I got into security. Completely by accident. Very lucky. Yeah. Because I realized, in fact, security was then just, this was 2014, so it was really, really picking up. It was starting to just go on the upward curve in terms of awareness, et cetera. Yeah, that's how I ended up in InfoSec. And then I worked for a bank. I worked for an AWS partner, hello AWS. And now I work for Microsoft.
I probably shouldn't, hi Microsoft, even though you're not in the room, I should probably like wave at my current employer as well. Yeah, so that is how I got into security. IT and how I got into security. It's not -- I don't want to -- I realize -- I want to say I overcame so much adversity. It isn't really true. I kind of stumbled around and was a little bit lucky. I did work really hard, particularly when I was doing the service desk job because I had a massive gap in my knowledge. So I did a lot of technical certifications in my own time. So I realized like me kind of gliding through it at
this makes it a little bit more glamorous. I mean I did spend my life, I had my own lab, I had my own lab in my bedroom doing my CCNA and stuff. So you know, I don't want to make it sound super easy because it's not, and as we all know, this is a continual learning thing. To remain relevant in IT, I mean now I do cloud and Azure. The stuff I did 10 years ago is almost completely irrelevant now. It's good for a background knowledge, but one of the things that really strikes me about being in this industry is just how much we have to keep evolving. And in a way, that's really,
really great because it means you're continually learning, et cetera. But particularly for people who are trying to enter the industry, like the stuff that we know now, that we're dealing with now, in a few years will probably be obsolete. So it's always, if you can get the right wave at the right time, it's a really good way to get in to the industry in my opinion anyway. Again, one woman's opinion, it's all good. So that's my story. And then I wanted to talk a little bit about some other paths into InfoSec. Now I see this as the kind of four main routes in, which is tertiary training in information security, computer science or
something similar in some kind of tertiary, I always say tertiary rather than university because I know there's a lot of different university things. There's a lot of different other things that aren't necessarily university or college out there. So I'm trying to kind of encompass all of them because I don't discriminate, I don't mind. A lot of us of course traditionally would try to transition from another part of IT, which is what I did, and then there's on-the-job training like apprenticeships. I think these are still really the main routes into information security. They're not exclusive, but I think the proportions of where people are coming from have changed. Again, you may have seen different to me. I
think this tertiary training in information security is very, very new. I mean, universities and higher education institutions have only really started offering them in maybe the last three or four years. Definitely in my part of the world, they're definitely only the last couple of years. We're just seeing InfoSec graduates coming now, so like three or four years down the line from those original courses. Computer science, that's been around a long time, a long time, and so I still think a lot of people come in from there. People are still transitioning from another part of IT, and that on-the-job training, the apprenticeships, that's again quite new, but I think this trend towards apprenticeships has been coming from really a lot of kind of a backlash from that everybody needs
to go to university and I don't think it's an IT specific thing but I think apprenticeships are really really useful and they do lend themselves to certain careers and I think IT is one of them so it's definitely something we should be looking at. What's your standard path then? Well based on again my entirely non-scientific research I would say maybe. In general, the older you are, the longer you've been in industry, the more experience you have. I've just realized what I've written on the slide. Oh, my God. The less likely you are to have formal training in InfoSec. And that's just because it's only become really a specific focal point very recently in terms of training. We know now if we remove the tertiary things, we've also got things
like Security A+, CCNA Cyber Ops. There's loads of brand new security qualifications popping up, loads of them. And that's only really recent. And as I said, it's only become very formalized in the last few years. And I reckon that, again, based on the people I've talked to, the things I've looked at, about 50% of people in InfoSec have a Comp Sci degree. That seems to be my completely non-scientific research, so take it for what you will. Let's look at the who and the what of diversity. So who in here considers themselves to have had a non-linear path into InfoSec? Pretty much everyone. This is why it's so difficult to try and standardize this. That's great.
Loads of people do. I think we don't really truly have that kind of linear standard way in. And that's good because it means we get lots of diverse people. There are so many real life stories. I can't talk about any of them in detail just because of time. But these are some people I personally know. Like a lady came from business continuity planning, which is kind of a decent segue in. Lady who was a nurse and retrained. And there's also accountants. Now, accountants I always think are the funniest ones to go into InfoSec. Now, largely they go into GRC. But I know an accountant who went in as a pen tester, which is very different.
Yeah, I know. I know. I've got surprised faces there. So there's all kinds of things you can do. I just wanted to put up an accountant picture because it amuses me because I work for a big four. These are just a few of them. Like I said, don't have time to go into them in a load of detail, but I'm sure, but they're all great people. I know them personally. They're great people. They're great InfoSec people. And they got into InfoSec because someone gave them a chance. They'd done their own things. They'd done things online and in the community, but essentially still they needed someone to give them a chance to get their first foot
in the door. And they're great people. So we need to do more of this, but it's hard. And looking at the influences of these people, again, I could go into this forever, but generally people's managers and teams would say that engagement's higher. This is stuff you probably already know. Diverse teams make for diverse opinions, and that's a good thing. And it's a bit of a domino effect as well, as in... When you start having more diverse teams, those teams become more attractive and then you get even more diversity. I'll just say as a quick note, when I talk about diversity, I often talk about gender diversity just because that's my personal experience of that in
IT. I realize that diversity has many facets. I'm trying to be inclusive, but I might keep saying gender, so apologies, but that's just my personal experience. I mean, talking about my personal experience, having more ladies in the teams, in teams that I was working in, is definitely a really good way to encourage more people to come in. It takes a particular character of person to be the only woman or gender fluid or whatever person in a team. And not everyone's got that personality. And that means that you might miss out on some really great people because that shouldn't be a deciding factor on whether you take people in. I'm not saying I've got an answer
for how to deal with this. I'm just kind of talking about it because I just think we need to talk about it as much as we can. So we actually start to formalize some of this thinking. On the other side of things, though, it's not always positive. I've had bad experiences. I'm sure plenty of people in here have as well. Like, the journey to diversity is not easy or straightforward. You can still have, even if you start introducing ladies, there's, I'm going to, like I said, I'm going to say ladies, but again, we're just talking about my experience. If you become the token female, that can make you not feel good as well.
Like no one wants to be the token diversity hire. So it's a really difficult thing to manage. And you can also end up with cliques. I mean, I had to put Mean Girls up there because, you know. Yeah, I know. It's totally appropriate. And again, so it's not just a case of, oh, look, we've hired someone for diversity. Now we have to leave it. This is a constantly evolving thing. You need to be working on it. Managers need to be working on it. It's very slow and you might take two steps back at some point. I know, even if you hire, like, say, a couple of women, if you've got kind of a strong,
for want of a better word, bro dude culture, that's not just going to get got rid of by hiring a couple of ladies. So it's a bigger. So we don't. I think sometimes there's a danger, particularly maybe in larger organizations, that we're just doing a tick box. Oh look, we've hired a lady, we've hired someone from some other kind of background. It's not good. To give them their due, looking at the hiring manager's perspective, where do you start to create more diverse teams? How do you start? It's difficult. And hiring processes, traditional hiring processes, particularly in big organizations, lend themselves to accessing people through more traditional pathways, which aren't necessarily where you'll get these diverse candidates from and these nonlinear candidates who've come from other places. And
then, as I said before, you've got this danger of this token hire perspective. So what do you do to access the right candidates? What do you do when they don't apply? I think sometimes positive discrimination isn't always effective. There's a couple of organizations I've worked for where you had to shortlist at least one female for a job. And if you're a manager and no female applies for the job... How can you do that? And also, I knew, again, in a previous role, I know a manager had to shortlist a lady purely to tick the box that he shortlisted a lady who didn't actually have the skills required. And, you know, that's not fair. It's a waste of time for both the organization and the actual individual. So, again, I'm
not saying I have answers to this because in some ways positive discrimination is a good thing, but there are downsides to it. So I'm more just... Encouraging you to think about it. And job descriptions still discriminate against nonlinear candidates. So we know, I spent like an hour trying to find some of these examples, which clearly I couldn't find when I was writing these slides. But we know that you can have things like junior InfoSec analyst requires 10 years worth of experience. I mean, come on. So really think hard about your job descriptions and how you write them. I know that often if you're a hiring manager, you're either getting a standard template or you're just
doing a brain dump of everything you want. And we know that, particularly with ladies, there's loads of research around how women will only apply for jobs if they've got 90 to 95% of the qualifications and dudes will do it at about 30. But I think we need to, I think there's two things. We need to encourage people coming from different backgrounds to be more confident. But also I think we need to be more mindful when we're writing these job descriptions because we're kind of excluding people without even realizing it sometimes. I think I'm nearly done for time. So again, my conclusions. Just a couple of things. Celebrate your nonlinear path to InfoSec. If you didn't come
in in a standard way, which basically none of us did, make sure that you celebrate that. There's no shame. I have no computer degree. Everyone laughs when I tell them that, but I really don't. There isn't a standard path, I don't think. I think it will become more standardized, but... But, you know, and of course, you know, there's the obvious places to look. Look at universities, look at colleges. But don't discount maybe trying to find some other people. And it might take more effort to find them. Hopefully that's going to change as we kind of progress this diversity thinking. But I don't think we're there yet. And diversity and breadth of experience makes teams more
engaged. I haven't got to talk about this nearly as much as I wanted to, but hey. And don't forget that hiring in a diverse manner is hard and can take time. It really can. This diversity thing is not going to fix itself really, really quickly. It's a journey for everybody. And I don't think anybody's got it right yet. So I think we're kind of all muddling through it together. It's a bit like DevOps. Same thing. No one really understands how to do it properly yet, I don't think. So don't beat yourself up. Keep going with it. I really encourage that, particularly if you're a manager who's had a load of diversity targets just thrown on
them by upper management. Because I think that's kind of a bit of a... I think it's a difficult thing. That's me done. Did I click? Yes, I did. I put up a couple of things. Microsoft is big on diversity in tech. It's not a plug for Microsoft. There's plenty of other things out there, but I put a couple of links up. I have a ton of stickers and leaflets. Feel free to come and get them. And thank you ever so much for listening to me. I've never done this talk before, and I'm horrifically jet lagged. So I really appreciate you listening, and thank you very much.
I'm one of those older workers. For the rest of the crowd. I'm one of those older workers that you referred to. I took my gap year after about 30 years in IT. So now, you know, when I saw the title nonlinear, that seemed to fit kind of where I'm at. And I wondered if you had any thoughts on people who are looking for not necessarily 100% full-time jobs, career positions. It seems like your talk was more about the getting into the infosec space from different starting points, but for someone who has been in IT for a while, has gone out, now is looking for something to, some way to contribute still.
