Separating Fact from Fiction: The Realities of Working in Government

hey everybody thank you we'll get started there right on time 11:30 uh thank you all for being here really appreciate it my name is Steve lazinski uh I in my day job work as a consultant critical infrastructure cyber security that gives me the opportunity to come out here and what I really enjoy is the Aerospace Village so if you're over at Defcon please come by and visit what I also enjoy is having spent time in and out of government military time which I kind of count as Government because I got to see all the the government offers in that respect uh but also in my other job since retiring looking at what's going on out

there what really is or isn't happening when it comes to working in the government so then because I have friends who know other friends that are now my friends uh aan and I damn it I knew it aan and I were talking about this last night if you caught us in the uh Cavalry track but being able to bring to this audience folks folks who are new to the industry who may have been in government and you're questioning do I want to go back or you've never been in government and you're thinking about it here's your experts and so again I appreciate you all coming here today and listening to us so uh I'll start with a

quick brief introduction go through some questions for them uh to be able to talk and have a conversation um we're going to open it up to questions and answers at the end so definitely think about if you want to ask something we may or may not have bribes up here for really good questions and things of that nature that we can offer uh but we want to be able to make sure that you can get your questions answered of what you want to know about folks who are working in government and what that is really like compared to what you may hear on a you know we'll call the stereotypes that are out there so let me start over here on

my right uh aan Islam she works in the office of the national cyber director uh on Workforce issues formerly at siza I have known her for several years uh this is not her first time at bsides or in a talk and again we got to I had the privilege last night getting a talk with her um but very familiar with these issues from a Workforce what the government's dealing with and from having worked in in government for several years um next to her is Chris Paris from the Department of Veterans Affairs again uh working his uh title as acting director of cyber workforce management at the VA again as a veteran I especially appreciate that work so thank

you uh first time joining here at bsides and on stage and another firsttimer over here on my left Arun viswanathan he is at the jet propulsion Laboratory um and he leads their cyber defense engineering and research uh and also a number of efforts that again I know from the Aerospace Village uh that getting to work with arunan and be a part of and again welcoming him as a firsttime attendee and then finally but not last but not least Tim Weston uh he is with TSA uh he's the director for strategy and risk also cyber security policy cordinator he's got law degrees he knows a lot of things and a lot of experience in government and absolutely not a

stranger to this community active in again the things in support with the village and other Villages you'll see him at a number of talks at De conife there also so again I really appreciate you all being here thank you for the time and uh been you know everything we've done to get ready for this so so let me start off with the this one I actually I I meant to tell you this one I'm going to ask all of you to go through so how did you get into your role how what made you want to go into government and and get started there so Ian please start us off no thank you for having me

here um so my pathway into uh first and foremost the cyber security field and then into government uh was being brave enough to leave my good old government job in DC government and I'm actually mid-career changer and taking the time off which I recognize not everybody has like the opportunity and um the time to do so to like go get uh a master's uh in in law uh cuz I was thinking originally I was just going to be a regular government attorney and come to find out I just saw a lot of really interesting problems um from multiple data breaches and incidents and really interesting hacks and seeing how it was impacting communities and regular citizens like

you and I who are presuming that our data is protected and um that we can just go about living our our lives but recognizing that there are number of organizations that we trust with our personal identifiable information so part of me wanted to explore that a bit more and um I was fortunate enough that first and foremost being a grad student and learning learning about cyber security policy hackathons uh through the Atlantic Council and engaging there to then finding out that there was also an summer internship uh working very closely with a lot of members within I'm the Cavalry Community who are also um were leading the Cyber statecraft initiative at the time and uh from there on building the

resume in portfolio to Showcase that my pre-existing policy and government Affairs skills were transferable I needed a layer on the cyber security knowledge getting firsthand knowledge also learning from the community as well how to serve as a translator to then go into DHS uh and this is sz's uh original name which was National programs and protection directorate so uh participating in a job fair and meeting with a hiring manager so that was actually like my foray into federal government getting into the cyber security policy career and making a lot of connections um not only within the federal space but realizing that I still needed to stay attuned and tie to different communities and going to the

various cons whether it was like bsize Las Vegas or even bsize DC Nova charm Delaware elsewhere to like stay plugged into what are the current issues because my portfolio actually started off as a cyber security strategist like serving multitude of portfolios to then Aviation cyber um and uh dealing with Workforce and training issues as well so there was a lot of different projects which I thought was very interesting and helpful and so that was my entryway into government excellent yeah hey good morning good morning everyone um can you hear me excellent can't fix this um so I think it's worth me starting off that I have a very liberal arts background uh I study theology uh philosophy German English I

