
Panel: Breaking Into Infosec

BSides Boston · 46:01 · Published 2017-05
About this talk
Are you interested in Information Security, but you don't know where to start? Are you a professional in another field, wanting to switch into Information Security? Or maybe you're a Security Professional looking to make a move, and want to know what hiring managers are looking for. In this panel we will cover various topics for shepherding your career in Information Security from three different perspectives. The panelists - including an educator, a recent convert, and a hiring manager - will field a series of questions on topics including: What skills are employers looking for? What resources are students currently leveraging? How can you get involved in Security (even if it's outside your current role)? ... and any other questions you might have!
Transcript (en)

All right, so what I'm going to do is go left to right from the actual presentation screen in terms of who we have here. Now, of course, they are right to left based on the actual seating here in the panel, so thank you, guys, for making this nice and confusing for everyone. So, first off, I want to introduce Ming Chow. He is a senior lecturer at Tufts University, Department of Computer Science. His areas of work are in web and mobile security and, of course, web and mobile engineering. Ming has spoken at numerous organizations and conferences, including the HTCIA, OWASP, InfoSec World, the Design Automation Conference (or DAC), DEF CON, Intel, SOURCE, and BSides a little bit of

an additive as well. He is also one of the chief reviewers of CFPs for the Wall of Sheep at DEF CON. Thank you, and welcome, Ming. That's the good one, the Wall of Sheep. We're still accepting, we're still accepting CFPs, and the good news is that a lot of first-time speakers, we take serious consideration of them, and we take a lot of pride that a lot of first-time speakers at the Wall of Sheep have gone on to bigger and better things. Thank you very much, Ming. Of course, I would also like to introduce Justin Pagano, who is a leader; he leads the security and operations engineering team at Rapid7, and he's a tall guy who loves

dogs, clearly, from his picture there. He's also very passionate about InfoSec, science, and grammar, and Oxford commas. So, full disclosure, Justin and I also both work together at Rapid7, so thank you very much for joining us today, Justin. Thanks for having me, Max. Internal joke there, of course, but we'll continue on. Also, I just wanted to finally introduce, who is again going to be over the audio here in a moment, let me just quickly put her over the audio so she can actually talk to all of you. Is this too loud? Tracy, can you actually say hi real quick? Hi, everyone. Awesome, thank you very much. Hey, Tracy. So, Tracy Maleeff left

behind a glamorous world of law firm librarianship, sorry, to seek out the white-hot spotlight of the information security industry. She started as an independent research business, or she has started an independent security business, in early 2016 called Sherpa Intelligence. Many of you probably know her from her Twitter handle, InfoSecSherpa. So she is providing competitive intelligence, news monitoring, and social media consulting services. She earned a Master of Library and Information Science degree at the University of Pittsburgh. She loves the Panthers, by the way; she'd like me to mention that. Tracy was recognized with the Wolters Kluwer Law and Business Innovation in Law Librarianship Award in 2016 and the Dow Jones Innovative Award of 2014. Innovation is her jam, to say the least.

When she is not able to guide, to guide up a mountain of information, she is studying hard and being a sponge to absorb everything InfoSec related. She likes OSINT research and two-factor authentication; dislikes bad passwords and sun-dried tomatoes. So thank you very much for joining us today, Tracy. Thank you so much for having me remotely, as I'm quarantined in sick bay here. Thank you for also not bringing con flu, so we appreciate that. Yes. And of course, lastly, there's myself. So I am Keith Hoodlet. I'm an engineer on the customer success team at Rapid7. I also recently co-founded the InfoSec Mentors Project, at http://infosecmentors.net, with my co-founder and good friend Jimmy Vo. I'm

passionate about helping people learn about security and information security and joining the industry, and I've presented, or created, I should say, a series of questions for the panel surrounding kind of three different viewpoints: one from the educator's viewpoint, one from the viewpoint of someone who is moving laterally into the industry from a different role, and of course one from the management viewpoint of the people that are actually doing the hiring. So with that, we're going to go ahead and get started here. So the first question is going to be for Ming Chow. So, Ming, question for you: what have you found to be the biggest challenge in preparing students for the industry? So I want to ask, how many of you here are in

