
So welcome to Hire Ground, and welcome to being back in person. It is so amazing seeing everybody. It is so amazing that BSides Las Vegas actually did this virtually last year as well. My name is Kathleen Smith; I'm the lead for Hire Ground. We've had Hire Ground for seven years, because we know that people will talk about this workforce shortage, but other than throwing a lot of job descriptions at it, a lot of people are not changing the conversation. So this is a safe place for you to be able to have those conversations: what do I do with my resume, what do I do with this, how do I do interviewing, what do I do about mapping as
far as my career is concerned. So today we will have three great presentations, at 10:30, 11:30 and 2, and then at one o'clock we also have recruiters from the industry that I trust and career coaches that I trust coming in to meet with you and talk with you one-on-one about those sessions. I really wanted to kick off Hire Ground with a presentation about career mapping, because when you talk about your career, a lot of people move from position to position just looking for the new title or the new salary, rather than asking how do you develop as a professional, how do you develop to the next step that will fulfill you as a career professional
rather than just fitting in the next cubicle. So with that, I would like to introduce Steve Winterfeld and his presentation on a career in cyber security. Thank you.
My background: I started off in the military. I built a computer emergency response center, a SOC, for the Army. Then I went into defense contracting, so I stepped halfway out of the military for a while. I did a lot of certification and accreditation, did the compliance stuff, taught a course on being a cyber warrior, basically teaching admins how to break into systems, because the problem is good builders build things to work, and they don't want to break them. They don't think about how to break them, they don't think about how to abuse them, and so they just build things to work, not build things to be safe. Then I switched over and went to Nordstrom.
My wife is still mad that I left that discount. I ran their bank. Nordstrom had a bank for a long time; they were one of the last two retailers to have their own bank. Nordstrom and Cabela's were the last two, and they both got rid of their banks because the regulation was too burdensome. Then I went over to Charles Schwab and built out the threat intelligence and incident response. The reason I'm so passionate about today is I got caught up in a RIF, and I was just kind of doing what most of us do: my career was managed by whatever opportunity came in front of me, and suddenly the company shrank. The CTO, I,
and a bunch of others were looking for a job, and so I really had to sit down and think about what I wanted to do. Did I want to stay in defense contracting or get out, and all those kinds of things. So I want to share that kind of a journey and some of those experiences. Today we're going to do three things: we're going to talk about people coming into the career, how you should advise them and what you should think about when you're coming in; how do you build a stronger you for your career; and then how do you figure out where you want to go. So the first thing is somebody's coming
to you and they're like, I hear cyber security makes a lot of money, I want to get into cyber security. So I generally talk to the person about where would they fit, where would they be successful. You know, if I had been put into compliance right away, I don't know that I would have been successful. I'm happier in an analyst role, and so I got lucky in that the first job I was offered was an analyst role. So again, I didn't manage my career as much as take advantage of opportunities. And so: do you like to build things? Do you like to design? Do you like to go
home having accomplished something? There are a lot of us that spend days and go home and not necessarily have something we accomplished that week, that month. Builders love to get things done. Building has kind of changed lately; DevOps has changed that to some degree, and more and more of our builders have to be coders. It used to be you would come in and you would build a server and put, you know, file integrity management on this server, you would put data loss prevention on this server, you'd have antivirus agents being managed by this server, and I managed systems, I managed different things like that. That is changing. And I will tell you the one thing
that is true about cyber security: what would you guess the half-life of a cyber security skill is? Six months? I would say 18 months for most cyber security skills. If you don't like to adapt, learn and change, this is not a fun career field. So I'm talking to my engineers now about: are they going to become developers, are they going to become cloud architects, are they going to become coders, what are they going to be to be relevant in two years? The next thing is, I don't really have technical skills, I don't want to sit at a keyboard and look at code, I don't want to look at incidents. Anybody that watches incidents scroll across the
security operations center, a SOC, screen knows what I'm talking about. You know, there's a role for you. Compliance is incredibly important. One of the people on my team, when I was doing major incident response, had to design the program to respond to an incident if we had a data breach. They designed that plan. There was a person on my team whose sole responsibility was to tell me whether or not I was following the plan. So as a CSO, one of the things I worry about is, after the breach, I'm going to have two things show up in banking: one is the regulators and the other is a class action lawsuit. And in a class action lawsuit I'm