That's a good question. I think there's a lot more focus, at least in larger organizations, but actually I think
even smaller ones, in flexible working and part-time stuff. I guess it would depend precisely on what you were looking for. I know a lot of companies, at least down in Australia and New Zealand, are really big on job shares and stuff. So if it's a job, because we know there are some jobs that don't really lend themselves to being part-time, and I would say actually security possibly is one of them depending on precisely the role. And a lot of companies are big on doing job shares now. One of the companies I used to work for, their head of security awareness, so a pretty senior role, is now a job share
as well. So two ladies do it part-time. Yeah, they both do it part-time, but it's the same role. So there's stuff like that. I think there's also, if it's a small, I say that big companies have more flexibility with that, but I also know that if you look at more boutique firms as well, they would probably actually, if you could connect with them, they'd probably be able to have a discussion and see if there was something you could do. Again, I'm very much focused on my side of the world. I know kind of the states here is a little bit different, and the way employment laws are super different over here. Like, you guys only
get two weeks holiday. Oh, my God. Paid leave, crazy. But I think there's such a shortage of workers that if you're qualified and you know what you're doing and you've got something to offer, I think as long as you present that in the right way, there's definitely, like, a discussion you can have with people. But... Again, that probably comes down to more networking and stuff as well to get yourself in front of the right people.
Our concierge is right there in the orange. She can help you, direct you to a resume reviewer or a career coach. We also do have three ring binders that have all of the bios of all of the different career coaches. So you may find someone later on today that you want to
meet with. Thank you. And thank you. I have loads of random stuff. I should get all of my cards in the room. Damn it. Oh, I know. I'm so going to run out of these, but let's see. I'm going to say I have Clippy. What do I have? I have all the diversity stickers. They're good. I have so many stickers. Yeah, you have a gap year. I know, I know, I know. It's like, what's that? We don't know this here in the United States. Yeah, I know. That's why I explained. I was like, ooh. So much freedom we have. Yeah.
Test, test, test. Hey! Thank you, sciatic nerd, for being AV superstar. Thank you. Woohoo! Let's give it up for Steven. Woohoo! So thank you for coming for the afternoon shift of Higher Ground. As you know, this is the most integrated, leveraged, interconnected career track happening during Hacker Summer Camp. Because what we do is we bring really great content sessions. We have phenomenal, involved... employers and then we have resume reviewers and career coaches. So nowhere else in Hacker Summer Camp are you going to get this kind of career support. So let's give it up for everyone in the room that's volunteering. My name is Kathleen Smith. Yes, it's Kathleen on Twitter. I've been doing this for almost five years
because it's my passion to connect job seekers with employers and for me the biggest challenge is that we have a failure to communicate. But I think one of the really key things about learning how to communicate your passion is to find your passion. Understand what your passion is about being involved in this community. It can be everything from connecting people to solving problems. So some of the things about being in Higher Ground is that while content sessions are going on, we ask people to have their conversations at a lower level. I'm going to point somebody out, maybe. But we have really great resume reviewers. They can still talk to you while the session is going on. We also have really great exhibitors. They've just agreed to keep it
at a lower volume. As I mentioned earlier, the community submits talks. So these are not, I have a really great idea, I have a really great story, and I want to share it with the community. We had a really great selection of people who submitted and it was really hard to select. But I was really excited about Sherry's presentation about finding your purpose. Because a lot of us go for our careers and we sort of go through these steps. And we just go through these steps because we think we're supposed to go to the next step. But as you've heard from today's discussions, it's really about connecting, finding your passion, solving the problems, asking
the next question, connecting with the next person. It's really about being passionate in the community and finding out what you can do next. So without further ado, Sherry, tell us about finding your purpose in cybersecurity.
Thank you. Thank you. My name is Sherry Burgett. I currently work with the Mining and Metals ISAC, which means that I work with many mining companies to get them to work together. And I work with governments and countries even sometimes, helping them with their overall strategy. So I get to work with a lot of moving parts and I get to meet a lot of different people at various levels, whether in their cybersecurity career or within their own company and
organization, their maturity level as they try and build their own cybersecurity programs. So here's just a brief overview of what we're going to talk about today so you can decide whether or not you want to sit in these chairs for the next 20 minutes. Let's stop pretending that there's a defined career path into the cybersecurity world. I'm going to share a couple personal stories about how I got in. I'm going to talk about how you can customize your education to get to where you want to be, and focus on your strengths and your interests. And we're going to talk about the gaps that are definitely apparent to everyone in the industry. If you've spent any amount of time in cybersecurity, you know where those gaps are. You know
where point A and point B do not connect. And we're going to talk about how to find a mentor, how to connect with the people that are going to help you grow as a person and introduce you and find opportunities for this career. So it all started at DEF CON. I was a stay-at-home mom. I had not worked for any employer for 15 years. I decided on a whim that I wanted to go to DEF CON. And the only way that I could afford to get there was by bus. And it was a four-day Greyhound bus trip. And that bus trip was incredible. If you've ever taken the bus across country, you'll know how many people you meet at the back of the bus that will share with you their
personal stories. And so as I'm telling them where I'm going, they're sharing with me where they're going. I got to meet people that were just getting released from prison that hadn't seen their families in 20 years. I got to meet a family that was traveling around the world from France that decided to take a short jaunt across Arizona. And so I got to meet all of these people along this journey, which finally led to DEF CON. So after I got off the bus, I went straight to DEF CON and got my badge and sat down in line. The very first person that I saw and met and talked to, I got to share these stories
with. I got to tell them why I was there. It wasn't like he gave me a job on the spot or said you need to work in cybersecurity, but I got to make friends at this conference. And so for the next three years, I came back to DEF CON. I wasn't looking for a job. I was just kind of looking to be around what I felt were my peers. I wanted to be around smart, intelligent people. I wanted to have fun. I kind of wanted to start a little mischief when I could. So that was six DEF CONs ago. After the third DEF CON, the first person that I met said, why aren't you working in cybersecurity yet? Why haven't you gotten off your butt and gotten a
couple of certifications and gotten in? And he was right. And so what is my background anyway? So my background originally was theology. And so that's why I thought that this... A reporter picked up on my story, and I think the headline makes some good clickbait. So theology is the study of ethics and personal beliefs and how those beliefs affect society. You wouldn't think that that's the obvious crossover from religious studies to cybersecurity. But if you start thinking about cybersecurity as more of a human problem, tracking organizations and groups, you start to see that maybe somebody with a broader worldview could perhaps draw some connections that someone who is more technically focused would miss.
So, when you're creating your own path, you still need to get the right training. And that training may be the traditional, you know, cybersecurity degree. It may be various certifications. But what's going to help you fine-tune what you need to do has more to do with what your interest is, what your background is, what you're looking to do. And that's why getting a mentor and talking to people in the industry matters, to find out which certifications are actually valued and what employers are looking for. And it's okay to be different. It's okay to be the outlier, because it's often those outliers that get the job. One program that I am currently working through is an interdisciplinary studies degree, and I'm working with the
University of Maine at Augusta to develop a cyber intelligence program with concentrations in psychology and political science.
So I work for a nonprofit; an ISAC is a nonprofit organization. We don't have any goods to sell. Our services are member driven. One of the things that I have learned is that most of the cybersecurity world is very profit focused and profit driven. And so your needs are whatever the vendor says you need, because they can sell that product to you. But oftentimes the things that make a difference you can't sell. The things that make a difference are people, you know, basic hygiene. Basic hygiene doesn't cost a lot of money. Your vendor for your system has actually already included patching in the cost of the license.
So when profits are off the table and funding is tight, we started our ISAC with five companies who kind of believed in a dream. And they brought me on board and said, "Okay, this is our dream. Let's make it happen." But what we didn't want to do is we didn't want to ask for government funding because we wanted to maintain control of where we went. And so funding was definitely tight. And this sort of ended up with a journey for us to define what we could do as a small organization that would make a big impact. Things that we focus on are human factor security, both adversaries and defenses. So I like to profile groups and
organizations, but I also like to identify what's going on within an organization that leads to some of these pitfalls. I help companies and yes, even some countries develop a cybersecurity strategy, because there is very little support in this industry on developing a strategy. That is the CISO's role, but nobody really has figured out how to do that effectively yet. Getting some CISOs with experience together and discussing it is a way that we can start creating what these best practices should be. And innovation support: I work in an industry that is on the cusp of digital innovation, and cybersecurity is often seen as an afterthought. They give you a shiny new product, now how do you
secure it? And so what we've been promoting is secure by design. We've been promoting bringing your cybersecurity guys to the table as early as possible in the development stages so that we can talk about security and talk about how we can support them through the innovation process. So where do you fit? Your challenge is to think about cybersecurity differently. Everyone has an idea of what cybersecurity is, and a lot of people think that it is SOC analyst, pen tester. But cybersecurity actually involves so much more. We are not talking about, you know, war games, kid versus kid. We're talking about business versus business, corporate versus corporate. The bad guys are big
corporations, with office buildings, and they have planning, and they do their own tabletop exercises. You know, they have a sales force that is fully trained to help their people become better social engineers. So we're thinking about cybersecurity wrong. We need to have a much bigger overview in order to support it. And definitely the most important thing that I want you guys to get from this is that you need to network with people. The only way that you can get into this industry is not by following some predefined path. That path doesn't exist, and we're giving each other terrible advice about it. We have very well-intentioned people who are cybersecurity professionals who say, if you do A,
B, and C, you'll get to D. And that's not the case. And I'm not sure where I was on time. There were some questions. So can you talk a little... Okay. So, okay, so I work for an organization that, well, mining and metals was actually kind of late to the party as far as cybersecurity, because they were largely an ignored field, and so no one was really after them. Nobody attacked them. They didn't get hit with anything, and so they didn't really invest very much into cybersecurity until a few years ago. And so a few years ago they were hit by a financially motivated threat actor that hit a series of mining companies. And so these mining companies
decided that they needed to get together and work together in order to combat this, because the problem was bigger than any one company should be defending against. So, well, yes. Yes, absolutely. Natural resources. Part of mining and metals is also oil and gas. And critical manufacturing is a part of that as well. But a lot of these weren't hit until everyone was getting hit. And so as cyber threats were ramping up, they were also at the same time creating an environment where they were opening the doors, per se, because of digital innovation. They were connecting more to the smart grid. They're connecting more, they're doing things more remotely. And so this organization sort of came in right
at the perfect time for these guys to decide, oh, we're gonna solve this, we're gonna solve it together, we're going to collaborate, and we're going to work on these projects, we're going to conduct the research necessary to do it. How did I get the job? Well, after a series of DEF CONs, I went home and I studied. I got certifications. I enrolled in college classes. But the people that I knew, that I met at DEF CON, knew my background, knew what I did, and they decided, "Oh, you're ready now. You're ready to help us put this organization together." And they wanted me because I had a different background. Any questions for Sherry? Just on the mentoring concept, how would
you recommend someone who's, you know, we know about students, they've got professors, they've got internships, someone who may be like your kind of age, our age, you know, how do I go off and find someone to sort of say, you know, if I was brand new to this industry and I was coming to DEF CON or B-Side for the first time, who do I turn to? So, absolutely, and I think cybersecurity is a perfect second career. I believe that you have to come to these types of events, and you have to talk to people. You have to, and I'm willing, I've actually put myself out there as well, and I know other people who have gotten into the industry in a similar fashion where they were
sort of mentored in, have returned the favor by doing it for others.
