
I'd like to turn it over to Manju thank you so much so thank you everyone for being so patient with all this scrambling on stage apparently it took like 11 goons to fix this so so thank you to all the goons my talk is called Redefining the Hacker and I just want to set expectations that it's actually more about inclusion and the way that we include people into the security job system and what we think of when we are interviewing people and interviewing candidates and what we think of when we think about expanding our teams a little bit about me I'm Manju I am a security director at Oath formerly Yahoo I am a
woman and I'm a security leader I'm in a group called the Paranoids at a company called Oath which is formerly Yahoo like I said there's Oath's recruiting booth right back there and the Paranoids is a really large security team of almost over a hundred and eighty people that have been with Yahoo and now are with AOL and Huffington Post and TechCrunch and Engadget and all those brands all together and we're the security team that manages all those brands people don't always know what Oath is I thought I explained up I'm also an ambivert meaning I need my downtime and I need my social time so it takes a little bit of energy for me to be up here but it also
recharges me to be at conferences and hang around my friends and see you guys again and girls I'm also a night owl most people know me as a severe night owl and most of this content was created at drea I want to talk a little bit about the definition of a hacker so we this really surprised me you know (ISC)² which is something that we are many of us are members of it had this definition in the cyber security lexicon and it said that it's a slang term meaning a hostile human so apparently we're all hostile and it is a threat to IT systems and IT security professional or vulnerability researcher or an amateur security person
so I saw a lot of trigger words in there I saw amateur I saw hostile I saw threat and I don't think that really defines who we are as security professionals and so it's really really concerned that (ISC)² is setting that out as their cybersecurity lexicon for newcomers so then I went to Merriam-Webster and I said okay well how do they define it so there's a couple different definitions and pretty much it's something around illegally gains access and tampers with information okay that's a little bit more accurate but I wouldn't necessarily say legal all the time everywhere it's also not an accurate definition problem solving I think I like that one that's the most
the most accurate one that I've seen and so moving on I also googled it and it says that a person who gains unauthorized access there are also references pirate key logger to cyberpunk activists which as we know for many of us who've been in security for a while are references to how some of the security research work and war driving and war dialing and phone phreaking and all of that stuff that the good old days with security that's how it began so I'm not satisfied with any of those definitions and I don't think it correctly represents who we are as security people and who we are as security professionals it also doesn't represent anything necessarily that all of these booths
back here recruiting for so let's talk about what it actually means before before we do that let's play security person or not security person we have challenged some of your biases here so okay this is a tinfoil dude and he I guess is a security person right well maybe not he may just have an excess of tinfoil so so then the next one is your your standard RSA graphic and this is what you see in every brochure this is what you see when you google any tech company that has any security services this is what you see on the front page does that really accurately reflect everything about who we are and what we do I don't think so
let me challenge your assumptions if it's a security person all right I don't know but uh okay what if I told you this person teaches Python security at the University of Bucharest is this a security person what if I told you that she has had 54 submissions on HackerOne is this a security person she is actually just sleeping at her desk and watching movies so that is not very well is this a security person she's actually helped a complex identity management system get working in her company and she's studying for her OSCP right now did you watch her is this a security person Oh somebody said HR Wow ok she is actually creating a Kanban board and remediating
vulnerabilities in her company so she is a security person I just challenged you a little bit there on what your definition of a security person is and what they're supposed to look like and what they're supposed to be doing because they're not all crouched over in hoodies hacking all the time I recently went to a security conference called Day of Shecurity and I had the honor of sharing the stage with these lovely women all of these women are security professionals and many of them are very well known in the industry tweet a lot longer bla and publish books some of them are actually represented here today and will be represented throughout the conference and throughout the week but
that's an example of all the diversity that exists in the security industry that actually does not go recognized when we're recruiting and when we're hiring and when we're staffing so a little bit about me I'm gonna tell you my personal story and just kind of throw it out there it's kind of personal so I am Manju like I said my personal story is that I've been in security for about 20 years I started in security for the government and I started a couple years before 9/11 and as far as my background before that we go way back to my childhood I immigrated to this country so I was an immigrant and many of the privileges that someone
would have on breaking the law or testing their boundaries were not afforded to me when you're not a citizen and I just want you to think about that for a second because I had friends and colleagues and stuff like that who constantly brag about breaking stuff and hacking stuff and all that and while that is absolutely a skill that's absolutely necessary it's something that not everyone can do if they're actually worried about their very ability to stay in this country or any country I before I actually joined security had 11 jobs 11 different jobs nothing to do with computers nothing to do with security so that means that I had that many professions that many different things