industry, who's still a student? How many are...? Okay, so quite a few; there's a good amount here. I think the, what I find the most difficult, the most difficult thing I find, right, but you're going to be... the biggest challenge, so, yes, challenges. I think the biggest challenge is, I see a lot of schools, they wait too late to get students out of their comfort zone, and one of the things, and I'm sure Justin can probably say a little bit more about this, is, you know, it's the idea that, you know, when you get into industry, you get your first internship, a lot of students are walking in like deer in the headlights. I hear a lot of, I see

a lot of juniors, when they get their first internship, and they write to me at the end of the summer saying, 'I wish I got more instructions from...', 'I wish I got more feedback and supervision and instruction from my supervisor.' And my response is always this, my response is always: welcome to reality. Because you'll be lucky enough... I mean, in some courses, in an education, you're given a specification, you're given documentation on how to work on a problem, sometimes it's even, like, eleven pages long. You also get the number of points that you will get, you know, for checking off the boxes. You're not going to get that at a workplace, and

that is a huge adjustment that a lot of students need to make, is that everyone has been so beaten, so brainwashed, so trained to 'here's the instructions, here are the instructions, this is what you need to do, these are all the things that you need to get in order to get an A.' It doesn't work like that in the real world. And there's also a lack of opportunities, I see, in which students work on open-ended projects, where you'll be lucky enough to get a sentence about what to do. I think that's the biggest challenge of them all: get them out of that mindset and say, okay, you know, here's a pro... here,

here's a little task for you, here, here are a few books, go and do it. I think that's by far and away the biggest challenge I see. Yeah, that was something that I thought of as you were talking about that, is, looking back on my college education, I regret not joining some of the other clubs, like the information assurance club and other, like, offensive security clubs that happened to be in the school I was at. And for people who might be in schools right now that don't have those clubs, and you're not comfortable trying to start something up like that, leveraging the local meetup community is huge, and again that's something where I'm

not sure the school I went to, Penn State, had a meetup community, because Penn State's kind of in the middle of nowhere, but those two things, trying to use those two things to try to get over that challenge, is probably going to be hugely important for people who are either in academia and trying to get into the community, or, if you're not in the, I'm sorry, in the profession, and if you're not in the profession and you're not in academia, then those meetup communities are too huge, and, like, InfoSec Mentors, that's an example of something. Is that just for the area? Everybody, it's everywhere, it's worldwide. Yeah, sort of finding those groups of people who are

there to provide support for others to learn and join the profession is actually a good opportunity as well. For a question for Tracy: so, Tracy, being that you're a non-traditional move into the information security industry, and you certainly made a splash on Twitter and a lot of other things that you've done, speaking at other conferences, what have you found to be the biggest challenge for entering into the industry laterally? The biggest challenge I faced was talking to security pros, and if I talked to two security pros I'd get five opinions. So there's a lot of varying information and it's very confusing. You get people who will say to you, you know, 'What, what sort of, should I

study, you know, in InfoSec?' and you'll get things like, 'Well, you know, just get a CISSP.' Okay, well, you know, when you say that to someone, you're thinking, what is that, you know, if they're new. You'll get people who will say certs are everything; you'll get people who say certs mean nothing. So there's just such a wide range of information that is being thrown at you, or suggestions made at you, that it's very confusing and very overwhelming. And there were moments when I first started poking around, it was more just my quirky hobby, I wasn't really looking at it immediately as a job change or an industry change, but I, you know, you would finally find

another new person to talk to, and you kind of swap stories and, you know, share the same things, like, everybody keeps telling me this, but then I keep hearing this. And I know that there's, you know, there's no way that we can herd this whole sheep of security pros to get on one page, but if you're dispensing information, be mindful of, you know, of what you're saying, and maybe even give the asterisk of, okay, you'll make sure people say this, and that's why they'll tell you that certs mean nothing. But it's just kind of throwing things out there that is really a big challenge to get past. And I finally kind of put it together in my