Iced coffee, cream, sugar. Oh my god. More sugar in case I didn't do it right. You did it perfect. Thank you. Thank you so much. That's awesome. That's a reward for ending 10 minutes early. I am very brief. When you submit a talk to any B-Sides, well, to B-Sides Las Vegas, there is a question in the proposal that you submit. Outrageous request.
Yeah, he brought me napkins. Well, now my question is, was that your outrageous request, to drop a cup of coffee in front of everyone? So there's this thing: I get to travel all over the world, and there is sort of a tradition. I have two traditions. One of them is I want to go to a McDonald's in every country so I can order off whatever their crazy menu is. And the other one is I want an iced coffee, and they never have it. So my original question was, are you still coming to DEF CON by bus, or have you upgraded to an airplane? So I have upgraded. That was a one-time experience, but I actually wouldn't have had it any other way, and
I'm not sure that my experience would have been as good had I not had the four days of social engineering practice. It was a good warm-up. Oh, so that was from Alabama. I no longer live in Alabama. Hey, how about at Rochford? I'm sorry it slid. Yes. Let me turn it off.
Thanks so much for the talk. I'm sorry about your coffee. Sherry, do you want to take these? I do. Thank you so much. I just wanted to say thank you.
Thank you.
Thank you. Thank you. Okay, so, we're eating. Okay. I'm a Marine wife, so good afternoon. Sorry, as you all know, we've been having AV problems all day. So there's a reminder: we're having a session going on, so we're going to ask for conversations to be lowered. Thank you so much. We won't call out Tenable for loud conversations. So no, you don't get a t-shirt. So as some of you who follow me on Twitter know, I'm a Marine spouse. I've served in the Marines as a spouse of a Marine captain for the last 25 years. And one thing that I've really tried to do with Hire Ground is make sure that we invite the veteran community to hear about other
people's stories, but also hear about unique stories about funding their own companies or finding their career or changing careers. Somebody I interviewed was a hospital corpsman in the Navy, but then because of his home lab that he was building, he ended up leading a cybersecurity practice for a major DoD company. So it's always great for me to hear that story. We also, Hire Ground and the B-Sides Las Vegas Board, voted to provide at least five veteran badges so that veterans can come in and experience the B-Sides community. Totally, you know, gratis for the community. I started that program also at Black Hat, so it's really a passion of mine. So when I saw this young man's, and you're young because you're younger than me, proposal about
serving in the Navy but then going through his career and then starting his own company and finding ways to fund it, I figured that this would hit two points within the community: people who are interested in starting their own company, and also successful veterans going on into a career in cybersecurity. So without further ado, thank you for your service.
So let me just take a look at the time. Can you all hear me okay? Deciding to be closer. All right. Is that a what? All righty. So I'm John. So hopefully you're in the right spot. So we'll be going over a whole bunch of stuff really quick, but I wanted to make sure I gave you all something tangible to take away. So I'm going to try to fly through this as fast as possible and still leave time for questions. And just to say, I wanted to use the phrase hack apart since it's so cheesy so many times. I used to have an email feed for the word hack, and then one out of every
hundred, it's like wife gets angry and hacks apart her husband. So I'm so happy I was able to check that off my bucket list. So first a little bit about me, because that's kind of the impetus of this talk. As I mentioned before, I was in the Navy seven years, had nothing to do with cyber. I was a Korean linguist. I was really shitty at that. I was then a Pashto linguist, which I was less shitty at, and then moved over into counter-terror, so the analysis side, and a little bit of cyber, but no training. I was a German major in college. And so, of course, when I got out during the first sequestration in
2013, I went to the corporate side because they said, "Hey, what do you know about computers and servers?" I said, "I speak Pashto." And they said, "Cool, you're hired. You should definitely come set up people's SIEMs." So I did that for a while, learned a lot of good things, spent about 11 months at a big firm, then moved to a startup. Just quality of life issues, right? Big firms are great, they have good money, but quality of life, work-life balance, not usually the best. So then I went back to the, well, I went to the Department of the Army, went back to the gov side, did some freelance stuff, went on the actual offensive side. So by
this time I had gone and gotten another bachelor's degree in something computer-ish, that was whatever. But I learned a lot of great stuff when I went back to Army Cyber. Like I said, working in the operations department. What I kept noticing is I really dug the mission when I was in, right? Because you're not worried about revenue, you're not worried about the bottom line for dollars, right? You're really focused on the mission. But it doesn't pay terribly great. And in true Army fashion, there was a pay snafu, so after like a year-ish there, I then did some more freelancing, did a startup of my own, and that's where I'm at now. So that's kind of
what it feels like day to day. But it's okay, right, because it's a little bit more fun and I actually don't work that hard. So again, so going back to why we would want to work for ourselves, right, so I kind of tried to focus on like do I enjoy every day? Like doesn't mean every day has to be like an amazing, like life-changing day, but there was a guy when I got out of the Navy during like one of the out processing briefs, he had been, I want to say a pilot in Vietnam, could have been Korea, but I'm not sure if he was that old, shot down prisoner of war, right, it's been
a while. But he would always, he was just like a super jovial guy, and he would always be like, I never have any bad days. Like some may not just be as good as others. Right. But he's like, I never have a bad day. And I was like, yeah, I'm sure after being stuck in a cage for months on end. Right. Like it shifts your attitude. So that's kind of what I set out to do when I spun off into my own company. I just really, I noticed I kind of didn't care when customers would call me and they have some SIEM that goes down at midnight
and they're like, "Hey man, we need the server back on." I was like, "Cool, but that could wait till the sun comes up. I don't care." But you can't really tell people you don't care, right? So I was looking for that balance. And so now kind of like the current state of affairs, I feel like the cybersecurity, cyber whatever realm has kind of redefined and reshaped and then a lot of us kind of blew it. So we said like, yeah, we want all these like super cool perks and we want to be paid a ton of money and we want all this really nice stuff, but you can work us to death, right? Like we'll
do 80 hours a week so long as like we feel like we're kind of in charge and like get to be like the coolest kids in the room. And we fell like right into the same trap, right? And that to me is kind of a waste. So I see a lot of people at these conferences, like big conferences, little conferences, I see a lot of people that have a lot to offer that are generally kind of marginalized for one reason or another. And it's generally the bottom line, right? Like the companies we work for generally like are there to make money. So that doesn't lend itself really well to doing stuff outside of the norm
and utilizing people's strengths, right? So enough of that, things could be better. Okay, so in this talk, like I said, I wanted to give you all something tangible, something to take away. So, funding sources. My goal is to give you all a strategy: where to look, who to talk to for these types of funding sources. I'll say grants a lot in this. It's not really grant money, and I'll show you why it's not really grant money, but for all intents and purposes it's grant money. All right, so when I wrote this, I was like, let's break down the big picture, and then I realized I'm totally not breaking down the big picture. I
am breaking down the offshoot of one branch of the big picture, but it's like big picture-esque. So, okay, what I'm gonna focus on are Air Force small business set-asides. This is kind of how it's laid out. So, within the DoD, within the government, there are things called SBIRs, right? SBIRs are small business set-asides. It is a pot of money that is given to certain groups, right? Everyone from like NIH to DOE to Air Force, you know, all the service components. Everybody usually has some way to get their hands on SBIR money. STTRs we're not going to go into. STTRs are for non-small businesses, but for people that want to spin off tech from research institutions, right? So from colleges or whatever. So
we're going to focus on SBIRs. Small business, need to be under 500 people, can't have a current contract for the tech you're soliciting with that agency. So you couldn't double tap the Air Force, right, if you already had a deal with the Air Force. And US owned for the most part, right, US citizens. Okay, so now under the SBIR umbrella, there are a couple groups, although this is by no means all of them, that are kind of like the tech accelerators, the incubators, whatever, the people that are supposed to go out and kind of make all the connections. And they've all come up at different times. And so some of them have a lot
of overlap, but some of them say they do the same thing, but they do it way differently. So the ones leading it: AFWERX, CyberWorx, I would say maybe now AFRL, which is research labs, Wedge is a smaller one, and then Kessel Run is a software, it's kind of a software partnership in Boston with the Air Force where they bring in industry and then they kind of co-locate and solve some of the problems. So if you're looking for what I tend to think of as some of the better ones, we'll focus on these. And then the subset of that is what kind of proposals, like what do their RFPs look like: open calls, traditionals. I'm
not going to get into the traditional as much. Pitch days: open calls and pitch days are almost the same thing, except in pitch days there's an in-person component, so I'm not really going to go into that. Just know that what I say applies to pitch days, just with an in-person component. So, an open call, right, we're going to walk you through a proposal for that. Make sure I'm still doing good on time. All right, so an open call. Generally the way these things worked on the traditional side was, hey, we have this problem. We need a red teaming tool. We need a whatever tool. We need body armor. It could be anything. What do you
have that can fit that need? Or what can you build us? And show us that you can build it. An open call is backwards. It says, what do you have that's super hot on the commercial side? And how can the Air Force use it? Now give us a pitch on that, and we'll give you a bunch of money. Or it's a bunch of money to me. We'll give you money. I guess a bunch is subjective. All right, SBIRs go in phases. Phase one: customer discovery, feasibility, which is like their catch-all term. They give you money for three months, right? It's usually a $50,000 or $75,000 cap. That doesn't mean you have to work full-time, right,
for three months, but it means in the three months you need to come out with an Air Force customer that's going to say, hey, I really dig what they have. I'm willing to do a POC on it, right? And so that leads you to a phase two. A phase two, just think of it as a paid POC. So when I first came across this, I was like, holy shit, this is awesome. Like who pays for a POC? Well, the Air Force does. And so the rough idea, 12 to 18 months, POC, it's about a $750,000 cap. You can get matching funds. So if people bring in investor money, they'll match it. So you can take
a million from an investor, and then 750 from the Air Force, if there's an Air Force customer that actually wants to do it, because remember, this comes out of Air Force research money, not the customer's money. So there's ways you can actually kind of exponentially grow your money on that. Should wrap up in a year, year and a half. You can do it for shorter. Some people do four to six months. It's a paid POC. Phase three takes it out of the green money, so out of the R&D money, and it rolls it into a legit GSA sole source contract. Key term there, right, is sole source, right?