that I was touching and let's see I was a dental assistant I was a secretary I was in food service I was in sales I was also working in a bank I was in doing many different things and I think that one of the one of the flaws in recruiting is that we want someone to be consistently in security and that's not always true and we don't really look for that opportunity of all the different things they would have been in and how that actually leads to them being in security so I've seen a lot of breaches in my industry and have seen a lot of I've worked on a lot of breaches the first
breach I worked on in my career was actually 9/11 and did some investigations for that and throughout my career worked on things like TJX worked on others some on some other big brands I also worked helped investigate the gap of breach so breaches have been a consistent theme throughout my life but I gotta ask you know if we're being elitist about security people and what security people represent and what they're supposed to what skills are supposed to have why do we have so many breaches right so if they're we're so elitist and we have such special skills that no one else didn't have and no one else could be included in why are we doing it well
little reflection for you there the other personal story I have is from a woman named Fatima I met her at a security conference much smaller security conference years ago and she told me her story that's not actually her just so you know because she's the one her photo used but we take computers for granted we see them every day and we touch them every day and we think everyone has access to them and we think everyone can learn to program and be a hacker and everyone's Maslow's hierarchy is completely taken care of and that's actually I would I would want to challenge that a little bit so we take computers for granted she was born in
Delhi in the slums she often didn't go to school she sold vegetables in the market to help her parents when she became a little bit older she got a job as a cafeteria worker at a university and she went on to try and study at night or whenever she was when she whenever she had free time she actually taught herself systems and programming she also had the ability to try and read and all these same literature and things that she did was not afforded in the past so that was her first hurdle that she taught herself systems we don't realize that people are going through all those hurdles to get where they are but Fatima
did not have the support of her parents at all her parents wanted her to get married at age 16 and she challenged them and she went behind her back and kind of you know dark guarded them from her other life which was improving herself and getting into IT so let's evaluate you know a couple you've heard a couple stories now and let's see both of these people and many many more out there gained unauthorized access they were unsupported they solve problems they found a way to get in they wanted more they got more and they retained access that sounds pretty hackery to me so I just wanted to to challenge that and say sometimes people
have what it takes they may not have security on their resume but they have what it takes to start their career in security here's the problem we are facing a shortage right everywhere you go you hear this this stat that we're so understaffed we also hear that it's a thirty two percent of companies take six months for them to fill a role right so in 2016 they fit a hundred thousand jobs and now they're way up to way more than that they're predicting by 2022 this when you have 1.8 million I've even heard like 2.3 million and all those stats waiver of it what we can't agree on is that there's a talent gap and what we can agree on is
that 11 percent of the security industry or less are women I didn't go into the other diversity stats in this but that that is something what you do know and we do know there's a massive shortage so what are we doing to increase it we need to let more people in and we need to stop checking boxes right now people I've said I've been on interviews where I've seen candidates get drilled against CISSP books and that is not the way to get candidates in the door I've also seen candidates that are assumed to have years of security experience for junior role and there's a misalignment there for the hiring manager and it's up
to the people who are recruiting all that to set that expectation but what we're expecting of our workforce is way too much for what we need we need to fill these roles and we need to be more inclusive so what does it take what does it take to be a security person it takes attitude perseverance aptitude intelligence and passion there's lots of studies out there that say that attitude an aptitude and passion are actually the most important things perseverance also is extremely important in our industry because it's always changing and we're always challenged and intelligence intelligence ironically is the least of what we need but that's the first thing that we test for so we need
to change that Entrepreneur Magazine said that 80% of our success is based on our EQ and only 20% on our IQ but we're testing only for the IQ so what's holding us back why aren't we moving forward and filling all these positions and why aren't we moving forward with hiring people in the right role and why aren't we moving forward with giving people opportunity who've never before been in security it's because of unconscious bias so if you don't know what unconscious bias is it's a prejudice in favor of or against one thing person or a group compared to another usually in a way that's considered unfair unconscious bias gives us mental shortcuts preconceptions and flawed logic I don't
want to go make this session about unconscious bias but I really want you to go and read on it yourselves it's a big part of how we'll change the hiring for the security industry many big companies are actually doing talks and training on unconscious bias if your company does not have that I would encourage you to ask your company to start having that so then this is developed over time and it's subconscious and you don't know you're doing it so then how can you actually stop it because it's narrowing the pool that's getting hired and it's narrowing the pool that are getting promoted what you need to do is you need to slow down and