brain to get some background information about the person who is dispensing that information, and that helped put those suggestions into a framework where I could understand their motivation for saying it, and then either, you know, accepted it or disregarded it based on, you know, what I wanted to do. So that was really the biggest challenge, was sifting the wheat from the chaff, so to speak, of, you know, understanding the information that people were telling you. This is actually a good opportunity as well, since, Justin, you are a hiring manager in security; I'd be curious to know what you found to be the biggest challenge in actually hiring for the industry, in terms of maybe looking for skill sets,

looking for certifications, education, etc. Yeah, for us right now we're kind of shifting our focus a little bit in terms of skill sets we're looking for, and we're really looking for people who have strong software engineering backgrounds or development backgrounds, especially within a broader context of working in some other security... And it's hard enough as it is to find good security talent for both technical and non-technical roles, but when you throw in basically another role's skill set into the mix, fully or partially, it becomes even more challenging. But for people who are looking to break into InfoSec, if you already have some security certifications, you have some security knowledge, and you really want to bolster your resume, essentially I

think software development skills are going to become more and more important, as trying to keep up with the latest threats and attacker trends requires, you know, automation of different security processes. And there is that huge skill shortage that people keep talking about, you know, there are going to be, like, one to one and a half million unfilled security positions around the world by 2020. And it's like, okay, well, let's assume we're not going to find all those people, like, we definitely haven't found them today, so what's an alternative that can either help us fill that gap temporarily or permanently? And having those software development skills to automate a lot of the manual work that we would otherwise need more humans

to do is going to be hugely important. That's actually a really great segue for my next question, which is for Ming: what skills are you encouraging students to focus on learning? So what I've been encouraging students to do are a couple of things. I encourage them to learn, well, I get a lot of criticism for doing this, and first and foremost, the most important point in a lot of my courses, the way I structure them, is learning how to learn. Learning how to learn. And the reason why that's an important skill is, look, there's going to be new stuff all the time, there's going to be a lot of new

technologies that are going to be coming out, you know, every day, and it's going to be very... and one of the things about technology is that it moves very fast. It moves very, very fast. So yeah, a lot of students criticize the fact that, you know, a lot of my assignments are kind of loosely vague, and I let them, you know, in order to, you know, get to what they need to accomplish, they've got to look at things like Google and Stack Overflow. Well, yes, and the reason for that is, look, when I was a student way back in the day, 15 years ago now, I didn't take a course in web, I

didn't take a course in mobile, I didn't take a course in cybersecurity; heck, it didn't even exist. So what did I have to do? I learned from people, I learned from different resources, a typical, odd set of different resources. Even, is anyone a fan of cooking here? Anyone a fan of cooking? I mean, how do you learn how to cook? You learn how to cook by, you learn how to cook by watching YouTube videos, YouTube, and sometimes cookbooks from other people. Same analogy, same thing applies in technology, same thing in this field. The other two things I stress, you know, and I feel that we've moved away from this over the last few years, I think we've forgotten

the basics. I think we've forgotten how to read and write properly, and communication skills, and I'm sure, Justin, you must have, I mean, I'm sure you and I can wrangle with this and we can complain a lot about this, about how that skill is basically lacking. If I had my way, I mean, the other thing I wish I would tell people, which I don't do, you know, an area I could ask, I'd tell students to do, yeah, take a course on public speaking. Again, basic communication skills. So just to summarize: learning how to learn, taking responsibility for your own learning, and the real basic skills are reading and writing, things that last forever.