Not open to other people to bid and snake you on your technology and the work you've done. You will own that for however long you negotiate for. So there's a little bit of work to do, but I will say this is like the easiest process. If you've ever been forced to do like a GSA RFP proposal, those are the worst ever. This one, the way you start, right, you've got to have a small business incorporated somehow. You go through getting a DUNS number, you get a CAGE code, get the SAM stuff. Not important what that is. Start with the SBIR site, I'll give you it, it walks you through all of it, right. The
legwork to get this is maybe like a day tops. The wait time, though, is like six weeks for the government to process all your stuff. So just keep that in mind. All an open call consists of is a 15-slide pitch deck. So if you're already a small company, already repping some sort of product, odds are you already have a 15-slide pitch deck. A five-page tech vol, which is not much of anything. There's a couple of boilerplate things, right? Background, you can expand on the tech if you need to. And a cost vol and some business info. Takes like 15 minutes. Phase two, so for that paid POC, same thing, 15-slide pitch deck,
15-page tech vol in case you really need to break out what you're doing, you need to include statements of work, stuff like that. Again, you're getting paid to do all this, so if you've already gotten to phase one, that's what you're doing in phase one, is writing this. This takes, again, like a day. The 100-second video, because I really suck at making videos, is by far the hardest part. And you have to come with a customer MOU, right? You come with an Air Force customer, like I said, that says, hey, this is super cool, we're not gonna pay for it, but we'll let you pay us, right, to then kind
of run a trial with this stuff. These are the sites, the two sites I would recommend. The top one, not to be confused with the other SBIR site, which I have no idea why the other SBIR site exists. This is the one you go through, it's the portal for all the stuff. You start to log in here, it walks you through all that other stuff I told you about. The second one is specifically the AFWERX version, it's just more explanation about what they're looking for. Oh, and Twitter, just follow these groups on Twitter, they all have a huge Twitter presence. All right, community and networks. Okay, 11 minutes. Community networks. So a big part of
why I'm in this now had nothing to do with me going out and knowing about any of this stuff. There's a group called DEF or DEF X. I really don't know if the X is still on there. I don't know how to explain it. They're a group. It's a lot of DOD. It's a lot of ex-military. It's a lot of current military. They don't really back vendors. It's just networking, but it's like everybody. It's kind of like the new mafia that wants to replace the old mafia. So they're trying to push out a lot of, or get the focus off of the Lockheeds and the Booz Allens. And they'd be like, no, we'll do the
same thing. But we're cooler and younger. So they've been awesome. They have a Slack channel. It's fantastic. You can go in there. I found tons of customers that way. They're overall just really good people. Okay, so this is my info. I am totally here to help. 10 minutes, all right. I'm totally here to help anyone that wants help. I've done it for a couple folks so far. It's gone really well. We've got a couple folks moving on to phase twos now. Totally for free. I have no problem doing that. The only thing that I always thought was like the unspoken rule was like please don't be an asshole. Like if you're just like a really shitty salesperson and can't make your quota and think like I'm going to
help you beef up your numbers, like I'm not going to do that. And please don't call me at midnight to talk work. I will totally talk to you at midnight, but not about work. So, that's my info. Like I said, if you want to talk more about it and actually write one together, these things are super quick. And in fact, after this evening, it's like six to seven, there will be a couple people from the DEF group that I'm just going out and meeting up and having drinks with. We'll be at, is it Pub 365? Is that the name? The spot that's here. So just look for the yellow hat and feel free to come
over. We can talk shop. Right after this? No, 6 to 7. So I'll just be hanging around there. It's not anything formal at all. Okay, so I want to make sure I get the questions in case there are any, but I can talk ad nauseam about this. So there's a whole bunch I didn't cover. Questions? Questions?
Sure. So everyone has their own brands of SBIRs, right? The Air Force with their open calls, though, made it a lot more attractive to someone like me. They're quick. So a normal SBIR is about 20 pages. It's a white paper with about 10 that you actually have to write. So it takes a little bit longer, right? Maybe a week. But the Air Force came out with this open call. It blew up. The first time there were like 100 of us that applied. I think like 50 of us got it. The second time there were like 300 that applied. This last round, which was the fourth round, had like 1,600 apply or something crazy. It was
huge. So the word is out. What I don't like about it is that now groups, because these are small business set-asides, the Lockheeds, the Boeings and all that, will back companies and be like, "Oh, hey, no, we're not here. We're just helping them." But they'll make all the connections and take a piece, and then you get a bunch of the same old, same old in there. Well, I'd kind of rather see some more diversity. The Navy is starting to do this. They tried to put out a version, and I'm not really sure what it was. It's in this really shady page. That I really didn't want to enter my info in. And it was on
Facebook. And I was like, "Mmm." And then, Army is starting to do really good stuff. They opened up an Austin office for AAARP Advanced Labs, I think. They're doing something like this where you essentially do a quick page of, like, here's a pitch. And then they will contact you if interested and work you through the same process. Because they have all the same authorities. But yeah, Navy is still a little bit further behind. I will say I'm not sure if they know how to quite do this. The nice thing about this is that if anyone's ever worked a normal GSA contract, it takes months to like a year to get awarded. From my submission time
to the time I went under contract was like two weeks, which is unheard of. Like that just doesn't happen. So they are really moving fast on this stuff. I mean, they now have hundreds of companies in there doing this stuff. And the whole thing is, like, it's okay to fail. Like, they are totally expecting to toss out, you know, a thousand solutions, and like 900 will not make it. That's okay. Because they tried. They gave the money out there. If there was a need, it should have been met. You would hope, right? The link has been made. And so they're okay with having a hundred really great solutions if 900 fail. So... They do. So you can petition for feedback, although the Air Force now
just packages it in, and it's usually something along the lines of, you know, commercialization wasn't strong. You have to show that you have a commercial route for this. Sometimes I'll get really random feedback and you have to go back and be like, "Are you sure this is the right person?" They're like, "Oh, sorry." Sometimes they just have too many good proposals, right? We've been on plenty of lists being like, "Hey, you were number 101 out of 100. Sorry, apply next time. Maybe we'll like it more." But you do get feedback, which is really good because the more you submit, the way better odds you have of winning. Have you encountered any processes that are open to non-US citizens or US-owned companies? So this
one in limited fashion is, but there are caveats, right? You either have to have like a US partner or something like that. I haven't seen any that have been totally funded through the DoD by non-US groups. However, groups like the DEF community, I always feel so weird saying that, they have on their site, we have people from all over the world that come to these conferences just to network. I've seen people do work with them from outside. So like one was the Swedish Army, something that was totally random, but this really nice general that came in, and they're like this big, right? So they're able to work really easily with small companies. So
I've seen more through there, but not through US DoD. I don't know of any. Is there any variance of preference for selection? If not, is there from the funding aspect for outside fundings? So, sure, so you said are there any preferences for selection criteria? Oh, for veterans. So there are spots where they will, so the question is kind of, are there special selection categories that would influence, right, the selection of your company or their awards? So yes and no. It is not like GSA where a certain portion has to go to, you know, service-disabled veteran-owned, women-owned, the whole SDVO, whatever. However, there is a checkbox when you go through the portal that asks you for those. So I'm assuming it is factored in somewhere,
but it is not as transparent or as widely used, I think, as like a GSA one. How much initial can it start, or is it all just based on the frame? Yep, all based, so did I have to come up with any additional funding to kind of run this whole thing? No, so I started submitting when I was still with my old company. Super long story there, they were okay with it. But yeah, so I just started writing these up on the weekends. I'd grab a six pack and type up some proposals, and when I started winning I was like, hey guys, it's time for me to move on. But that's how I rolled into it, because once you're in,
phase ones would be a little hard to live off of right if you're living up maybe like 40k for but 750,000 I was able to make that go a pretty far distance, right? So yeah, once you're in it and then yeah, it's just snowballs after that right? I've won multiple ones. You've got that pressure Pressure off you. So, yeah, no additional backing up to this point. Thank you. Oh, a little gun shy. So, I'm sure John will be in questions as they gather 6 to 7 down in Pub 365 tonight. I will be drinking at Pub 365 from 6 to 7. Thank you, and we're still going. Yeah, that's good. How do you know we have to do
the same work? I never used Twitter. The only time I ever used it is when I worked on the offensive side and there were people whose research I wanted to follow. I used it like bookmarking. I was like, nobody needs to see what I've done. So, a quick question. I say, hey, shit. I have students who say that. No, he's your trouble. She asked me for a letter of recommendation. I know. I still want to see. Oh, there you go. - So it used to be the other way, right? - There's a problem with the . - Right. - Cybercrime. - Right. - So that's . - There. - So I had
to make some stupid ones that I had to fight for. Right? So I read, I don't say I read, but the way it worked is I was looking for an alteration. I did some volunteering, and Jay came up with a solution, and I was like, oh, we can alter it. And it was like, all the data that you should support, like, I'll do it. I was like, that's a good idea. I was like, well, I read a century. I was like, we can do that. And so I really, like, I was an engineer, but now I'm just doing projects. So I'm having a lot of fun. All right. Yeah. Thank you. Yeah, we've
also had six minutes. - You're never gonna be in this stuff. Thank you.