you need to examine your own biases potentially go through that training you need to make uniform decisions in your process is every candidate being tested against the same thing if it's a junior position is the bar too high is it more important for you to get a flow of candidates in and potentially increase your hiring pipeline and your organizational growth than it is for you to have the ideal candidate another thing you can do is you can challenge yourself and others you can challenge yourself by reflecting on your unconscious bias and that exists in many forms that exist in not just the people you interact with but the way that you experience situations and we're in the
workplace there's actually four kinds of unconscious bias there's affinity bias which leads to favor people who are just like us that's not gonna win us any points on increasing staff there's confirmation bias that leads us to search for an interpret for people and remember associations and perceptions so-and-so reminded me of something that I experienced in the past or so-and-so reminded me of a situation that was positive or negative there's the halo effect that's a third one which is someone having done something great so what happens in the halo effect is that one person that organization says this person's great or someone in your peer group or affiliation say this person's great and you just believe them
but great through association not judging on your own in the fourth way is something called cloven hoof effect which is generalized the negative aspects in other words someone tells you someone's awesome or horrible and you generalize the horrible you generalize negative more and you remember that that person with a negative association instead of a positive association those are all things that actually lead to unconscious bias and conscious bias in organizations and team growth the thing that I would ask everyone to do is practice empathy and get to know people get to know their stories and get to know the deeper selves of the candidates they're interviewing I want to bring something up called a bravery deficit
I don't know who's heard this was for this room okay a couple couple people have heard this so Reshma Saujani she's the founder of Girls Who Code and just wanted to throw a tidbit out there while you're managing the unconscious bias she did a study on girls and boys and the way they've learned and the way they speak up and the way they volunteer for things and it turns out it's not a question of ability it's a question of the difference of how boys and girls approach challenges so we're raising our girls to be perfect and girls are driven to be perfect or have all the answers before they actually apply for a job or actually
finish a task or actually finish a project in the third grade class she asked girls to code and she found that women or girls in this case were more likely to have a completely empty page and when she looked a little deeper the boys had lots of things on their page and then many of the girls had nothing and she looked a little deeper it turns out if you backspace or undo a few times the girls had written a bunch of stuff and undid it and they didn't keep it on the screen because it wasn't perfect and they didn't have the answers so what do you do you need to socialize your women and your girls to the
opposite for need for perfection we're socialized from the beginning to think about perfection and often they're afraid to raise their hand and ask for help when they could actually be on the path to achieving their task it's it's not out of the scope of my interest but probably I'll get to that personally with you I think it's a combination of all three of them it's a combination of societal pressures and how we're raising them some would say it's also biology but what you can do if you're raising young women and girls is to teach them that showing a little bit of effort or a little bit of work is better than showing perfect and that perfection is
the enemy so you can teach them that at this age they're also the last bit on my point is that they're also very afraid to raise their hand often women and girls who tend not to volunteer for things and tend not to speak up in class because they're afraid to raise their hand and because why because they don't have all the answers and they're taught that if they don't have all the answers they don't need to raise their hand but we often see little boys raise their hands without all the answers so last bit here's a resume I want you to look at that doesn't struggle with bravery here's one person that doesn't struggle with perseverance or bravery she has no
humility actually she seems to have she seems to be having zero humility about her brilliance and I wanted you to look at this resume somewhat comedically but somewhat challenge your own perceptions your unconscious bias because if that person walked in and sat across from you for a candidate as a candidate or a role you would have their unconscious bias before actually knowing her resume and with that I want to close out with a very inspirational quote from a really awesome security contributor Tarah Wheeler on the topic of bravery and perseverance if you aren't being rejected more than you're being accepted you're not asking for enough you're not reaching high enough and valuing yourself enough try new things
ask people who scare you to help you and begin to believe failing really is learning if you're winning constantly you're in a rut so here's to failing and winning and enjoying the rest of the conference I want to apologize that we started late for your presentation do you have a few moments to answer any questions so any questions for measure Chris [Music]
maybe it's more to lose more to lose if they've built a career they've built a salary and if they're shown to not know what their should know they might lose their job yeah it could just be that you're tired obviously but no I actually think that actually brings up a very good point there's different contributors in the workforce at different stages and genders and identities to through the security workforce and I think that a BSides talk on ageism in tech or ageism in security or aging in security would be a great topic for next year I'm saying find the right people to do the talk hi I'm from Brazil and I run I come from a hacking conference there which is the