That point about learning how to learn is huge, but it's hard, because it's easy to say, well, you just need to learn how to learn more, but that's such an abstract thing, like, how do you do that? And I don't know all the ways you could possibly teach yourself how to learn better, but I remember an important part of my college education was taking classes, you know, we had electives, but I focused on some different categories of electives, like philosophy classes, and this helped me, but I remember it completely changed the way I just thought in general, you know, some intro to philosophy classes in philosophy and logic and whatnot. But on top of that, learning how to learn,

bolstering that abstract skill, I think can be done by just experimenting and tinkering, and just, not tinkering blindly, but pick something small that you want to learn about and just run through it step by step, and then break it down and build it back up, or build things from scratch, whether it's hardware, software, or something like that, and it's just going to change how you approach solving new problems. And it's something that takes a lot of time to develop, and I don't think there are that many people out there who have, like, fantastic learning-how-to-learn skill sets, but it's just something you have to develop over time so that you're better suited to

not just break into InfoSec but move within that field, because you might break into a position where it wasn't what you expected security to be. You're going to be like, I want out, okay, I still want to try this other area of security, but, like, that has almost a completely different skill set. I'm curious what Tracy thinks, coming from a law background. Yeah, and actually that was kind of my next question as well, is for Tracy, because you have more of that public speaking, that kind of communications background. I'm curious to know what skills you're currently working on to get more of a technical knowledge as well, because you have that mindset of knowing how to consume

information, and you've built kind of that other side of what Justin and Ming are suggesting; when you build those skills, you have those skills. What are some of the technical things that you think would be worth covering, or things that you found valuable in learning more about? Yeah, that's a great question. Yeah, I am in a unique position of already coming into this with the soft skills, with the research skills, with the information organization skills, so I'm focusing on the techie side, in attending workshops and classes, and I'm working on the Net+. I have, you know, in my mind, you know, I've accepted the fact that certifications are going to be a point, you know, the way

to get past the gatekeepers, you know, into places. So I'm working on that, plus, first, and just the technical side of, you know, I want to be able to basically read the tweets in my timeline when people make mention of technical things. And so I do that, yeah, through structured learning, but I also do it on my own. There was a tweet that I sent out today, and some earlier, that were going around, of, you know, don't make someone feel bad if they don't know something, or, you know, mock them for asking questions. I ask questions all the time. If I see a technical term that I don't understand, I go to someone whom I know is

approachable and, you know, 'What does this mean? What, you know, what's a RAT? What is, you know, what is this? What do these things mean?' So for me, I'm focusing on the technical side. And it used to stress me out, because I kept saying to myself, I have all these many years of lost time to make up for, and it was just, it was overwhelming. And finally someone said to me, well, the technology changes dramatically basically every three years, so he said to me, 'I actually envy you.' He's like, 'I have all this useless information and it's stored in my brain,' he's like, 'but you get to look at this

all new and just build on all the new things going forward.' So that really changed my point of view and lowered my stress level. So I'm just, I'm looking at tech right now, and along the way I also want to help others, so I know just enough to be dangerous to talk to less technical audiences than my skill set, and just starting, I mean, even with vocabulary words, I'll seize the librarian groups and just kind of introduce, you know, the term DDoS to them and what it means, and what it means in context to them doing research and things like that. So it's definitely very technically focused at this point, and I do long for the days when I could read a

novel again, but until then I'm going to just focus on reading a technical book. Awesome. So this is actually a good segue into a question for Justin, which is, what are some of the resources that your team is leveraging to develop some of these skills? You say research? Resources. So, like, are there any particular websites or particular books that you guys have consumed or enjoyed, or tools that you like to work with and play with, to develop your skill sets? There are those different, what are they, MOOCs, like massively online... okay, like online courses? Yep. Yeah, yeah, that every now and then will run a deal, so a course that's usually 150 bucks is like 10 bucks,

and it's, you know, eight hours, 20 hours, 40 hours of training about, like, everything you need to know to get started building web apps in Python, or something like that. Those are awesome because you get to do it at your own pace, and it's not just 'read this book and maybe pop this...', what you used to do, put a CD into your computer, but now I don't know what they do for those certification books anymore. Oh, you go to, like, a website, download the content or something, and watch, like, a slideshow. But those online training platforms like Udemy, and, you know, Codecademy is kind of a lite version of that, or at least the last time I