Hello. So thank you everyone for coming in from the happy hour. I know it's hard to pull you away from the comedy hour and free drinks and such, but we have some really great talks for the last hour of Higher Ground. What's really great is we have so many active people in the community who give back. And if you don't know Roy Watanason, he's just phenomenal, and I probably just butchered your name there. I'm sorry. I actually got it. Okay. My last name is Smith and
people don't mess it up. So I just want to remind people that while we have content sessions going on, our conversations need to be held at a lower volume, please, out of respect for our people who are presenting here. So one thing that we're never really told when we're part of career development is that we should be learning how to fail. We're always told how to succeed or that we're going to be evaluated on succeeding. But one of the things that we have learned through all of the entrepreneurs that we've seen out there is that it's really great that they fail and they fail really well. So I was really excited to see Roy's presentation on how to fail, because I think sometimes we do fail and then we
just sort of internalize it and we let it block us rather than taking what information out of that failure and moving on. So I hope I haven't given away all of your presentation, but Roy, take it away. Tell us how to fail. Great. Thank you. First off, everyone, thank you for coming, especially during this time. Can everyone hear me well? All right. Great. Excellent. Okay, so yes, first off, I'd like to thank all the people that are here too, and also all the people, especially Kathleen and actually the whole team that set up the Security B-Sides Las Vegas, especially this year being in its 10th year. Clap of hands, 10th year. Pretty much today I'm going to kind of
talk about my experiences and also over a long, long, long period career. I won't mention how long. And then also talk about some things that each of us can use right away. And then really I wanted to kind of give enough time for questions as well. And of course if you have any other questions let me know too. What I always like to do is I always put this disclaimer up. I'm not going to read it, but it basically says that I'm not, if I have any issues or if I have any things that are wrong, I'm not liable for it. And also, this presentation doesn't endorse any of the companies that I've worked at
or am working with as well. And also, of course, if I mention any tools you'll use them in a legal, ethical manner as well. And again, there's no specific one way that fits all for everyone. Results may vary as well. So first off, who am I? Obviously that's not my picture. If you actually take a look at, there's this site, remember like, maybe about a month ago, two months ago, there was that face app that everyone was using, that they wanted to see how old they would be in about 25 years, and then they had all those privacy concerns. There's actually a website here called This Person Does Not Exist. It uses AI, it uses different machine learning algorithms, to
create different pictures of people who actually do not exist. Take a look at it. All of the slides, you don't have to take notes. They will also be made available too. But yeah, pretty much that's my Twitter, my Gmail as well. I've been in healthcare now for a long time. I also enjoy Internet of Things, IoT, as well, and I love privacy and building local communities. Also at the same time, over 10 plus years, my brother and I and other people too co-created the Healthcare Informatics Program at Brandeis University in Waltham, Massachusetts. It's a great experience and I urge you, if you are teaching as well, especially teaching high school students or middle school students or vice versa, it's the best experience because
you learn from them as well and you can basically keep adding onto that, making your courses much better too as well. And also I've worked in multiple industries too and also for the last two years, actually maybe three years, I also had a great opportunity to relocate it from Massachusetts actually to Hong Kong and also working in Beijing, China as well and actually to learn the language and still learning Mandarin as well but it's a great experience. This is the agenda today. I already mentioned about experiences. I'm going to make it very simple, talk about my experiences, how I failed, what I did wrong, and hopefully you can see some of the lessons learned too.
And also, I will mention some of the keys to being successful and really address any questions or answers too. So first off, I just wanted to kind of outline. So basically during my first year of college, it was the first time being away, and I always loved computers. And I always like to tell the story that when I actually was-- before I actually knew that my love for computers, I actually wanted to become a dentist. And what happened was that when I was away, Overseas, I had like a Swiss Army knife and I cut myself and I fainted for like five minutes. So I said, obviously blood or medicine was not for me or dentistry was not for me. So I tried to pursue
computers. But pretty much my undergrad year, since I was away from the family, for example, I kind of partied too much and did other things that I won't mention as well. But pretty much the first college I failed, I flunked out. But that was my undergrad year. And after that, it was like... I just changed my life all around. I worked so hard. Basically, it took me about just an additional year to graduate college. I went to another college, and I worked my way up while people were having relationships, having other things. I basically just kept taking classes every semester, even including the summer months as well. Anyway, so after the second try,
of course I was successful as well, and I did really well, and then after that I actually started working in different companies, and I'll talk more about that in the next few slides, but what I also want to mention is that it wasn't until probably about five years of working in the different industries that I basically pursued my graduate degree. There I did really well and then after that I became an adjunct faculty and created different courses too. But I just wanted to mention that. And again, I always want to mention for those, how many, show of hands, how many people are teachers and educators as well? How many people are going to be or
thinking about it as well? I really recommend it because we need more people, especially from the industry, that know not only the theory but the typical books as well. We need to have the real value practitioners teaching as well. But anyway, I just wanted to mention that. So these are some of the titles that I've had over the past few years. Obviously titles don't really mean anything. I think for me, my perspective is that it really depends on what you can do for the company and how you can make it better. So for example, letter A is that I actually started out in IT help desk, supporting different IT infrastructures. And then after that I went through, became like a Windows system
administrator doing different Windows system admin stuff, right? And then after that I became kind of like a telecommunications IT consultant working for different companies, and over that time I actually learned many different infrastructures, environments too. It's a great time because you're still young and also you're probably traveling like 50% plus of the time, and after that I learned many different companies, architectures as well. It was a great experience. Of course, after that, it was not until I came into Massachusetts where I actually had my first security analyst, official information security job. Before that, it was more like telecommunications, firewall, networking, Cisco, basically, all the Cisco stuff, all the Cisco certifications. But if you go down the line, you can see the gradual stuff.
And then a couple years ago, maybe like six years ago, I was lucky. I started working in Massachusetts for another institute, a very large educational academia institution, three-letter acronym called MIT. And there I was at the medical departments. I was leading their information security program. A lot of great, great, great... a lot of challenges as well, but anyway. And then of course after that I also went to work in Asia Pacific, it was probably one of the great, best experiences too, and then of course now I've been working back in healthcare and pharmaceutical as well, as a security manager as well. But I just want to mention that these are some of the industries that I've been in. Consulting, when I say
consulting, the reason I mentioned consulting is that it could be right for you, it could not be, but you get a large exposure to different industries in a small amount of time. You're kind of a consultant, so you're not a full-time employee, but you kind of get like a glimpse of the different environments too, and you can try to see what is good, what is bad about every industry too. And then also at the same time I was in the finance, kind of like more procedure-based finance industry too. And then was in healthcare and then academia. And then back to healthcare as well. Any questions so far? So far, any questions so
far? Okay, great. So next I want to kind of talk about these, these are some of the keys to being successful. Again, these are keys from my experience and again, there's no one size fits all. But for example, I think everyone that's here, especially at this time today, the first thing that you can do is, we've actually been today, I've actually had about over five to six people during the coaching sessions. It's a great experience and I urge you, if you haven't taken advantage of that, feel free to also attend, talk to the coaches. They have different perspectives as well, depending where they've been, experiences as well and what they've had, things that work for them, things that have not worked for them. And also, take
a look at the resume review sessions as well. It's a great experience. It kind of, you know, lets you know what works, what does not work as well. And if you do have a great opportunity, how many people here have presented at B-Sides or actually any security conference or any IT? Okay, great, great, excellent. So at B-Sides Las Vegas, there's a great mentoring program as well. If you're either new to the industry or you want to get in the industry or you just basically want to have a mentor to basically look at your work, what you present, there's a great Proving Ground. It's awesome. It's been a great experience. I was a part of that
many years ago. It's an awesome experience as a mentor. So these are some ingredients. The first thing that I always look for when I am looking for any new hires or interns as well is the passion. So basically you can have all the experiences, you can come from the best university. It doesn't matter. I always look for someone that's a team player that has the passion. Someone that looks out of the box, for example. So for example, the desire fueled by passion will bring about the greatest results in life. That's what I believe. You can have, you know, a lot of times people may ask about the certifications. It's
great to have the certifications, but experience is also great too. But also having the additional skills, which I will also talk about more in the next few slides, is very important rather than that. So I just want to mention. Any questions so far about that? Passion? So of course, obviously, this was a thing that we did in 2014. But regarding passion, keep trying new things. It doesn't matter if you fail. It doesn't matter. You can keep trying. As many times as I mentioned, when I was in my first year, first time in college, I didn't really know how to do things, but I failed. And it's kind of like a vulnerable thing of sharing it,
but I wanted to share with you to let you know that you're not going to be successful the first time that you do something. It's easier to do it, fail the first time rather than doing it when you're in a higher position as well. But keep trying for new things. What I mean for that is that if things don't work out, or let's say things may not work out in terms of, let's say, an interview or something like that, but it's a great experience to interview with different companies, for example. And also at the same time, push yourself, don't settle for anything less. What I always like to say is that learn to fail in
order to succeed. So you fail, don't keep failing, but of course after you fail, you know what lessons learned and then be successful at it. And also what I like to try to say is that There's so many different, in the industry, you hear about that there's a huge gap with security, information security, et cetera. But there's so many people looking, especially looking for new jobs, or for example, there's a lot of opportunities in information security. I believe that, especially anyone who's technical, doesn't matter if they had an official information security job you've dealt with some security challenges. Security is so huge, there's so many different avenues with it. So what I urge you to do is don't think like other
security professionals, think outside the box. When you're faced with a problem or issue, think like, what a red teamer would do, what a blue teamer would do, what a purple teamer would do, but think outside there too. That's why I try to inspire you about that. And also at the same time, when you do something, what I've learned is that doing the job completely. Don't just do it just for it to be complete, do it fully as well. So I can talk more about that as well. So any questions on that? Next thing has to do with networking. Obviously, you want to network really well with others. What I mean by that is, this was probably a couple of months old slide, but there's about 7.7
billion people in the world. Please network with people. Since you're already here at Higher Ground, you're already networking with people, do more of that. I always like to say the three Ns, network, network, network, because that is actually where your opportunities, your projects, your other opportunities come out of as well. For example, let's say you're new to security and you're trying to get your security job for the first time and you may not have some projects or some experience. One of the things that you can do, kind of to help the community, is of course volunteer at the B-Sides Las Vegas or any other conference too, but also
kind of help with different open source projects, especially on GitHub, anything else as well. It's a great experience with that. Because in addition to that, you actually will get more and more confidence. And then after that, you might also meet other people that are interested in hiring you as well. So there's many opportunities for that. Next thing is really just, right, I always like to say hallway con, right? The purpose of all these conferences is pretty much hallway con. You can go to the different presentations as well, but it's all about hallway con. Be nice, have fun. Be nice how you would want to be treated by others too, and
also listen and ask questions. There's nothing wrong with asking questions. Don't worry about any questions or dumb or anything like that. There's no such thing as any weird or dumb questions as well. Because you'd rather make the failures or the mistakes now when you're new rather than later. But I can talk about that more too. And the next thing is about investing in yourself. So for example, only you will know what is the best investment in yourself. So for example, obviously you might be in a team, you might have either one manager or multiple managers, but it's in your best interest to basically invest in yourself. What I mean by that is actually, you know, trying to, every year for example, Any company, there's usually a, I think
like tax deduction purposes, $5,250 that you can use toward your professional development as well. It depends on the company, it ranges, right? I just wanted to give an example. You can actually use that to go to different conferences, different things, please use that, because if you don't use that, you lose it. And I think the companies are actually, I'm not a lawyer, it's weird, but they can deduct that much money as well. So ask, you have to ask to be able to invest in yourself because sometimes, of course, your manager or your managers, they will let you know, but it's in your best interest to let them know, kind of guide them of what things
you're interested in and what things you want to do for professional development. Professional development can be Technical, doesn't have to be technical, could be something else, as like teaching a class, or a class of younger students, or a class of older students, it all depends as well. Or a class of students that aren't technical, that's probably a great challenge as well. And also at the same time, show of hands, how many people have had mentors in your lives? Whether it be technical or non-technical. Okay, great, excellent. So mentor, you don't have to only have one mentor. It really depends on which mentor you want to have. So for example, let's say you want to pursue
something that... let's say you want to do offensive security, for example. Maybe you want a mentor who's a senior veteran or more of a senior professional that has been there and can give you some kind of lessons learned about offensive security. Also at the same time you probably want another. More mentors, the more mentors you have, the better. Maybe you probably want a mentor for presentation skills. Maybe you want a mentor for some communication skills, etc. as well. So it's okay to have many mentors. Most of the time, and most people ask, "How do you get a mentor?" Just ask. If they have time, take a look. You can take a look at it, read different blogs, participate. Of
course, if there are no funds, for example, for basic training as well, just do like webinars as well. It's a free opportunity. Take a look at many of the different things. Those of you who are going to DEF CON, there's DEF CON groups as well around the world, around the states. Teach, present as well. Now I'm gonna go really fast. Okay, so these are some skills. These are some kind of critical skills when I'm looking for, especially when I'm hiring, leadership skills. But of course, the first one is communication skills. All of these things, I won't read everything, but I really feel that negotiation, organization, team player, and interpersonal communication skills are really important as well. And then I'm just going to keep
going really fast. Work-life balance. Obviously, information security technology in any industry, there's a lot of stress. mental health, please, please, please, please, you know, try to have a great exercise, eat the right foods, all of that. I'm just going to talk about that, right? Meditation as well, manage stress, and get enough sleep as well. So, And then pretty much putting it all together. I just wanted to mention that passion networking with others, investing yourself, having the work-life balance, and also the additional skills like I mentioned. Communication skills, negotiation skills, etc. is very important. So now I want to actually entertain questions as well. And any specific questions? Yes, yes sir. Do you have any advice for someone who's trying to bring hacking and information security
into academia? Yep. So the question was, do you have any advice for someone who's trying to bring information security or hacking into academia? So yeah, one of the first things that I would say is that there's actually a great one, Sam Bowne. Sam Bowne, he has a lot of, all of his courses are actually all online. He does kind of like a lot of malware, etc. I would say you can actually use some of that. There's been like a lot of the professionals, the teachers, faculty, they've been trying to convene to find what is the right fit. And obviously it's different because every teaching environment or every college or university is different, but I would say you can use some of those too. And don't be afraid to go
to any faculty members who are especially security professional to actually ask him or her for the syllabus as well. Even if you're a new professional going to teach, you can actually learn from him or her and actually be kind of like a secondary instructor as well. So something like that I would recommend. So great question. Any other questions, concerns, or anything like that? Yes, yes, sir? To help a teenager sort of-- oh, sorry. a teenager who is really interested in video games all the time and that's kind of like all they do, right? Any suggestions that you might have to sort of bridge that gap from gaming to actually programming, whether it's programming games or getting into InfoSec or whatever it is.