literally thinking about what evidence they have access to. My forensic company reports to my lawyer, so they have confidentiality, and there's that lawyer-client privilege; the forensic report may not be able to be pulled into the class action lawsuit. My policy can be discovered, and now they're going to say, did I follow my policy? I literally have a person on my team saying, hey, you're not following your own policy. So I mean, those people are incredibly important. PCI audit: how many people have been through a PCI audit? That is so much fun, 250-some checklist items to make sure that you're handling credit cards correctly. I need the audit team, the compliance team, to make sure when the PCI audit
comes annually or biannually that we're going to pass. And so these are people that are involved in strategy, these are people that are involved in actual incidents. They're not your audit team; they're part of your security team, and it's a very important job. Now the last is your analysts. So what is an analyst? Your SOC operator, somebody that day in and day out is looking at indicators of compromise, alerts, and responding to them. Your incident response team, which is different than your SOC operator. Your forensics team. Your penetration testing team. Of all the tabs I've talked about, who do you think works the longest hours? Incident response. Your analysts are
probably working. You know, when Log4j comes out, the SOC is fully engaged, the pen testers are testing, your vulnerability team is running your com, and so at three o'clock on Friday, because that's when every zero day pops, if you're in operations, if you're an analyst, these are probably the longest hours. So again, it's kind of this balance of what you want out of your career. Do you want to go do your job, be done at five, go home? Compliance is your best bet. Those people have fewer crises than, you know, we just got a patch, so we need the engineers here this weekend to push the Log4j patch. Any thoughts? Anything? Any questions
before I kind of move off of how I talk to somebody about what they might want to do in cyber security?
All right, I've either bored everybody into comas or I'm doing well. I was a mortar platoon leader; you're going to have to take off your mask.
To get into compliance, what skills do you need? Actually, the compliance people I'm the most happy with have writing backgrounds. They can give me competent documents, so I tend to look to that first. I'll take people out of audit backgrounds; a lot of people come in and they're very solid from that. Those would probably be the first two things I personally think about. So the next thing: you're in your career, and so again I have three things. I have three sections with three things in each; I did not do that by design. And this one, the first thing, is if you're a compliance analyst,
what do you need to be an expert in? What you're doing. So when I was at the bank, I had compliance experts who had not read the FFIEC. The FFIEC is the governing document for banks, and I'm like, how are you on the compliance team and you haven't read the regulation that you're responsible for? It's just negligence. You need to be an expert in whatever you're doing. That means continuous learning; it means constantly coming up with ways to think about what you need to do. And so being an expert: constant training, constant development. I'm going to drop down to the bottom here: every six months I pick a new topic that
I want to be an expert in. Last year my entire year was devoted to artificial intelligence. The first six months of this year were devoted to the industry of fintech, and there's fintech and there's insurance tech and there is regtech, but what does all this mean, what is this doing, how does it affect the market and how we're approaching the market at Akamai? The next thing is you have to understand how to be a good partner. So this next six months I'm actually studying marketing. It is hard for me to study something that I'm not excited about, but if I want to be a good partner... I already know what the CFO does because
I studied that early in my career. I already know what a lot of my partners do. So I said, what is the weakest leg in my stool? And I said it's marketing. So for six months I've got a mentor; it's the head of marketing at Akamai, who's now at another company but still my mentor, and I'm becoming an expert with my partner. So you have to be good at what you do. The next is you have to be able to lead. Now there are two things you can lead: you can manage a project or a product, or you can manage a team. Very few people are going to be able to
get through their entire career and not manage either. If you're just pounding out code all the time, you're probably still managing your projects. Right now you're going to go get certified as a Scrum Master, and that's how you're going to manage; that's the certificate and the leadership style that you're going to leverage in some companies. But you have to be able to lead, and so what does that take? How many people would like to come up here and take my place and be in front of people speaking? Some are comfortable there. I had an analyst, and I said, listen, if you want to move forward, you're going to have to be able to share your thoughts.