checked, you're getting your hands dirty and you're actually building things and doing things actively along with the instruction. Those are pretty invaluable because they don't just cover security topics; they'll cover, you know, other topics within technology and outside of technology. Trying to think of other resources. I'm thinking I'll let Ming chime in, and I actually do have a planned question for Ming that's also contingent on that. So what are some of the resources, Ming, that you're actually suggesting students go through? Are there any specific books or websites that you've really enjoyed, or even, like, programs, or anything that you think has been really valuable to your students to start getting involved in

pursuing, like, learning? Oh, you mean in terms of resources, in terms of websites? I'd say, well, one resource I mention all the time to people: Hacker News. Here's the reason why: it's a good smorgasbord of not only just tech but also the societal context of technology, and it really has a good collection of, you know, current events and resources, ranging from how to build something, exactly what Justin was saying, like, how do you actually build a mobile app with React Native, and you can even get into discussions such as, well, what happened yesterday with the Shadow Brokers releasing the next dump of various, I'd say, you know, NSA tools. It's a real

good smorgasbord of, okay, what's going on right now. But that's what security is; I mean, security, what the field is, is not just a technical field, it's also a non-technical field, and that's one of the beautiful things, I think, one of the beautiful things about the field is that, you know, anyone can get into it. The barrier of entry is pretty low. If you're interested in the legal piece of cybersecurity, then you can focus on the legal side. If you're interested in the privacy piece, then go into privacy. If you're interested in the educational piece of it, then you go into the educational piece of cybersecurity. But it's a broad, broad field. I would also like to add, I

feel very grateful that I also have some other resources as well, too, and, wait, are you ready? Yeah, it's Nick Davis, there it is, and also Sarah Gibson, that is right over there. And Nick is a former student of mine who's now at Rapid7, Sarah at Pure Code, and yet another resource I can add is, like, me, Tracy, Keith, Justin. And one of the things I have that is very important, I tell students, is that, you know, the other, the most important resource, I think, is also people, as a networking piece. I think people kind of forget how small this field is. Somehow, in some way, everyone knows each other, and, you know, it's, and I

wish I knew that a lot earlier. I've certainly brainwashed a lot of, like, students that it's not what you know, it's who you know, and I'm sure for those of you who've been in this field that resonates with you every day. Absolutely. Justin, anything to add for the resources side before we move on to the next set of questions? Well, I was thinking about how people can be successful after they have just broken into InfoSec, because I think a lot of people here, if you're trying to break into InfoSec and you actually have a strong desire to do it, I think you'll be able to do it, but once you get

in, Jack mentioned in his keynote before that counterintuitive point of doing more work, like, look for more new things to do within security, and this is something that, you know, from my personal experience, I feel like it's benefiting, Benton, benefited, words, benefited, oh, there it is, benefited me a lot. When I first broke into InfoSec, I started out, well, before that I was doing some software engineering work, unstructured, at a large bank in Pittsburgh, and then I ended up working at Freddie Mac, and I had worked with the recruiters there, telling them, like, I really want to do security work, I don't have any security experience, I got the Security+ certification a few months

ago, what do you think? And the first project they put me on was working on a software engineering team but consuming, you know, application security reports, static code analysis reports, coming from the security team, and I had to go fix those bugs. But eventually, you know, I was already within a rotational program there, and that helps, but after I had moved on to my next rotation, which was non-technical security work on a governance team, I started meeting other folks within the broader security department and asking questions and looking around, and eventually one of the managers there came up to me and asked me to help part-time do some of their security risk analyses, and then eventually I started

to get exposed to doing web application penetration testing, and I learned a whole bunch of stuff in a very short amount of time. And it really just boils down to persistence and motivation, and that comes naturally when you have, you know, an innate, an innate interest. Words are hard today. Thank you very much, words. So one other question I had, and this is more specifically for Tracy, so, Tracy, are there any specific resources that you found useful, in terms of other websites or books, that you feel are worth mentioning, or something that people that are looking to break into the industry would find beneficial? So the librarian gets the book question, absolutely. Well, I actually was going to

talk about social media as being a key resource. You know, online resources are great. Just to kind of tag along with what Ming said about people, you know, don't forget that if you start to follow some big names, you know, or well-known names, or just people in InfoSec whom you trust, you know, for their knowledge, I take the point of view of, you know, if they're tweeting an article, if they, you know, went through the effort to send out an article and post on social media, I should read that, because that is a reading suggestion. As far as, you know, physical books, off the top of my head I can't