Do you have any kind of suggestions that might be something that might kind of help that person kind of gain some interest? Yep, sure. Yeah, so we have, really quickly, so the question was someone who's into video games trying to get into information security. I would say try to tell them to break the video game. Yeah, as well, or you've seen all those issues with some of these video games, right? The security privacy issues, something goes down. There's a lot of, depending if it's male or female as well, or different. I would say there's a lot of these, I forget, Code for Classy, there's a lot of these different programs too that they're doing, especially I think yesterday, yep, thank you. Yesterday there was the Women in
Security Gala. All the top security professionals, the top, I think the top 30, I forgot. And I would say, yeah, just go to like, depending what their age are. what their ages are as well, bring them to these different conferences as well. I think there was another colleague, Jack Menino, who brought his, either his son or daughter the first time. He was really excited about that. More than, I think his son or daughter? I forgot, sorry Jack. But yeah, I would say something like that. If you hack kids as well, like the DEF CON has the bringing the even younger generation too. There's so many opportunities too. Great question. Any other questions? I have about, I think I have about two minutes
or maybe less than two minutes. Great, thank you very much. - First question or first question that you've always wanted to ask a recruiter is why did they not get vaccinated? What's the best process of doing it?
So we're going to play a fun game for just half a second called check the mics. So what I'm going to have each person do if you're coming up here as part of the panel, when the folks come up and you're sitting here, I'm going to have them check one at a time to make sure. So pick a spot and I'll have you hang out for a second and then I'll just have you start saying, basically telling us what time it is, and we'll just check, check, check. Tell me when. Tell me when. Hi. Hello, hello. Hello. Hi, I'm Erica. Megan. Nice to meet you, Megan. Cylance. BlackBerry
Cylance. Say hi to everybody before you do this. Hello. Oh, hi. Nice to meet you. Nice to meet you. Hi, Matt. I'm Matt. Nice to meet you. Hi. Hi. I think Steve's working on it. So Steve, do you need everyone to test their mic? Matt, test your mic. Test. Erica. Testing. Oh, that's much better. Richard. Check. Check. One. Intonation. There you go. And Megan. Check, check. Hello. Check, check. Okay, thank you. So I have to sort of call out one of my volunteers, because I could not have done Higher Ground today without Jen Haberman over there.
So Jen has been coming to Higher Ground for four years. She takes vacation time to be here. And she does all of the career coaching, all of the resume reviewing, all the mock interviews, fills in when someone doesn't show up. And she's been in this community for a very, very long time. How long have you been going to DEF CON, Jennifer? 21 years going to DEF CON. So if you want to know anything about this industry, who to network with, career paths, working for commercial or possibly government, Jennifer is the person to talk to and she is more than willing to give you all the time in the world. And I am taking her away from vacation time at
the pool. So I'm going to ask Trish and her group to lower down a little bit. So this is our final panel for the day. It's our only panel for the day. I was trying to cheat and it's going to get me in trouble. Hang on. So the wonderful gentleman who's running around is also involved with Circle City Con. He's involved with B-Sides San Antonio. He is the organizer for B-Sides San Antonio. And he also is now on the speaking circuit because he has developed his career by volunteering at various different cons. And so it is definitely a role model to follow. So is this me? You're quite welcome. So are we done? Check, check. Yeah. Awesome. You guys can hear me? Okay, we're
great. So I always have fun with this panel because it is a really great way for people to see that recruiters are real people. They actually do exist. And one of the things when I came into this industry is that everyone was bad-mouthing recruiters. And there's actually several YouTube channels about it. There's also several Twitter handles about it. There is so much bad mouthing going on about recruiters that it was hindering job search for many job seekers because they didn't want to talk to a recruiter because they thought the recruiter was stupid, that the recruiter was unethical, that the recruiter was not doing their job. Well, I hate to tell you, yeah, there are going to be people like that in any industry. Unfortunately, you're closing yourself
off to opportunities if you don't network with recruiters. So I'm going to have each one of the recruiters up here introduce themselves, briefly tell us what kind of positions you're hiring for, and one thing people do not know about you. And I'm going to end with you last because I know exactly what you're going to say. I'm going to start with Megan down here from Silance. I can't wait to hear what I'm going to tell no one else about you. I have to pick something that's politically correct, I suppose. My name is Megan Caledona. I work with BlackBerry Silence. I'm not sure if everybody's familiar, but BlackBerry just bought Silence out in February. It's been
an amazing merger. We're super excited about it. We're hiring for pretty much everything across Red Team, Blue Team, 24/7 SOC analysts, threat hunting operations, all of that, as well as DevSecOps at SDLC, something nobody knows about me. I don't know, I'm not a strong swimmer. I can't swim. I cannot swim. Boo. Wait, does she get a boo out of that? That's okay. That's okay. My name is Richard Cho. I'm the head of recruiting at Robin Hood. For the last... 10 years of my 22 year career, I've been at hyper growth startups. So these are startups like Facebook, where I got to saw, I saw them grow from 500 over 6000 Dropbox. And now here I am again, doing it all over again. So I
love the pain, it turns out. We're hiring across the board. Every company, every startup gets into this inflection point where you're going from hiring the one unicorn that could do everything, like can you do everything under the sun, under security, to now we're actually building out our organization. And so security engineers, program managers, anything you can think of, we're building the team. So what is someone not-- Oh, yeah. In high school I sang in a Garth Brooks country cover band. Can you give us a laugh? Well, give me a tune and I'll do it. Oh, Lord. I did it. Karthik will confirm. I sang a country song during my orientation in front of the
entire company, which is super interesting. I don't know if you're going to follow up on that. Okay, so Erica. Not nearly as exciting. Hi, my name's Erica Schneider. I work for a company called Valimail. We're an email security company hiring for both San Francisco and Denver. The roles that we're hiring for: software engineers across the board, using a lot of Golang on our platform, Ruby as our full stack, React on the front end as well. Program managers, product managers alike. So I've got a lot of great roles, even sales. I head up all of technical recruiting, so I don't want to shortchange our non-technical departments within Valimail, but we're also hiring for a lot of sales, customer success, and so forth. So Erica Schneider, Valimail, connect with me on
LinkedIn. Happy to connect with anybody here. Now, something that nobody knows, well, I'm moving to Denver because we're opening an office in Denver in two months. So the office is already open, but I'm spearheading that. So that was a really exciting project. And so now we're hiring in San Francisco and in Denver. Matt? Hey, everyone. I'm Matt Duren. I'm senior manager of talent acquisition and talent attraction. If you want to know what that is, let me know because I'm still trying to figure that out myself. But at Tenable, I've been there for almost seven years now. Prior to that, I was at GEICO for about ten years doing both technical and college recruiting. I still do college recruiting today with Mark back there. Mark's our college recruiter. And
I'll shout out to my folks. One of my senior recruiters, Tim. Mark's on my team. John is not on my team, but she's cool anyway. And then Jeanette here as well. But, yeah, things we're hiring for, actually a lot of remote research. So if you know anything about, you know, a little bit of pen testing skill set. It's not pen testing. Your goal is to build plug-ins for Nessus. So you do get to hack things and do all that fun stuff, but you're writing scripts at the end of the day for Nessus plugins. Also on the pre-sale side, sales engineering, we actually have something here in Las Vegas where you could actually be a sales
engineer for Tenable in Vegas. The manager for that team is wandering around. If you're interested, I will connect you personally for that person. And then ProServe, a lot of things globally for that kind of stuff. So anything to do with Nessus installs? Oh. Oh, and sales. I already said sales. I said sales engineering. Customer success, things like that. That's all in Maryland. I want to know what you want to say about me that nobody knows. Costumes. Oh, well, yeah. I've run around in an inflatable T-Rex costume before. I almost brought it here, and I almost ran in with it. That was my plan, but it wouldn't fit in my luggage, so... So Matt and I
have worked together a good 10, 12 years, and I retired from an organization, and all I really wanted was someone to come out in a T-Rex outfit, and at my retirement speech, he came running out. So it was pretty awesome. It's kind of hard to run on those things. So my first question, Richard, give me one thing that a job seeker has done that really impressed you. And what is the biggest mistake that people make when they're applying for a job? - I'll try to keep this security related and can I make it not impress me? So this is actually documented. So there's a number of folks that fit into this category. But very early
on, a 17-year-old programmer decided to hack into Facebook and make like weird things, make it look like MySpace, do some other things. And so both Mark and Dustin Moskovitz, the co-founders of Facebook, decided to call him in. And Chris was like, he told his dad, he's like, "Dad, I'm gonna take my phone with me. "I'm pretty sure I'm gonna go to jail, "but if I do go to jail, please bail me out." And the dad's like, "What did you do?" And he's like, "Don't worry about it, "I'll talk to you later." He gets into the meeting with Mark and Dustin and gets a job offer. So Chris was one of our early engineers
in security at Facebook. So it wasn't my story because I wasn't there yet, but it's Facebook's story. So what is one thing that people do all the time that just flubs up the process for them? I think just assuming that application means that you're going to have visibility. You got to put a little bit of the work into it. By the numbers, the number of applicants to any opening is in the tens of thousands. And so as a result, you want to differentiate yourself. And so that's why. So why don't you pick that up? What are some of the things that people can do to differentiate themselves in the process? Yeah, that's great. I think
follow-up is super important. Finding who it is that might be the recruiting manager or the hiring manager and reaching out to them on LinkedIn. You know, you're looking for a red team role. You really want to work at X, Y, and Z company. Just reach out to someone in that organization. A lot of times that sets you apart. And one thing that I think is the biggest thing that we see a lot of times is just, if you don't know something, just don't know it. It's fine; just look it up and be open and honest about that. I think that that's probably the biggest thing that we see: when people
do have shortcomings is when they just try to make things up on the calls or on the interviews. So, Erica, same two questions that I gave Richard: something that people have impressed you with, and what is a mistake that people have made? One of my favorite things are when candidates come with a leave-behind. Like I get super impressed. Like they'll be really creative, and it depends on the role. UX, UI designer, not always; sometimes a product manager will come in and they'll have one. One of them had a candy bar with their business card and their face on it and their contact information. They're like, hey, to sweeten the deal, to hire me,
here's my leave-behind. And that just really made them stand out. I didn't end up hiring the person because I had a much stronger candidate, but that really impressed me and connected with them. I still stay in contact with them today. If there's anything I can hire them for, I will. Sorry, what was the second question? Something you see that people flub up all the time? Applying for roles that they're not at all a fit for. I'll get scrum masters applying for a director of product management, just throwing spaghetti at the wall to see if it sticks. I like to see at least a 65 to 70% fit. It doesn't happen, no one's ever 100% fit, hardly ever, but
65, 70% is definitely needed. So Matt, let's get this a little bit more granular in a technical interview. So what are things that people really mess up in a technical interview, either face to face or over the phone? I mean, the number one thing is always having examples. I mean, so a lot of people put things on their resume and, you know, let's pick on college students a little bit here. They go into an interview, they're going for an internship, they did a class in something and they put it on their resume. And then they can't talk to it. If you're gonna put something on the resume, have an example of almost every single skill
or every bullet point that you have on there, be able to tell more stories about that particular bullet. It should be just a quick tidbit on what it was, and there should be a lot more underneath that. If you can't talk or give an example for something that could go on for a couple of minutes and several follow-up questions, it's probably best to leave it off or at least put it in a related interests category or something like that. So I would say be able to talk about the things that you put as a highlight on your resume. So one thing that I've talked about a lot is getting experience in the community when you