You're going to have to be able to get in front of the group. You're going to have to stand in front of the CEO, the CFO and the CISO and tell them why you think we had a data breach. Or I'm going to do that, and you're going to sit there and not get credit for what you did. I'm fine doing that for you, but if you want to grow, if you want the job I have, you've got to be able to stand up here. And he went to Toastmasters, which I was surprised is still around and still doing well, and Toastmasters got him to the point where he could go do that. He developed the skill to be a
leader, to stand in front, to share his ideas, to fight for what he thought. There are a number of books out there on how to be a leader; there are a number of ways you can do it. A common way I've encouraged my team is, if you don't want to do it at work, go volunteer. You can be on the BSides here; they need members of their committee. There are so many places you can go volunteer to develop your skills. Project management: there are just a ton of certifications. How many people have heard of PMP? How many have a PMP? You know, it's another... we'll talk about certifications and how useful or
useless they are later, but again it's another way to go get certified to develop your skill set. For me, sometimes I need an artificial deadline. Like when I said I was going to study artificial intelligence: after two months, do you know how much time I had spent studying artificial intelligence? Yeah, I saw a couple of zeros. It was pretty close to zero. So I went out and I signed up for a course to give myself an artificial deadline, because I know I need that. Yeah?
Yep, I like that. You know, if you put your money up you're more likely to follow through, even if it's the company's money; the company's going to hold you accountable. So yeah, that's what it was for me, it was that artificial deadline. Now, marketing I'm doing fine with, because again I have a mentor, and I have a meeting with my mentor, and they're going to say, did you do what you said you were going to do? And because I picked a mentor I have respect for, I'm really not going to show up to that meeting and be like, no, I blew off everything we agreed to. But how to become a great leader:
the other thing is how to get rid of bad habits. So my first leadership job was in a very specific industry. I was an Airborne Ranger, a lieutenant in the infantry, and it comes with a very specific leadership style. I am now pleasantly surprised when people are surprised I was in the military. It took a while to get rid of bad leadership styles, and you can learn as much from a bad leader as a good leader: things you don't want to do. But again, what's your goal? And the last is, if you don't understand how your company makes money, can you tell me what the risk is of any incident that happens? No. So
how many people subscribe to CFO magazine? I mean, why not? Why aren't you learning what your company cares about? By the way, if you want to get money out of the CFO for your next project, you should speak the same language he speaks. So again, understanding how your company makes revenue, reading your 10-K, understanding if there's a cyber statement in your 10-K if you're a publicly traded company, is important. Now again, how important is that to a SOC analyst day in and day out? Probably not important. But if you want to grow into the future, these are the skills I want you to think about developing. Now, all three of
these should be well-rounded, and for me I prefer a structured forward. Now, learning styles are another thing that I found interesting. So I read; I'm an avid reader. I probably go through three to five books a month, and one of those will be personal development. Right now I'm reading Atomic Habits, great book, I recommend it. One of those will be professional development: This Is How They Tell Me the World Ends, I got through it. And so when I was teaching a class, somebody was talking to me about something they had learned, and I'm like, where did you read that? And they said, I watched the History
Channel. And I'm like, I need to get over my prejudice; I'm a dinosaur, I believe in reading books. There's a group I belonged to for a long time called the Cybersecurity Canon that's out there, that does book reviews and recommends books to read. I've actually listened to audiobooks now. I do, you know, training on YouTube. There are so many ways to train. So again, if you ever thought about this, think about how you learn most effectively. Some people have to go physically do it; some people need a lab, that's fine. Other people can read. Other people... I'm a little ADD. So my wife is lying, I'm not super ADD,
I'm just a little. And so, you know, audiobooks are harder for me, because I'll realize I haven't heard anything for the last 20 minutes. So I won't do something that's important to me on an audiobook. So think about how you learn, invest in that, and follow up on that in a programmatic way. Anybody want to share ways they learn that may not be that common, or ways that they really love, or, you know, some channel they love?
[Audience, partially inaudible] ...fighting at the most importation, but it's pretty terrible, and I think
so really immersive, totally immersive.