actually wanted I thought I wanted to be a teacher so um I put out like a dozen applications didn't hear back luckily I had a internship at a a healthcare it startup at the time um I I quickly invested myself more in that career got into uh more sock 2 type two audits with the security and privacy teams uh got a mentor who was the chief operating officer who encouraged me uh to actually go back to school for cyber security so I at night I took cyber security policy classes um found out that the Social Security Administration was looking for infosec personnel on a whim through my application in there and uh it took a

while but after a year I got a federal position I worked under their their sizo and I was doing training policy education uh and I also ran their social engineering program which I found uh coming from a a less technical background probably least uh you know technical of many in the room there was a great fit between the the psychology aspect uh of what I was doing the the liberal arts the the communication and then needing that cyber security uh technical piece as well um from there I supported our ciso in looking at our Workforce where we needed to grow what capacity we needed to be at what types of Sears training experiences our folks

needed to have um and that brought me to where I'm at now which is VA uh I I came over under the prospect of being able to engage more externally so not just being confined to my department but engaging with folks like Ian and being able to affect change at a federal level um and so yeah that's that's where I'm at now absolutely yeah Mar he thanks Steve um so JPL is a little bit different than government JPL is uh what's called an ffrdc a federally funded research and development center so it's it's not government but it is sort of semi- government it's funded by NASA but we are managed by Caltech so it has a more

campy feel to how JPL Works uh so my U so I have a I had uh I got my PhD in computer science with the focus on Cyber from USC and while doing that I got to intern at JPL for a couple of uh times really loved the culture loved the work that they were doing and then around that time space cyber was really becoming very critical and not many people were really thinking about space cyber now if you look at for example Aviation Village and so on there's so much talk about space cyber that wasn't the case in 2015 2014 um so uh for me that was a very interesting opportunity because I didn't

want to go into a field in cber which was already saturated uh for example network security was very saturated by then there's so much work on knacks and firewalls and all that stuff that um it was hard to sort of make an impact and of course I loved space so this was a perfect opportunity to combine my uh interest in cyber and space together um and so I I was recruited around the time when they were setting up the Cyber uh the the Cyber defense uh for our missions um so we always had JPL always had the it security and it infrastructure and all that stuff but they never had a mission cyber security team uh so we were sort of the first

hires uh to build that capability um so so my team so I at at at JPL my team works on all aspects of a mission from the ground systems to the communication to the spacecraft and sort of doing an endtoend security uh of that uh and it involves many different things like uh things like compliance uh risk management risk analysis threat analysis threat intelligence uh and to many Advanced research topics because such a new field there is a lot of scope for uh research on uh new ways of doing things so a lot of my time uh I mean I started out as a researcher in the group now I manage the group and we have a broad spectrum of

activities like all the way from doing engineering like day-to-day engineering to also doing Advanced research um so I think thank you Steve and good morning um as Steve said I'm a I'm actually a recovering attorney now I discovered I have a heart and a soul it's kind of shocking um I got into government early on and I think it was mainly I come from a long line of teachers and civil servants um so going in a government out of law school was just kind of what made sense to me uh I initially started at the uh City of Oklahoma City doing litigation and working with them on a multitude of issues uh issues related to like water

treatment um excessive use of force cases uh fire department related matters um ultimately got recruited into a program out in DC uh because I because of that litigation background they were looking for attorneys uh who had some you know kind of unique experiences to help with some programs that DHS was standing up uh through that would to uh George Washington University got my Master's of law degree much like I am um in National Security and US foreign relations and it was there that I really unlocked you know that interest in cyber security policy and I had always dabbled in cyber security Electronics I worked at creative labs when I was in college and you know that was just something fun

to do uh and then I was like wait a minute I can actually do something with this um from there though I started asking questions I got to TSA was like hey well great we have this counterterrorism Mission this protection Mission there's this line in our authorizing statute that says the TSA administrator shall review cyber security threats Aviation what are we doing about that and started to kind of pull on that and out of that started kind of building a a legal practice within our chief council's office uh as Steve said I've been coming out here for summer camp for years and I had actually about six years ago I got back from def and there was a knock on my door and it