don't have work experience. So what are some of the other ways that you want people to show that they have work experience? Matt and then Erica and then we'll go down the line. Yeah, I think coming up something like this, I mean, I think we've learned by the 194 countries, one community aspect of B-Sides is that there's one in every city in the U.S., at least in those that are international. There's something big nearby. And they're really just driven by volunteerism. I mean, everybody does it for their own. Nobody's getting paid for that. Even if it's just... you know, people running the doors out front. It has nothing to do with security, but you're around
it. You take that time to do the volunteerism, and then you take advantage of the rest of the day. I don't know what the shifts are for that stuff, but maybe two hours of volunteering, doing something completely unrelated to InfoSec, just checking badges, just checking people in at registration. But then you get that ability to go and see the rest of the day's talks and learn so much and do the hallway con like we talked about before. There's a lot of things you can do just in your local community. If you don't have one in your local community, start one up. There's a lot of places that are kind of really wanting this
type of experience. And go out there, and if you can't find it for yourself, create it. Erica? I would say, especially on the engineering side, if it's engineering, GitHub repositories. I look at those aside from any engineering assessment that I ever send out. I always look at a GitHub repo. If it's not engineer related, like Matt said, piggybacking off of that a little bit, meetups are a great way. And if you don't have one, start one in your community. You can learn a lot from that community. I've gone to many different language-specific meetups or career-specific meetups and I pick up something new every single time. And there's a myriad from junior, you know,
novice to very senior people in those groups and you can always learn from each other. And if I could add on to that, ask your company for help. Yeah. Ask them, say, hey, I want to do this, and maybe they'll offer space. Maybe they'll offer a couple of bucks for pizza to pay for things. Yeah. So, one thing building on what both Erica and Matt said was, you know, when you come back from Hacker Summer Camp, write yourself a trip report. What did you do on your summer vacation? It sounds really bogus, but there are going to be several aha moments that you're going to get. And if your company provided for you to come here,
give them a trip report. What did you learn? What were some of the new trends you saw? Did you help out? Did you volunteer? Did you work on your soft skills while you were volunteering? We just did a study that said community volunteering, people were learning planning, communication, budgeting, leadership, all of the soft skills that we're looking for in this community. Also looking at CTFs. Because there are a lot of times when you're going to go through that interview process and people are going to say, well, what did you fail at? Well, no one's going to really want to say what you failed at at your last job or your current job. But you certainly
had failed opportunities in a CTF. You were there for a short term. You had limited resources. You had limited time. You were meeting with people and you were going against an adversary you had never known before. Gee, what does that sound like? That's work experience. So if you're not tallying up the CTFs that you're part of and incorporating them in sort of your story that you tell in an interview about your work experience, you're leaving a lot off the table. So to this side of the panel, can you explain to the audience sort of the interview process at your companies? Because a lot of times people think it's one week and I'll get the job.
I have a colleague that spent 18 months from the beginning of the application to the final job offer. She actually took another job in the interim. So Richard, can you sort of like explain the process? Because a lot of people aren't prepared for the long haul. And then Megan. Let me also caveat this by saying there are certain companies that take a while because they could afford to take a while because they already have a brand. We're not in that boat. We're new to a highly competitive market and we're hiring a ton by volume. So what we try to do is try to stay within a two to maximum three week time period. There's an engagement call with
the recruiter, just to make sure that you are aligned to the role that you're applying to or the role that we obviously reached out to you for. And believe it or not, we get it wrong sometimes. So we might reach out to you and you're like, I don't do any of that. We're like, oops, OK, sorry. And we try to learn from that. Then you go to a screen, which is more technical in nature, just to validate that those skills that you have are valid. And that's usually done over the phone. If there's coding involved, there's a shared way to actually show your code while you're talking to someone on the phone. And then it's
the on-site and then from the on-site. By that time period, I'm already within two weeks, depending on your schedule and depending on our schedule, and an offer within the third week or so is what we're aiming to do. Megan? Yeah, our process, can you guys hear me on this? Our process is usually actually a little bit longer, sometimes shorter though. So it depends. If we're working on our consulting practice and our consulting roles, sometimes we need people in seats that week. And so it can be really, really quick. And those can be actually more challenging sometimes than the longer roles because it takes a little bit longer to get to know that person. Our recruiting
process always starts off with an intake call and that's usually led by me or one of our other recruiters and it's actually technical questions. We have a hard time of... getting resumes that aren't 100% true, you know, and so it's actually led by some technical questions that we kind of go through and we're able to weed out some folks through there. We don't do many on-site interviews though. A lot of our people work remotely or they work at client sites and so you don't get an opportunity to actually go on-site and meet the team. So my biggest thing is just trying to get them to meet with at least two or three hiring managers and
just focusing on you're interviewing us just as much as we're interviewing you as well. Can I add to my -- Sure. So you triggered something. So one of the things that's important to note is like there's going to be things that actually -- there's going to be things that actually add to the time. Part of that is if you're the first that we reached out to, you can imagine we need to take some time to evaluate as many candidates as we can. Even if you're perfect the first time, we want to at least evaluate a good cohort of candidates. And that might take a week or two to get a full cohort before we invite
you on site. The other could be maybe we didn't get enough signal during the interview process and we want to invite you back. That could take another week or so. So, you know, there's sort of the goal of trying to get through from beginning to end and a whole interview process within three weeks. It could be extended based on those circumstances. So it's all right in the process to ask what is the interview and hiring process. That actually should be one of your questions. What are the steps that I'm going to go through? Who am I going to meet with? When am I going to meet with them? And how long should this process take? Because we all have sort of an assumption in
our mind that it's going to take maybe two weeks and it ends up taking six to eight weeks. And a lot of that isn't because they're not interested. They're trying to line up other people's schedules. I mean, we all know what it's like to try to get together for drinks with some friends. You know, imagine trying to put eight or nine people's schedules together. So how many of you guys get thank you notes? Not enough. Honestly, every single time you should follow up with the person, not just the recruiter but every person that you spoke to. Ask the recruiter for their email and send it to every single person you
spoke to, every time. Anyone else want to add to that? And I agree. It's not that hard to find people's emails. It's usually first dot last name at company dot com. And is it a way you differentiate? I mean, is it how you differentiate your candidates? Yeah, my managers differentiate that way as well. Yeah, I take stock in that. And also customize your thank you to each different person because my engineering team does talk to each other. And if you spoke to the hiring manager and then one of the engineering leads and one of your fellow engineers or whomever it might be in the team, they're going to know that it was just copied and pasted
and, you know, put some effort into it. State maybe what you really found interesting about your conversation with that person. But the most you can possibly do is at least customize that note, please. I also have another thing to add to that one, too, is also if they asked you a question that stumped you, write it down and answer that question in that email. And that speaks volumes to our team. So what happens, you know, what's interesting is that when people don't get accepted for the job, they then sort of wipe that company off their list. So Matt and whoever else wants to jump in on this, if you don't get accepted for one particular
job, do you just sort of write that company off your list, Matt? No, I mean, there's always going to be something different. Next year, next week, people might leave that company and open up another job and that person might be a good fit for it. There's somebody I've been talking to for like three years. I think the person's awesome. I would love to see this person work for us. We just haven't had the right opportunity for them. And if they had just written me off the first time I said no, we wouldn't be talking next week about another opportunity that's come up. Keep at it, build a relationship. That's really what, it's a game, I
understand that. There's things that you have to do, there's things that we have to do as companies to keep you engaged, but it's your career. If you think it's a great company to work for and you would like to see yourself there, it may not be today, it may be next year, but I'd say keep the doors open always, unless they screwed you over some way. And, you know, Richard is a really great example. I mean, you heard all the various different companies that he has been part of. If you are not including Richard in your networking, you are missing out on so many opportunities. They're all going to be lining up for you. But
realize that recruiters also talk to each other. And they'll say, hey, I mean, I can't tell you how many groups that Matt and I are part of that we say, hey, we just met this really great candidate. It just wasn't the right fit. Is there anyone else out there? that can take this person. I can vouch for them. I've done the interviewing. I've done everything. I think they would be great. We just don't have the right position. So, I mean, do you guys network with job seekers and keep them sort of, you know, in your pipeline? Absolutely. Absolutely. If I can't hire them, I always say if it's not right now, I hope it's in
the future. And if it's not at Valimail, then who knows? Maybe it's at the company that I'll be at in the future. You never know. Matt said, it's all about building that relationship and connecting. And I've stayed in contact with people for years. Same person with the candy bar. I still talk to them. I just can't hire them just because I don't have anything open for them right now. But I've referred them to, you know, my recruiting background includes agencies, Kforce and Robert Half. And I will send them to all of the recruiters that I know there. Please help find this person a job. Can I just add? Yeah. Look, that's definitely aspirational on both
sides. I actually think a lot of recruiting organizations don't do a good job following up from folks that have failed the interview process, just to be frank. And then to the point of this panel, you should make sure you try to make that connection. But it's awkward. We know. It's like a breakup. I'm like, sorry, you didn't get the job. And you're like, you know, and there's a little bit of emotions, human, the whole thing. The most important thing is that knowing that talent's not static. Like you're gonna develop some new skills that's probably gonna be really important. I know of two examples in my mind in my 22 year career where we said no
to somebody only for that person to actually be one of the most important contributors to a technology or something. And then now we're like, can you please come work for us? So the moral of the story is recruiting organizations should do a good job staying in contact with folks that were rejected, and candidates should do a good job trying to stay in contact with the company as well. So how many in the audience can say that you have five to seven recruiters that are in your network that you network with? Not the people that are spamming you. Okay, all the recruiters in the back of the room. Thank you. So we have people
that we go to for restaurant recommendations, movie recommendations, or vacation recommendations. Your career is somewhat important. Why are you not adding recruiters to your network and keeping in touch with them and saying, "Hey, I just passed my CISSP. "That was something that was required for this job." I mean, I know recruiters who check in on a regular basis. You can check in with them. We have a few minutes left. I wanna take questions from the audience. We have a lovely woman back there with the microphone. So do we have any questions? - What do you feel that college students are missing or fresh out of college, they're lacking in? Is that to anybody in particular? Or you were looking right at me.