think of any. There's a lot. If you go to my blog, I have lots of books that I've received suggestions for from people, and I've just kind of posted them there. I've been so buried in just actual manuals and things like that that I can't really recommend anything specific, but I just don't want to, you know, play down the social media aspect at all. That's a really crucial tool for learning, even just following conversations, you know, if I see words that I don't know, I look them up. If people are tweeting articles or posting articles to LinkedIn, to me that's a sign that that's something that I should read.

There's a tool called Nuzzel, which is a Twitter aggregator, and you can follow people and see the things that they're posting, and if you see that there's a security article that thirty people in your Twitter network have read or have interacted with, then you might want to make it a priority to read that, if so many people are looking at it. So, you know, kind of look to social media as a tool as well. Awesome. And one other thing as well, I know specifically for books, one of the places that I've gone is the Palo Alto Networks Cybersecurity Canon, that's C-A-N-O-N. They have a lot of novels, technical books, recommendations that they've kind of read through and

rated, and said it's worth reading. So if you're looking for just some place to start, that's one place that I've enjoyed personally. So we're going to kind of take a bit of a step ahead on some of the questions that I've written, just given time, and this next topic is going to be more specifically tied to certifications, and I'm going to ask kind of each of their viewpoints on certifications from different perspectives. So starting with Ming, I just want to ask, Ming, do you encourage students to pursue certifications, and why or why not, from your perspective? Okay, so what I'm going to do is, how many people here have certifications? How many people, like, in

some way, a form? Okay. So I'm going to echo something that Tracy said earlier on, because this is actually just what Tracy said earlier, segues into this conversation, and I'm sure I heard that Tracy heard I have very mixed opinions on certification, was that right, Tracy? Probably, yes. Okay, there's a lot of articles out there on the dubious value of certain certifications. I think we all know, I think we know what certification is in question here. I think we know a few letters in it. Yeah, a few letters in it. And the worst thing that you want to do, to answer this question, is if you go completely bad-mouthing a certification or the idea of

certification. I do advocate, on a side note very related to that, I did have a certification, the GCIH through SANS Institute, and I do advocate for them, I advocate for the SANS Institute, I know what they offer, I'm an alumnus, and it has served me well. I'm no longer certified, my certification has expired. There are some good ones out there. The best answer is, and I've gotten this question a few times from students, perhaps I will answer that question in a way that was passed down to me by a gentleman named Peter Sullivan, I believe he's at CMU, at Carnegie Mellon. He was on the HTCIA, the high-tech crime investigation association, in 2007. I was, like many of,

I was, like many people, trying to figure out what to do with my next step in my career, in my life. I mean, I was at a loss, I was literally at a standstill, and I was questioning, I had been seriously considering getting the CISSP, and I asked Peter at an HTCIA meeting, 'Peter, you know, I am trying to figure out what to do with my next step in my life, and I'm seriously considering the CISSP, because it seemed like the way to get into the door of a lot of information security, a lot of security positions.' Peter just stood there for 30 seconds,

dead silent. He asked me these, he said these words to me: 'Do you need it?' Bang. That just woke me up. That really, really hit me like a truck. I had to ask myself, did I need it? And I answered, the short answer was no, I didn't need it. In some places, if you're going to, like, the Department of Defense, or in some jobs, yeah, you actually do need a certification. It's a case-by-case basis, and it's a very... the one, but if you're going, I'm not gonna, you know, say yes or no, but the best answer is: ask yourself, do you need that certification? And this is also a good one for Justin, I think, as well, as when

you're reviewing resumes, is it that you find you're more likely to interview someone because they have a certification, or is it more of, like, and it depends, it's like a maybe icing-on-the-cake situation, or is it, you know, this person has a certification, therefore I'm considering that I should probably interview them? Yeah, so the roles that I interview for involve more technical security work around building tooling and performing different security operations, like incident response and vulnerability management and things like that. So we're keeping an eye out for practical, demonstrable experience in those areas, and a certification isn't a disqualification for those roles, but it's not something that's a requirement either. If someone