was from our chief of staff and said hey we need to develop a cyber security strategy and we hear you're the one to help us with that so just just make that happen yeah let's can you can you can you solve that overnight um but that I took that left what I was doing in the chief council's office moved into the policy side um helped draft our cyber security road map which was a 5-year strategy and then from that have helped then build out the various cyber security Poli policy related issues and measures that TSA is kind of leading on today so it was a kind of a Wandering path to get there but it's uh it's been

an interesting one yeah absolutely so hopefully as you're seeing and what was exciting for me to bring this group together is so many different backgrounds cyber security kind of not cyber all aspects of cyber because I'm not super technical either so I appreciate being able to have the smart technicians who can answer those questions and and things from there so uh one of the things I mentioned up front stereotypes right this whole title of separating fact from fiction there are stereotypes out there I know uh one of the things that I always heard sitting here when I was in the military call myself a at the time looking to get a job as I'm getting out thinking

about staying in the cyber security field what can I contribute things like that where do I go private sector mission was always thrown out well the government's got a mission okay I get that and I appreciate it with my background uh but Tim let me start with you not only did you get into it as we've all talked about it but you're you're certainly still there and we've all been in in different areas but what keeps you in that job it is cliche but it is that mission oriented Focus um you know transportation is one of those critical infrastructure sectors that affects everyone everyone utilizes it every single day you may not utilize the health sector every day you may not go

to the hospital every day I at least I hope you don't unless you're a doctor or a nurse in which case please continue to go to the hospital um you know not everyone uses dams every day but you know maybe you drink water that comes from a a reservoir or you use electricity that comes from it but transportation is something that is used by everyone it's Global um and helping to secure that system and make that system more resilient is kind of what keeps me going you know it's it's that CH it's a it's an unattainable challenge I think but that's what I like about it it's it there's something more we can keep doing to make it better yeah if you

don't mind him I I'll pick you back off that so uh I joined government because I was starting a family and I wanted stability and my dad was 30 years prior military worked for the government after that as a civilian and uh that's all I heard right secure a job get it once you're in you're in um some of that is true absolutely but what I think the better question is why why have I stayed for the last 12 years um and for that that answer um for me is that I get to work for an organization that is not profit driven at the end of the day I can if I need to and there are times when I need to I hit

that wall I think about other careers I think about what what I've done where I've where I've gone where I want to go I can draw a connection between what I'm doing yes it's three wayers down fourway down from the veteran that I'm serving but I can draw that connection I can say that I'm building the best freaking Workforce for our veterans who are going to give them the best care the best technology the best Solutions and honestly that's what keeps me moving um that and I found that once you're in there are so many possibilities um I won't go into all of them but as a as a policy and strategy planner Workforce developer I can take my skill set that

I've honed I can go work for a at at oncd I can go help them develop the National cyber Workforce education strategy I can go to ostp work on federal AI policy I can work for OPM it's just once you're in there's a a multitude of ways that you can apply that skill set without needing to leave the federal government and we can address all those acronyms afterwards they're good and I'm like yeah I know what you're saying but I'm with you I'm with you so personnel management office of Science and Technology policy Office of the national director Abol so sorry I won't do that again no no that's yeah that's okay I was just going to quickly

interject to say that it it really helps also um from my vantage point where I'm working where having subject matter experts like Chris like Arun like Tim in their respective agencies where we can then go in and say what are you seeing in your space please give us you know best practices advice and also as we're developing the national cyber Workforce and education strategy which was launched last week um then we want to make sure that the work that we're looking to then move forward during implementation phase is not just coming straight out the White House it's going to be a whole of nation effort a whole society effort we recognize that there's so many owners of

different processes and and also literally like the the doors and the gates that will let you in to different places so what is it that we can do to remove the red tape to remove those barriers to make things more accessible and and you know increasing the knowledge and awareness to then have more awesome folks like us that's in the room out in this field too yeah awesome I appreciate that um so I mean again stereotypes that's the theme that's the thing I've learned to how do you get past those so what's the biggest stereotype you've seen that's true or that you've seen and you're like that's completely not true I am and I'm going

to keep going back to no no totally I think we were we were talking about this uh ear in earlier during prep was like bureaucracy um yeah it's that what are the what are the ways in oh what does government do actually what does your agency do actually how does my role translate into this 2210 IT specialist position that you're advertising on USA jobs.gov um I see the job announcement but I'm really interested and eager I'm trying to frame my resume a certain way to make sure that you know I can't get picked up through the system but I'm also not very clear as to what your day-to-day entails and what your mission set is so there's