Yeah, so I think a lot of-- I love the energy. I love the aspiration. You're not going to be CEO next month, all right? I think the willingness to do some of the work that is at the entry level. It's there for a reason. There are things that you need to pick up that later on in life you're going to need for your career. Having a CISSP as a 21-year-old, that's cool, but that's a management and strategy-based certification. Are you going to build on that? And then speaking of certifications, I have a kind of a love-hate relationship. I love hating on certifications. Because I think they're just great for being able to say I passed the test, I knew the information
for the time it took me to study and close the book and then open the test book and submit on the answers, but I don't retain the information. I see a lot of entry-level people in our tech support interviews that we go through the OSI model, all networking based, all this stuff, all the layers of networking, and they say, "Oh, I remember that from my studying." It's like, "Well, then it didn't really work, did it?" So I say, have some humility in saying, "I need to do some of this grunt work." And I know it sounds bad, but it is grunt work. But there's a reason behind it. And then make sure that that studying
sticks. There's a lot of, I mean, Googling an answer, I hear it all the time. It's not that impressive, but I understand that's the way it works. But know enough of the basics to know that I need to go to the basic level, and then if it's advanced, then I've got to go look it up. Anyone else have anything for college students? I think, so... Look, getting a job is really -- it's not easy, especially if you're just graduating. And so you graduate with these, like, credentials, and you think it's like an inventory of things that you need to know in order to get in and do your job well. And I haven't seen that
really bear out really well, both in the interview process and also long term. What most college students don't end up taking the time doing is like, why should I know this? Why do I like this? Why am I passionate about this? And it's important to know that alignment. Like you chose this particular profession and curricula intentionally. And understand the why behind that. Because by the way, when you're asked questions and you're passionate about it, not only does it show up emotionally, but your knowledge is right there as well, right? So understand the why behind it. Any other questions? Come on. We have one over here.
What attributes do you like way heavier than others in terms of hiring an applicant? Like the ability to be a team player or high technical ability or what do you, I guess, cherish the most? So Megan and then Erica. I would say passion. Like you just said, it shows through for sure. And if you're passionate about it, you come to things like this. You do research on your own. It shows through your entire career. Yeah, sorry. Yeah, yeah. You know, it's 50-50 with us. I hire equally for skill set as I do for, you know, that god-awful word, culture fit. But what that really means is that, just to piggyback off of everybody, what we've
said is all passion, but also passion about the company that you're interviewing for. You know, not just the subject matter or the things that you studied or the certifications that you've received and worked really hard on. It's more about, it's also about the company saying why you want to work at this firm, why you're passionate about their product or what they've done. Bringing up recent social media posts or news articles, good, bad, or otherwise. But bringing that up and saying, hey, I read this about you guys. I really like this about this company. Here's why I am here. And that will... that passion will exude out of you, seriously. - So I'm gonna give each one of you just a closing statement you can make, something you wanted
to say or something new. So Megan, and we'll go all the way down. - Join BlackBerry Cylance. We're so great. She took the words out of my mouth. I also was going to say join BlackBerry Cylance. No, I didn't say that. Robin. Look, so two things. You guys are going to not only be applicants and candidates, but you'll also be hiring managers as well. Don't fall into this trap of assuming that experience is a good proxy for good. Experience is not a good proxy for good. It doesn't matter what school you went to. It doesn't matter what companies you worked for. It really matters about the core skill sets and that you're aligned to the work and the mission of the company and you have that passion. So don't fall
into that trap because it's out there. Connect with me on LinkedIn. Erica Schneider, Valimail. I might not be able to hire you personally at Valimail, but I will be able to help you in some endeavor one way or another, make an introduction to my network. I've got over 10,000 of them. So please, I invite you to connect with me. Thank you. Matt? Recruiters are known for throwing out a lot of messages on LinkedIn to connect, or I have this hot opportunity or hot job or whatever it is. I encourage all of you to really look at some of those messages because one day you're going to be kind of that person that's getting all those InMails and, you know, set in your job and I'm not really going
to look. Pay attention to who's sending them. I think there's a lot to be said about the quality of messages you'll receive over your career from recruiters looking for you to connect. Tables turn when that happens. You guys are sending us applications at some point in your career, and then we're out there sending you invitations to apply for jobs. Have a very critical eye about who you're engaging with. You can do a quick review of somebody's LinkedIn profile, recruiter. They've been doing it for about three months and before that they were like a server or a bartender or something like that. I'm not saying they're not good. I'm just saying that there's probably somebody out
there that you should be paying more attention to. If they've been doing it for 10 years, for 15 years, or whatever, that means they have a lot of connections; they're quality. So be on the lookout for who's sending those messages. If it's not the right job today, and he's like, I don't want to do that, at least say, hey, I'm not interested. You look like you know what you're doing. You've been in this for a while. Or they have something fun on their profile. Just connect with them and say, "Hey, you look like you know what you're doing. I'd like to just stay in touch. Maybe there's something else down the line." So when you've
made that change in your career to where you're the sought after person, keep an eye out who's sending you messages because it may be one of us up here and be gentle on us, please. So in summary, here at Hacker Summer Camp, before you go home, before you get on the plane, write a trip report. What did you learn? Who did you connect with? to make sure that you're connecting with all of the recruiters that are in the room and anyone else, yes dear, anyone else that is someone that just you had a really passionate click with because there's also this thing called the employee referral program. So if you met someone who really loved
where they worked and you understood what they were doing and you were really passionate about that, be sure you're including that in the networking. Be sure to ask at the beginning of an interview, what is the overall interview process? So that you know from A to Z what are the different steps. And when you go through all of these different steps, please write a thank you note to everyone that you have time to talk with. Realize that technical versus passion is going to be sort of a seesaw. You know, make sure that you're talking about the technical skills that you really know, not just those that you Googled about. Those that you really can bring
value to the company and also being able to show the passion that you have for that kind of work you're doing and the company that you're going to go work for. Let's have a round of applause for our recruiters. So this concludes the first day of Higher Ground. It's been a great experience with the recruiters and participants and career coaches and resume reviewers. We'll be closing up in about 20, 25 minutes, so take an opportunity meeting with the career counselors. We open up again tomorrow at 10 o'clock, and resume review and career coaching starts at noon tomorrow. Thank you. Cool.
Thank you. So yeah, so I love doing community panels and sort of integrating what people talk about. And this was probably the best one. Yeah, there was one year. So yeah, there was two years ago, I think there was three people and there was four performers. And so we just sort of did like a stand-up circle. Thanks, Kar, thanks. Yeah. No, no. I have a husband that's awesome. I've never been in a relationship with him. Steven? Come on. Sweet, have everything. Thank you. Thank you. So you can talk. Yeah, mine was up here before, and I was like, pfft. Thank you. No, I appreciate that. Just so you know where it was. I have no idea where it was. So this is, well, that just got on the carpet. So continue, continue, continue. Unless she uncoged it and maybe
she wanted me to. No, that stays in the room, that's theirs, and most people put it back in the center. So is there a reason you didn't use the hat? Because that was this man's name. This is what this is, and this is what it is. - And they didn't have the eyes to see. - So that's probably supposed to be me. - Okay. - So, there's normally a dog set up that would be, and they'll be recording this. Was this just in my, because when you first came in, what this did first, now, I love this. You walked up and ignored that stuff and went to this. - Yeah. - Which is what caused all of the feedback issues. -
Oh, and then this was down here. - Disconnected, which means there's a cable. - No, no, it was connected. - Yeah. Yes, you would take this back to Cuba. Yeah, that's Chianti Room. If you'd go straight across from the exit here, turn right a little bit. Should be folks there. Otherwise, is that what your instructions are, is to return the box? Yeah, at the end of the day. Yes, thank you. Appreciate it, Anna. So, for whatever reason, this shows the absolute worst things that could happen to me. But some facilities, like this, are fine. So, that's why the design was made. So anyway, so