[Audience] Learning leadership skills and management skills by overseeing a volunteer team, learning how to communicate with different people that are not paying to communicate, because age... then also, you know, judges versus pros over here, definitely a great way to learn your skills. One thing that I always tell people is, whether you're here on your work time or not on your work time, do a round-up at the end of doing this: what did you learn, what did you see new? And then when you go into your next performance review you say, my main report is that I learned something new by going to these events. You may not have wanted me to do it, but I learned something new,
and then you can present because you learned. Yeah, I was in training two weeks ago, and I have to take notes when I'm in training. I don't know if it's just because I'm institutionalized from so much school, but it's important for me to take notes, because when I write it down it really makes it go from short-term memory to long-term memory for me. I rarely go look at those notes, but for me it's a meta retention mechanism. Other thoughts or techniques?
So you say you do it in real time, you're on-the-job learning. Are you reading, are you talking to peers, how are you getting smart?
So yeah.
Yeah, and that's an interesting statement: if you really want to learn something, teach it. It's a quantum shift in what you have to synthesize and understand to be able to teach; it's huge.
And doing the hands-on, I also think, is much higher retention. So I studied for my CISSP, I took the exam, I went to a bar, I had a beer. How much of my retention washed away with that beer?
And so yeah, I think when you do it in a way that makes a difference, or you teach it... or, depending on how you studied, you know, if you took an exam cram and took the test, yeah, 95% with that first beer. So how would you go learn about how your company makes revenue? Are you comfortable going and asking your controller or your CFO? A lot of them will take on that mentorship role. Tons of video out there, and this is almost where you get to overload, so most, if you start to try to understand finance, are going to be how to work the stock market or, you know, how
the Treasury Department works, and that's why I like CFO magazine, and there are some others like that that are focused on how companies do it. But yeah, you should be able to understand, and if you're in a publicly traded company it should be fairly easy, because the documentation's out there: what your corporate strategy is. Again, CISOs love to say, oh well, my security is mapped to my corporate strategy. Oh great, what's your corporate strategy? It's classified. So, you know, it's worth learning all these. All right, so we talked about coming in, some ways to think about what makes sense to pursue when you start. Now you're in and you're building your career,
and sooner or later somebody is going to say, hey, you're kicking butt, I want you to be a manager, I want you to take over product development, I want you to do this next job. And you're going to say great and take it, and then your career is going to be managed by opportunities; you're not going to manage your career. And so now what I want to talk about is thinking about what you want for your last job, the job before you finally retire. So again I've picked three examples, and again, this was interesting, we'll talk about a fourth option here in a minute, don't let me forget. And so there are obviously other
examples, but I came up with three that I think are fairly representative. The first is you're an entrepreneur: you eventually want to run your own company. So your skill set is talking to investors and getting them to invest in you, hiring people, paying taxes, you know, running a company. It is not about being technically competent. Now, it's much easier to have a successful company if you have a good product or something that's in high demand, but ultimately that's not a guarantee of having a successful company. So if you're an entrepreneur, then the skill sets are suddenly very different. There's a book out, Angel Investing; I went and watched a couple of videos to decide if I wanted to read the book,
because that's one of my litmus tests now, and he's got a couple of great ways that he thinks about who he invests in. I don't have an entrepreneurial bone in my body, and so it was fascinating to me but not motivating. But, you know, step one is stepping out there and doing it, because on day one you are probably the CEO, the CFO, chief marketer, bottle washer, if you're starting your own business. Second option: you don't want to run a company, you want to be technical. You don't want to turn into Winterfeld, who hasn't touched a computer to do anything technical in a while. And when my daughter said, could you really hack into my computer, I
said, well, I'll be honest, I would probably need at least 30 days to rebuild the box and validate that the tools that I used are still there and still the right tools. I'd need two or three months to get competent on the tools again. I'd need at least a month to make sure I've built enough of an infrastructure with proxies and cutouts and Tor to cover myself. So I could probably hack your box in six months, but to be honest, I'll just go on the dark net and hire somebody to do it for a few thousand dollars and I'll be in tomorrow. And she's like, okay, I believe you,
but I don't have technical skills anymore. I can have architectural discussions, but I can't sit down on a box and do anything useful, so I surrendered that. Now, there are other CISOs that have not, so some are trying to keep that balance, and you can do it; they are successful. But for me, you know, how far away are you going to step from being technically competent? And if that's where you're excited to come to work, then think about being a CTO, and there are variations of this, you know, different titles. But then I'll come back to the guy that knows how to make things work, and they make good money
and it's a respectable position. So this again is a career. I'm going to come and I'm going to say, hey, I want you to manage a SOC team, and your answer should be, I don't know if that's going to make me a CTO. Can I manage the architecture team? Can I become the principal architect? Does being a SOC manager get me to being a principal architect?