there there are those levers those levers and issues but we also recognize that uh some of us do a better job of branding and going out and explaining who we are and what we do um and some of us need a lot of a lot more work and support in that area and pass it yeah I mean I I'll picky back off that so bureaucracy that's that's like the easy target here it's it's everywhere um looking at the federal hiring right like we don't talk language that would be recognizable to everyone here we we we say that that we want an IT specialist in our announcements and we're actually looking for a defense analyst or an

incident responder um so why don't we do that right like why don't we change the titling why don't we uh very clearly in the job description tell you what we're actually going to assess you against and then follow through with an assessment to make sure you got the skills that uh you say you do those are things that we are working on which is exciting but something that you know a stereotype that I've had to come to to grips with is we move slow we move a lot slower than I would like um I've had to temper my expectations without being jaded and saying all right well that's just what it is um so yeah I think that's that's

the biggest stereotype that I would agree with the one that I disagree with um is that the government is is as a whole very inefficient or you could even say lazy that workers are lazy um I don't know if I've just had a very fortunate experience or I intentionally choose to surround myself with people who are not lazy but that is the biggest or or furthest thing that has been for my experience I work with amazing people um now granted are there are there inefficiencies at VA and the government absolutely are there inefficiencies in your private sector companies absolutely um for me it's been surrounding myself picking those people who are going to encourage me uh and having them surround

me to be a better person yeah and and I'll add in just my own perspective of both government time uh back at sisa in the middle of a crisis and there was still uncertainty about making the changes and like hey this is a crisis we should act fast certain things work really well certain things didn't and then and my current job it's a very large company there's tons of the paperwork and bureaucracy so uh even in the private sector trying to build a security team hey let's get this job description out took time and that was a small company example and a big one too so did I miss any yeah so I can so

another a stereotype that I do not agree with is that cyber security is all technical I mean there are so many aspects of cyber that um are often overlooked like legal for example policy um human uh interfacing uh those are all like so many uh just a few of the important aspects of cyber so you don't need to have a cyber path to get into cyber security there are so many different ways to get into cyber security um and I mean an example would be uh in my own work um I mean I lead tasks where we uh work with uh people across different domains it's not everybody in my team is not just a

cyber security engineer they are people who understand same missions they are people who understand uh human machine interfacing how do uh how should you build interfaces that work for humans uh how do you do how do you design processes that a human being can use or how do you integrate cyber security into a mission environment so there are so many um Dimensions to cyber security that often it comes I mean just because everybody equates cyber security to hacking that's sort of the first uh obvious thing but there's so much beyond that uh that often gets overlooked so there's so many opportunities yeah yeah um I I mentioned time at SC that was a very specific

focused on coid but very rewarding as that was a favorite thing I did as hard as it was uh but getting in to come in and focus on that and what are the projects what are the things that you've done Aron you you mentioned your favorite thing that you did you're like that's why I'm here and I like doing this okay so yeah so I mean at J so one of the first things that uh is really the impact that you're making because it's a problem that uh nobody really bothered with before our team was set up right so U the first thing that we started doing was really getting people aware uh there are many things that

we've done over the last 8 years of my uh you know eight years that I've been at JPL uh one of the things was we really uh tried to make the management aware of the problems by actually doing a live fishing demo we live fished a section of the management and showed them the results as to how easy it is for somebody to get to Fish you and how easy it is for somebody to just using information available outside on Google on your LinkedIn profiles on your published papers all that information to craft a fishing email to make you click a link and you know get malware installed on of course we didn't install malware but the

message was was was conveyed uh because the the the the thinking often is that we're all behind firewalls why should we bother why would anybody bother with us so that old that mentality had to go so that was one thing the other thing is we've also done a lot of work in uh really pushing the boundaries on like using Technologies like Ai and um other new technologies to build solutions that are now actually helping our missions do their work well um so I mean all in all I think it's been a it's been very rewarding because when when I joined there was really uh sort of an uh there were it was just too hard to

sell cyber to people it was always the question came back what is my return on investment which is a very hard question to answer for cyber but now with these demonstrations and of course the situation has changed there's a lot of federal laws now that NASA has to follow there's also a lot of threats out there which are uh much more severe and people read there's often there's more press coverage for threats um like the last year's incident with yat right before the uh you know the the invasion of Ukraine uh that was a big event so that really opened up people to okay so this is now possible so this is something like hitting close to home um so yeah so