has a certification and puts it on their resume, I'll be like, oh, so I think I understand what they went through to get that, like, I went through the CISSP, whatever the most popular book was at the time, and the exam, and my previous employer paid for it, so it was, you know, worth doing in my mind. But I think what Ming was saying is spot-on: it depends. Like, whether or not you get a certain certification, do you need it to get into a certain role you're trying to get into? You definitely get some valuable knowledge out of studying for those exams. Some of that knowledge is definitely outdated, but now you're getting some historical knowledge that

adds context to, you know, future problems you go out and solve. I think Jack made a good point during his keynote about how in the security space there are definitely some personalities who cross that boundary between skepticism and cynicism, and they become too cynical about things. There is a lot of bashing of certifications, there are lots of criticisms of the value of them, but I don't think they have no value at all. I just don't think that they're a hurdle that everyone's going to have to get over to prove their worth within the InfoSec space, or when they go to break into the InfoSec space. I think you'll find more employers these

days will be more impressed by a small project that you have in your GitHub repo: "Look, I wrote this Python script or web app that does XYZ security thing. Oh, and you know, I'm associated with, or I participate in, these security groups in the area." There are all these other ways, other than certifications, where you can prove to employers out there that yes, I am qualified for this role. But certainly, if a job posting says minimum requirements: CISSP or Security+, like, yeah, get it, and it's not going to be a complete waste of time. Like, some of that knowledge you get might not be useful, but other parts of it will be. It's

kind of absurd to say it's a complete waste of time and money, especially if it does help you get that job that you're trying to get. Thank you. So moving away from the talk of certifications, Tracy, I'm interested in getting your thoughts on what transferable skills outside of information security you have found to be an asset as you've been moving into the industry. Being able to talk good has been a big skill, yes: being able to speak to people on different levels within an organization with different skill sets. You know, I come from a background where I'm used to having to enforce copyright within an organization, and in some ways it's not that much different

than security, because if you do either one wrong, you get into trouble. So I'm used to being able, you know, to speak to different levels of people, and the organization of information, being able to, you know, think through things with the user in mind, thinking of library policies, or even research. You know, handing over research to someone: yes, this person is a well-educated lawyer that I was doing research for, but they're still a human with all kinds of information surrounding them that they have to work on for different cases. So being able to be proactive and sort information in such a way that it can be absorbed more easily, those are a lot

of the non-security skills that I have that I see are lacking, and sometimes it's very frustrating for me, coming from such an organized environment, to look around in the security world, and sometimes I'm just like, "Let me organize that for you, like, let me help you, let me organize some things." And yeah, so some of the chaos of the security world is just very foreign to me. Awesome, thank you. Do either of you, I mean, because we're coming to the top of the hour, I want to make sure we grab a couple other questions. Did you guys have anything you wanted to quickly add in on top of that, in terms of, like, skills outside of the

technology, or maybe the understanding of security, that are beneficial to the job? Yeah, the Risky Business podcast is a great podcast. Like a lot of podcasts, they type up their show notes that have, you know, 20 or so links in them to very relevant articles about what's happening in the security space, and they have some interesting interviews as well. Also, if you're trying to have more relevant or well-rounded skills or experience when breaking into InfoSec, or building out your job opportunities after you break into InfoSec: learning about, like, DevOps practices and tooling like Chef, and getting exposure, like, go to a DevOps meetup and a security meetup, like, get exposure to that community as well,

because when you break into InfoSec, you're going to be working with those people a lot, and those skill sets are going to help you do a better job at security. Awesome. So I'm going to echo both what Justin and Tracy said, I mean, they nailed it spot-on, and I actually would like to add them both together. Anyone here from UMass Amherst? Anyone? Anyone here from UMass Amherst? So Brian Levine, who is a professor in the computer science department, said last year at the sicán New England Security Day, he had a slide that should resonate pretty well: educate yourself loudly, because sometimes the best answer is not