[Audience, partially inaudible] Actually doing SOC operations, advantage... and SOC a little bit better. I'm not saying that you're only going to be getting worse, you know, you're almost
out together all of that, because as a CTO your profession is available, customers, me. Okay.
So going back to the previous slide: you need to be technically competent, you need to have leadership skills and revenue skills. So a CTO needs to have leadership skills. If the CTO is in an MSSP, then I would agree with you. If the CTO is, you know, securing, let's say the product is data loss prevention in the cloud, then the example is, I don't know that they would need as much management skill; an MSSP definitely would. I'm not saying so much. Correct.
And I could say that he could come in and build out the infrastructure and then take over the architects' team and still be the CTO, and the guy that ran out... So I don't want to go too far down the rabbit hole, but you're right, none of these mean you never manage people. Being a CTO: how many people know if their CTO manages people? Raise your hand if your CTO does manage people. And if they do not? So more CTOs than not are running teams today. And then the last is being a CISO, and here I would say you're probably needing more business skills, more leadership skills, than
anything else. You've got to be able to lead in a crisis. You've got to be able to convince people that your strategy is correct and they should fund your strategy. You have to be able to talk to a board. Talking to a board is a unique experience, and boards are becoming more and more technically competent, because more and more companies have a portion of their [inaudible] tied directly to their technology capabilities, and because of that you're seeing that more and more. Have you seen the recent SEC requirement to have somebody with computer security expertise on a board? So it's also becoming a regulatory requirement. So as a CISO,
one of the skills you should be developing is to become a board member, because you're going to go talk to the board. So there are courses in how to be a director. We're seeing more and more people do that, and I don't know that you need to go be certified in this. This is one I've heard mixed reviews on: whether or not you can go volunteer and be on a board of a non-profit and get credit for the same skills needed to be on a, you know, for-profit board. I tend to think that the skills should be somewhat transferable, but a lot of that is... I've seen a lot of debates on how
transferable that is today. So again...
[Audience] ...eight to ten years in the career field, building out some secure architecture, bringing things to market that have shown success, so
like, what's the youngest
chapter in the field? Virtual? So the question is, when do you see someone being ready to be a CSO, and what do you think of the virtual CSO? You know, if you're a startup, the qualifications are a lot lower, and everybody there is accepting higher levels of risk. Typically, once a company makes it to around 10 to 50 million in revenue, they start going away from the startup culture to a process-driven culture, because you have to; when you start getting to where not everybody knows Sally runs travel, you need a process to run travel, not a person. And then when you get up towards the
Fortune 5000, Fortune 500, then there's real financial responsibility and experience, and it goes along with it. So, you know, I don't have a problem with people coming out of college and taking a role at a startup, because everybody there kind of knows how much risk is being taken. Is that a fair answer?
[Audience] It takes longer to become a CSO.