all the work that we've done all the all that we've been saying is sort of now starting to really pay off and that's very rewarding so yeah absolutely so Tim I'm going throw this question to you what's the one thing about government service people don't know it's not even a stereotype it's a hidden secret of getting the opportunity to work where you have well it's hidden why would I no um not that the the opportunity to work with so many amazing people and and I know that that you know you get that with a lot of different organizations but kind of like like Ian and Chris were saying down there like the collaboration I see across especially the cyber

security Community within the federal government really is encouraging because it's one of those unifying uh threat streams and and you have a lot of people who are really dedicated to working together to solve that problem um you know and I didn't I didn't respond to the stereotype that I disagree with and it would you know I think Chris kind of touched on it you know the lazy government worker um out there there might be in or inefficiencies yes you're going to have those in any and every organization but my experience has been the exact opposite it's a lot of very dedicated people who work long hours sometimes you know when needed uh to respond to a crisis or to

avert a crisis or be proactive in preventing that crisis and and I actually see a lot more of that work on that prevention side I mean we're we're working together coming up with Creative Solutions learning how to leverage the bureaucracy to help us uh you know the old attorney and me is you know processes your friend and and it's needed in some cases you want to make sure that what you're doing you know you don't have government overreach in certain areas especially I work for a regulator so working you know within that regulatory sphere you don't want to have overreach on cybercity based regulations but you have to balance that with all right well there is a real need

though to affect some kind of change here because sometimes that voluntary model just doesn't work so what what's the creative solution to fix that um so to me that the hidden gym is you know working with some really good creative and dedicated people who really want to dig in and solve those problems that connects back to the mission good hey St can I want to go back to actually to the project question because um Arun you said something I wanted to touch on which is the diversity of skill sets within the Cyber Workforce the cyber security Workforce um and it also ties into this project that uh I'm really proud of so in 2019 we had uh m some of

you may know the nice Workforce framework it says hey there's 52 different types of cyber worker but who reads special Publications and 50 pages of PDF we yeah a and does actually I'm guilty too uh but we said look no one is actually going to interact with a a static PDF document so we worked with siza we worked with DOD and we built this tool called the Cyber career Pathways tool um just Google it if you haven't seen it check it out cuz I I feel like there might be someone like me in the room who's like you know what I'm not really technical but I want to get into this this field it shows all the

different types of roles you can play I mean there's there's the legal piece there's the Workforce Development there's the training there's the project management and then all of your traditional technology roles in there um so it's a really cool tool that helps helps me and it helps uh others engage on the types of ways that you can get involved you can be uh in the cyber security Workforce without being hands on the keyboard you know 24/7 and then I do want to touch on for 18 months I led this effort to try to get our technologist and our cybercity practitioners better PID cuz for years it's been you know it's a 20e problem of government does not pay

anything close to what industry can um but no one was really willing to take up the mantle and say all right well let's do something about it we had special rates and they were aging from you know 2003 onward uh so I'm really happy to say that we built this justification we submitted it it got approved um as of last month VA is paying 177% more across the board um that's not a plug for hiring but you know if you want to work for us sure but just in case just in case come talk to me after um but we were genuinely hopeful that every other agency is going to look to us they're going to either congratulate us or

they're going to say that's not fair and then they're going to go talk to Congress they're going to talk to you know their their appropriators and say how do we follow suit um and hopefully that that's government-wide change and then meanwhile where I'm at we're uh working closely with our colleagues within the Executive Office of the President um uh you know uh office of management and budget also as well as uh as uh Chris also mentioned earlier office of science technology policy National Security Council domestic policy Council list goes on because we're trying to ensure that the skill sets both Technical and non-technical are adequately represented for example there's a lot of talk and you'll see

this um coming up later in the week at Defcon that there's a lot of talk also around Ai and how do we also get ready for that next set of Workforce and the thing is regardless of to technology we need to have a Workforce that is ready to go at any given point in time regardless of what the tool may be and it's just uh not essentially like a plug andplay but almost an ability to like okay how can we ramp up and afford people the opportunities to onramp and off-ramp wherever they want so similar to what Chris mentioned with the Cyber career pathway tools and also looking at government resources such as the national uh Initiative for cyber