biggest hacking conference in Latin America but we still fight a lot with fewer women it's very rare to find women that can go into a stage and give a speak with confidence in what they're saying because it's not that we don't have good tech girls it's just we do they are rare because it's mostly men but even the good ones they are right because hacking is kind of a new thing in Brazil it doesn't have even 50 50 years there so it's still a very toxic very very toxic community like full of haters and trolls so it's death threats are very common even for me that doesn't show up a lot because I'm an organizer I don't go up
in the stage but we are trying to do the conference this year 1/2 1/2 I have women speakers have women workshops have everything and it's being really really really hard I'm learning to give lectures so little girls can look at me in in this age and have the courage to do so as well so I would really like to ask you some advice since you are a woman in a staging of international conference what should I do to inspire those little girls I don't know security in Brazil the culture there but I think we an overall need to start holding sessions for kind of like Toastmasters for women help them want to be present and help them want to be outward facing
help them want to be in that limelight and not be afraid again it goes back to that perfection or bust they feel like they have to be perfect in order to be up here it's also that presenting is a process it is not a lot of people think that presenting is a hand-picked situation rather than understanding that there is researching the conference there is understanding what you need to do about the submission process and that is not something that's taught anywhere there are more and more conferences that are actually providing workshops do that I'm actually presenting on that at Diana on Thursday so because we realized that meant [Music]
the good news is we're making space we're making space now over the last few years for people who didn't traditionally grow up in a computer science or tech background to be a part of the security community because we're realizing the security is much more than just tech Josh I just want to say that uh the conference she's talking about is called Roadsec and I've been to that conference and it is an amazing conference and I think that perhaps among the people in the room we have maybe a stronger network than just her to reach out to the women that we know in the industry and encourage them to submit to that conference I think that
is a problem that we can help with in this very room in this very day by helping the publicize that that is a goal that they have and that the conference is really great and the the security community and culture in Brazil if you have not been is amazing everyone there is so passionate about it and you should go and see that for yourself and we should encourage the women in security that we know to submit so that's all I wanted that Thanks great we had one more question
um is it on I want to thank you so much oh I'm getting emotional and I don't usually I want to thank you so much for what you had to share and I want to thank you so much for being here mm-hmm I have something I really want to say and I hope it comes out okay um let me get a handle here I've been around a long time and
I'm angry no I'm just I'm angry that I'm emotional yeah it's I'm trying I mean I'm going there I'm going there so I'm really impressed with I'm really impressed with these two young people that just spoke I've avoided these for a long time and
one of the things that I want to say about security and our gender differences is that and I I'm not good with words and it's so hard for me behind the mic but I really want to say this they're one of the things that brought me here it's my first BSides really glad to be here thank you so much sure took me quite a bit to I gave a lot of free hugs to get my badge today and I'm grateful for that one of the things that I do want to say as far as some the wonderful stories that you shared and a lot of the women that are up there is this world can be
violent and our hacker community is no different and I think one of the struggles that we as women face when we go up and I'm not emotionally because I'm weak I'm emotional because I'm so passionate right now but what I'm about to say when women speak up and we're afraid to 1 being perfect as one but I think there's another underlying thing that we forget is that when we speak up and someone disagrees with us or if we make someone angry in many cultures around the world not not just America but many cultures around the world what we face is not just dissociation or someone being not hiring us what we face is violence we face death threats we
face harassment we faced so many juvenile things that I don't see my male counterparts in the past years hit I mean they they some but they they handle it a little bit differently and they're able to to bring it down but I think there's a fear-based thing that we also face other than just not being perfect and I think what it takes and what I have seen in just the last few years so grateful for this I'm not emotional I said weak just emotional because I'm so passionate it is all these women that are coming here and doing this especially women like this you say I'm doing this it's really hard I can't and I guess I wanted
to ask is eleven percent still is that really the correct statistic for women and security right now so um that really bothers me and I think if there's especially young people one of the things that I'm so grateful who are you bringing up there was a young man that spoke over here this new generation is amazing the new male generation these young guys I have seen some of the most amazing ways that they will speak up they will support they will say things and I think it's really there and I just want to thank you for being part of the beginning I really think this is the beginning of something really wonderful and I'm glad to see it I'm glad to be
here and and I face a lot of death threats I faced a lot of things and I'm grateful for for you to I'm just grateful you're being here and I just want to say if you're young and you're getting these kind of things you are not alone there are so many of us out there facing so many horrible things that some of this hacker culture can do just you're not alone and please keep coming back please people keep presenting and and I hate the mic and I hate talking but I force myself to do it because it's good for me and um thank you thank you for being here please give them back [Applause]