technical. I don't know if a lot of people know, but I worked here at Harvard for 10 years. I left in 2010. It was a very good 10 years, but it was time for me to go, and I left on my own terms, so it's interesting to be back here at Harvard. I worked in environmental health and safety, and I was the only tech guy in environmental health and safety, and one of the things that really served me well, working with a lot of non-technical people, was I had to communicate a lot of ideas, and that served me well for a number of reasons, but three things in particular. Number one, I had to communicate with a

lot of non-technical people, so it wasn't about the programming language, the framework, the database problem, no, it had to be in simple, simple language that business people, the business owners and the stakeholders, had to know. Well, that's number one. Number two is, it was environmental health and safety, and, you know, now when I think a lot about the past, I'm very grateful for the opportunity that I had here at Harvard working in environmental health and safety, and the reason is because, you know, it was health and safety, and what it means is health and safety first. If you go to a civil environmental engineering program, you can't get a civil environmental engineering

degree without learning about health and safety, but you can walk away with a computer science or computer engineering degree without knowing a damn thing about health, safety and security, and I feel ultimately that's probably why we have a lot of the problems that we are facing right now. But having that mindset of environmental health and safety first, I really didn't put together the pieces until recently, and so I'm very grateful for that, and that's the mindset that I developed over there. But number three, what was also important is understanding the business context. You know, learn about the subject matter, in this case things like occupational safety, industrial hygiene, lab safety. Try to learn the basics of

those. It wasn't learning about the next programming language or whatever the cooler framework at that time was. Thank you very much. So since we're coming toward the end of the talk, I just wanted to give each of the speakers an opportunity to answer the following question. We're going to start with Tracy, then go to Ming, and then Justin to close. What parting wisdom do you want to share for those that want to break into InfoSec? Starting with Tracy. I would say that your people skills, honing your people skills, networking, being able to explain things to people, any sort of people skills, is really going to be paramount to not only your own success

but just the success of the industry, is how I see it. So if you don't already have those soft skills, work on them, and if you need help, ask; there's, you know, a whole community. But I would say people skills, those sort of soft skills, are really a key to success. So Ming, again, just to repeat the question: what parting wisdom do you want to share for those that want to break into InfoSec? InfoSec is a lifestyle. There it is. Thank you, Ming. Justin? Um, I want to emphasize, maybe in a different way, what Tracy was saying about people skills. In my experience, and from what I understand about a lot of security roles

out there in the world, security teams are omniscient, and their engineering and IT counterparts tend to be omnipotent. And so you will know a lot of stuff that's wrong with your organization that needs to get fixed, how to fix it, and you won't be able to do a thing about it, and it's going to drive you crazy unless you have those people skills. And I don't think I need to reiterate a lot of the other stuff we talked about in terms of how to develop technical skill sets and other security skill sets. People skills are important when you think about it this way: when you're doing work with a computer, it can be frustrating. Sometimes you have to

translate some desire you have into something the computer understands, but once you do that translation, the computer will do it for you. When you're working with sentient biological neurological computers, you still have to do that same process, taking a desire you have, translating it into something they understand, but then you have to convince that computer that they want to do that too. And if you can't do that, it's not going to last in the long run. Like, even if in the short term they're not convinced that they want to do what you want them to do, but they'll do it anyway because the security team told them and they will get in trouble if they don't do

it, or something like that, that's going to last for a few months, maybe a year or something like that. You need to hone those people skills, one, because it's the right thing to do: you don't want to, like, have awful relationships with people at work, and you want to work well with other people. But you'll be more successful, and the security of your organization will go up because of it, because those people will do what you need them to do from a security perspective. End of sentence. Awesome, thank you very much. So again, I just want to thank the panel for joining us today, Tracy for doing this remote. Again, please reach out to all of us on Twitter; we're all, I'm

sure, very happy to interact with all of you to give you more suggestions on a one-on-one basis. I know that the gentlemen here will be here for the remainder of the day, as well as I will. So again, thank you very much to the panel for joining us today. Thanks for coming. [Applause]