security of Education under nest uh the National Institutes for standards and technology is that you you want to afford folks also a chance who are technical because you might be interested one day in becoming the boss right you're going to then have to become a supervisor you're then also going to have to have that leadership training and budget training to understand what does that really mean to you know manage and oversee a team and the project where your technical expertise now is now training and providing that professional development and learning to then mentor and and groom and build you know your your organization and your portfolio too so there there it is a two-way uh streak

and the other piece also a hidden part that may not be commonly known is there are a lot of folks who work in government who used to work used to work in private sector and Academia and in community- based organizations and in hospitals and just decided you know I'm I'm really ready for a change and this is a time and I'm I'm I'm really eager to you know Pro uh provide you know this public service so and there is that transition like I personally um stepped out for a little bit and went into the think tank world after siza um to AR Street Institute and uh that was like an interesting opportunity where the visibility I had I had a chance to learn

more hear more provide constructive criticism and then take that skill set now and bring it back to where I'm currently at um with oncd office of national cyber director so just want to also share that you know those pathways are Ever Changing just as our lives are also Dynamic and Ever Changing I think that's one I I'm a big fan watching what US digital service has done the idea that you can come in and stay for an entire career you can come in and out you can do it there's all these options the government has realized and you're seeing it the government's on stage the government's present spot the FED is boring these days days defc con's the

same way that's good they are coming in to engage where you the subject matter experts are where you want to learn more about what they do in the same way so getting to see that over time has been uh great in that change so I failed at the very beginning I meant to ask and I apologize to my panel here uh for our audience who has never worked in government okay who has worked in government at least once at some Point Steve saw you sneak in awesome yeah so we got a good diverse in the sense of experiences to talk and share and things of that nature again what we want to do and really what I hope that you're

seeing and it was mentioned before is the diverse backgrounds it can be a full-time one career you know different jobs and all the things Tim's gotten to do it can be in and out of government the three of us have had private sector Ian has had private sector experience it's things you can choose because that flexibility is what people are looking for and then especially the very technical background the very not technical backgrounds and the things that are still cyber security and so the beauty of being able to understand where you can fit in no matter what you're looking at and then the other examples we talked about was people who are technical that don't want to be they

want to move over into the risk management side or they want to get in just those opportunities that government offers there too so um so panel I'll give you the last question and again I'll open it up for for all of you if somebody wants to do this they want to follow your path what do you recommend either like definitely do this or definitely don't you know mistakes you've made things they can learn from uh but what could you offer the audience who may be interested in these types of things I you want to start off yeah so um I'm going to kick off with a plug um as I mentioned earlier in the talk uh

White House released a national cyber Workforce and education strategy please go to White house.gov cyberwork force uh we created it's not just a strategy we because we understand again there's some folks who will love to dig dig into the details so if you have time to read a 60-page document please do sozy if you don't there are fact sheets and Sheet sheets and action sheets so we have um a set of action sheets that are catered to the workers the Ed Educators government and employers have a chance to see there's a it's a one pager it's even shorter than one pager when you have the the the banner and and the and the templ uh

stuff that there will be resources there available that will point to a number of government resources nice siza VA uh if you're also interested in the uh um intelligence side of the house there's multiple Avenues and also so for the Educators how can we support our K through 12 systems um uh community colleges higher educations we're looking at this as a whole of nation society and an ecosystem approach recognizing that we're all uh a part of this uh beautiful space so if you're very interested not only for yourself but also sharing those resources to your friends your families and colleagues I would recommend that um you start there and pick which one you feel be suitable for your needs thank

you Chris excellent yeah so aan talked about the the resources so um I won't cover that uh I in the beginning I told you I had a very liberal arts background theology philosophy English German um for me something like if you I guess if you want to follow in my footsteps be curious be deeply curious about the world around you why why are we doing what we're doing how are we doing it does it need to change and what's the role that you're going to play in that change um the other thing is my when I started my government career my dad told me it's easy to stand out I said all right well how Embrace challenges you

you will stand out very quickly if you're the one raising your hand there's an extra assignment I got it no problem I'll I don't know it I'll figure it out that's that's worked wonders for me in my career and then lastly um my recommendation but it's also one of my biggest regrets is not finding a mentor sooner um you have a a career trajectory that you want to go down find someone on it ask to talk with them ask if they'll take you under their wing because in finding that person they're going to know best you know you should pursue this experience you should talk to this person you should take this this class or get this certification I can't tell