Well,
I don't think... CTO and CISO are the Catch-22 positions: it's hard to get one until you've had one. And yeah, that's why you see people who have taken a step back in their career to get a title to move forward in the long run. And all those rules are in constant flux; I have no advice on whether or not that's a smart move. The second question was around the virtual CISO. So I feel really bad about this. I don't know if any of you listen to CyberWire, but Rick Howard on CyberWire and I were talking at RSA, and I was talking about the virtual CSO, and he goes, yeah,
we should talk about that on one of my shows. And we both kind of agreed on our stance, and before I got on the show I did some research. There are virtual CFOs, there are virtual CEOs, and the thought process is: I have a startup company, I don't want to be my own CEO, because Winterfeld said all those things that I don't want to do. I don't want to do marketing, I don't want to do hiring people. I want to be like the chief technical officer that's also the CEO, so I get a virtual one. I was shocked to see that there was a virtual CFO, because how many times have you seen people say,
what skill does the CISO need, do they need an MBA or a technical degree? That's been a big debate lately. You've never heard anybody say, should a CFO have a financial background? And that's always kind of irritated me, and the reason is so many CISOs go up to the board as technical advisors, not business advisors. They go up and talk about technology and risk, not about the business, and because of that the board wants people that are interested in making the business better, and they want CISOs that will talk about business: how to be a better partner, how to move the company forward.
[Audience, partially inaudible] ...very awesome Powerball through our industry that I think requirements actually be technical security experience.
So if you didn't hear the end, that was a statement that said CFOs being financially competent is a recent development; in 2004 the regulations started driving that, and we may see something similar in cyber security, where it's going to drive back to competence in the field rather than just good leadership skills and the ability to be a business partner. So again, the virtual CISO question: I think there is a role for the virtual CISO, but I think there's an incredible amount of danger, because if I have a virtual CISO for my startup, at what point do I need to hire a full-time CISO? Does a 50 million dollar company need a
full-time CISO if they're in manufacturing and have low intellectual property? Do they need a full-time CISO? And so I think there's a slippery slope here. I don't think it's necessarily a bad thing; I just don't know where that slippery slope starts to gain traction. Certifications... say again? Thank you. Oh, the fourth one, thank you, good catch. I was mentoring somebody and I was going through my schtick, and he says, well, what if my final job is to be a husband and a father? Well, that was an excellent question, and so it goes back to the balance. A lot of these jobs up here aren't designed for balance. And so
I would just encourage you to think about that as you decide what you want to do. And, you know, I've got a nephew who truly right now works to pay for his free time, so, you know, that's a great life and I don't have any objections to that.
[Laughter] I mean, you'll have great vacations, right? But it's absolutely...
And the statement was balance and timing. And so you may want to think about when you hit where I am, which is an empty nester, which is awesome; then, you know, maybe you can put more time into work. I've had so many high-travel jobs, it was interesting. My wife and I used to joke that when I retired she was going to have to come up with ways for me to stay out of the house enough to keep our relationship sane, and fortunately after the lockdown we discovered we still like each other, so retirement's going to work out. But yeah, that life balance is incredibly important. Certifications: so basically
they'll get you through the HR gate. That's all certifications are for, in my opinion. Auditors love them; I have my SOC go through an internal certification program because auditors now say, oh well, they're certified, they're good. So yeah, certifications are an HR gate. If you're interested in a job, spend some time on LinkedIn and see what certifications are required for the field you want to go into. So if you're going to go look for a job, here's my list. If you're looking for a job and you're not looking 20 to 40 hours a week, you're not looking for a job. Looking for your next job is a full-time
job, and so if you're not giving me 20 hours a week, I'm not going to help you find another job. Have a plan and execute it, things like, you know, activate your network: who are the 20 people that can help you find a next job, and do they know you're looking? LinkedIn and your resume should look the same, and they should only talk about the impacts you've had. That's what I'm looking for: what did you accomplish, what did you do? I don't care about your job titles or your duties. What did you accomplish? Go in, decide on your budget, decide on whether or not you're willing to move, decide how important a title is
before you start. Those are discussions to have with your family. Practice interviewing. Nobody here would go try to run a marathon tomorrow; you've got to train. Practice negotiation, practice interviewing. I've been interviewing a lot of people; I forgot, when I went to go interview, they're different muscles, so I had to go get back in shape to actually do an interview. And the last and most important thing: have an emotional support system. You will be told no 20 times before you get your job. Make sure you have a buddy or somebody, your wife, whoever it is, a support system to help you get through this. Thanks for your time.
Yeah, most of you will find a job through somebody you know, not a cold call.