you how beneficial finally when I did find a mentor those conversations have been to my career so find someone that will help you and stick with that person nice yeah I think everything that uh both Chris and ay said and then um if you're really looking for I think the U first thing that would be really choose your domain where you want to focus on like are you interested in space I interested in iot because cyber security is affects every single thing so um I mean I would recommend becoming sort of not becoming uh a generalist but sort of focusing on a domain because there's then there's more scope and you can grow better if you are a generalist um it's

also good but it then you need a a much more C A much uh more rigorous cyber security background to become a generalist but let's say if you pick like iot or Healthcare and so on there's so many problems in those areas that it's easy to start off with and every area is looking for people to uh come and contribute um I don't know somebody said the there's like 700,000 jobs in the cyber security sector uh that that remain to be filled I think that's true even across like private and there's just so many jobs out there um so pick your domain and then uh in terms of the resources I think the nist nice framework if nothing it'll at least

provide you a list of those jobs that you can look at the list and say okay this is what I think I'm interested in do Pathways tool sorry cyber career Pathways tool yes yes cyber career Pathways tool so you can look at the job descriptions and see what really appeals to you do you want to be a stock analyst do you want to be a vulnerabil researcher do you want to do risk management do you want to comply there's like so many of them and every and there's hiding in almost every every area so yeah that would be my the joy of being last you get to say yes I agree with everything um and I and I do actually uh I I Chris

what Chris said you know have a curiosity and I think that's something that's you know you see that across the hacker Community the researcher Community we all have that kind of innate curiosity how do things work why do they work the way they do and how can I make them better um you know I would rather hire someone with that level of curiosity who may not necessarily have the technical skills behind it I can't teach you desire I can't teach you a want to do something you have to have that in yourself I can teach you the technical aspects I can send you to a boot camp I can send you out here to listen to talks and engage with others

in that Technical Community to at least get you a level of understanding to help do the job that we want you to do but if you don't want to do that job I can't take that so for me the way and my approach to hiring in and bringing people in um and I think you'll see this as you kind of engage with and please if you're coming to Defcon uh come see us we have a booth at Defcon this year and we're hiring um you know don't poke too much fun at us we do work for the government and there may or may not be cookies um no seriously I have cookies here if anyone

wants cookies after this well that's um yeah I got you I got you um but what I can't like I said I really can't you know stress enough have a desire have that Curiosity to learn and want to do more um and I also agree get a mentor um they're very useful and regardless I think of what career you choose or where your path is have a mentor ideally have a mentor both in the career you want and outside of the career you want uh some of the best advice I ever got was the best job you're going to get is the job you didn't apply for and I found that to be very true

within just my own experience I never thought I would be in the position I'm in today when I started law school you know when I started even my undergraduate degree which was in accounting you know talk about being boring I wanted to work for the FBI that was my that was kind of like my ultimate goal like hey I'm going to do accounting I'm going to go to law school it took Russian I had it all set I don't use any of that right now well a little bit uh but you never know where you're going to end up and and you don't know where you're going to end up if you don't take the opportunity to ask people for that

advice and look for those opportunities that may not be apparent at first sight awesome so before I we right at the tail end we got time just for a couple of questions I want to make sure I told the panelists I would make sure because I want the opportunities if you're interested there's tons of resources QR codes that are up there for both TSA and VA other links you have these experts again I'm a big fan having done the back and forth and seen the value so if you're interested absolutely and of course they're up here uh but let me thank the panel first of all for your time the preparation and the the great

words that you said before I open it up so thank you all thanks thank you appreciate that someone come get cookies yes so in the question session to help you get motivated I we have microphones so wait for the microphone to come to you but right here sir in the Hat and Drake you tell me when to when to stop can I ask a multi-part question all right 26 Parts like six parts or two maybe two maybe three two sounds good um the first part of the question is you mentioned training and and learning and things like that how is the government's Budget on getting the training and the learning do they are they good at that

is that fact or fiction or where does that lie so historically I think it's varied the approach we're taking at TSA and that I'm kind of I'm really trying to build out is when we put together our our uh fy2 24 and fy2 federal budgets and I put in there look we need 200 positions in addition to that when I went forward and I met with our appropriators and we were and working with uh the staff to build out that budget I said I also need money for training and development and I actually and it's it's put in there now what you know we'll see what we get because we're dependent upon whatever the Congress

passes for a federal budget but we're trying to be very proactive uh you again back to my you know kind of the theme I'd much rather send my employees out to learn Le and engage and you have to have money to do it you can't just eat that out of your operating budget because you're not going to grow and you're not going to get the knowledge transfer that you need so we're working very hard like we have some money within each of our spe our cyber security uh programs that allow for that um and again that's one of the reasons like this year I think we've got about 30 different people from TSA who are out here at you know doing

trainings at black hat uh attending Defcon you know using that opportunity to learn and engage uh you have to build it in though and you have to be proactive so for the sake of time I think that's a fairly consistent across all your agencies would you agree I would say it's also how we P how we allocate the training right so up until a couple years ago it was just oh what search do you want to take what's the new shiny thing with the nice framework and these work roles that are Beyond just your IT specialist we're able to say hey you you know you are a vulnerability assessment analyst here is training certifications courseware that

actually maps to your job so I think we're able to allocate The Limited training budget we do have to courseware and experiences that actually align to someone uh and what they do yeah and the thing is real quick is that um also when you're applying and you have the conversations with uh departments and agencies make sure that's an ask so because a lot of times that's actually the biggest incentive that government can give it's um it's the it's the training it's the retention bonus there's like a few things that it's not commonly known and uh training is one of them um that is a a highly negotiated negotiable piece but it's also standard depending on which agency you're you're

going to um and they'll give you the flexibility to to use the training um how you see fit as it matches You Know Your Role Perfect all right one more and then second question real quick sorry um the the one thing I've always heard about the government is that they're more open to uh diversity inclusions and stuff like that than you would get um in other sectors mainly around nerd Divergent uh individuals right um is that fact or is that fiction and can you speak to that it's a it's a fact because I so my the team that I run uh JPL I can speak for JL very heavily um supportive of deia we have our own deia office that

was set up a couple of years ago and my own team has neurode diverent people uh and honestly in my opinion uh that diversity is very important for cyber security even neurod diversity is very important for cyber security because you get very different perspectives and I mean my and my half of my team is actually here at blackhead and Defcon this uh uh this year and yeah we have all kinds of people yes awesome thank you uh was there another I think you had your hand up first and then we'll get to you in the back a real quick question actually um I've seen all the job postings and so on available well what is a gs13 or gs14

what does that mean in a commerci in a in a you know in our world well public world I mean so that's just the scaling so GS is General Services uh scaling so it's uh different job series have different classifications so you can look it up in the the office of personnel management they have the different sorry breakouts of like you know a gs12 I think is like uh anywhere from like $70,000 to $111,000 whatever you know um and it covers like what they get paid and the general set of responsibilities they get right yeah so again this is the kind of one of the problems from government we use classification systems that are unique

to government they don't translate well to private sector um you know we're work that's one of the things we're all collectively I mean as we were at dinner last night I mean we're all working to fix that and kind of break that model but at the end of the day again back to the ocracy you're kind of bound to some of that yeah and okay let's let's grab real quick while we're moving the microphone we got one last question and then I'm getting the hook point to that we have an inter agency working group where we're having these conversations because we're also recognizing that there are disparities as well so that's one of the things that we're hoping to

work on uh moving forward okay I promised I we will get you afterwards go ahead last question hi I usually don't need microphone I have to use my teachers voice so I have many students who graduating with cyber security degrees and also we have government agency that contacting us and asking for people to apply and you know what the biggest issue now government is not cannabis friendly when it's kind of going to overcome this problem like I have students denied because they use cannabis that is a that's a good one uh I know I have it so so let me help you all out I know in our company right that's a consideration let me use an

examp I won't even get into that let me use an example being in the military 10 not even 10 years ago 2007 looking at cyber security issues how do we do things better in the military and the answer was you can have a bunch of dudes that look like me there's only so many of them and they only have so many talents or you can open it up for example you come to an event like this and she has purple hair and that dude has a mohawk and they look different and they look weird to you all and they may have done those things but if you don't find a way to engage them because

they're smart and they got the talent you're not going to benefit so trying to open that aperture there is no set answer both on the government side and the private side but it is it is an issue and I know folks are trying to look at it and figure it out so this is awesome thank you again I'm getting the big hook and I want to make make sure we'll be available the panelists will be available so thank you again for your time we really appreciate it