
Diversity, Don't Read the Comments

BSides Boston · 2016 · 42:44 · Published 2016-08
About this talk
Why does IT security remain plagued by diversity problems despite evidence that diverse teams are smarter, more creative, and better for business? Marcano examines the current state of representation in infosec, the gap between demand and available talent, and concrete steps each community member can take to build and support diverse teams—while ignoring the inevitable online backlash.
Original YouTube description

We tend to know diversity is important. There's evidence that diverse teams are smarter and more creative. Furthermore, there's also a lot of evidence that diversity matters for the bottom line. Based on the evidence, it seems like diversity would be important to an industry based on innovation and creativity. However, IT, and specializations within the field like IT security, continue to be plagued by a diversity problem. And it doesn't matter how you define diversity: no matter how you slice it, lack of diversity continues to be an issue. Recently there has been an increased focus on the issue, with many tech firms publishing their stats and stating goals for improving diversity in their workforce, which leads to news stories being published, which invariably leads to comments on the story. If you think diversity matters, don't read the comments. By engaging the audience throughout our talk, we will hit on the highlights of why diversity matters, what the current state of affairs looks like, ideas on how to change it, and the importance of supporting a diverse culture. We want to start conversations about what each member of the InfoSec community can do to support diversity and ignore the comments. Pedro Marcano is the CEO of Vernance. He has founded three information security startups. Lately he has been working with critical infrastructure organizations, utilizing different frameworks as a base to help solidify organizations' security postures. Most of his career has been invested in consultancies where he has been a part of or managed many diverse and multicultural teams.

Transcript [en]

You know, yes, let's see if you feel like that after we're done. They found the topic and they gave it to me. They said, just whatever you're uncomfortable with, give it to the Puerto Rican, he'll take care of it. That's my job: I'm the Puerto Rican that just cleans up after everybody else, so I do forensics, I do governance, I take care of bad behaviors. So why are a lot of people uncomfortable with this topic? The conversation starts really, really nicely. You know, there are great postings, there is great research being done, and then the trolls come in. So there are these really good things to be said, there's real numbers, there's all of these things out there,

and then the conversation just very quickly degrades. So whenever you get into these conversations, don't read the comments, don't listen to the comments, just bypass this thing to focus on what is at hand. So, yeah, questions? Oh, okay, good. Yeah, feel free to agree and disagree too, for that matter; let's just not go too far into that. So, definition: what are we going to talk about today? We're not going to talk about equality or liberation or justice or any of those things. We need to get into a position to staff some of the positions that we have open, and that's actually where we're going to go. Another thing that we're not going to talk about today

is we're not going to talk about how this is so great and how having one of everything is a good thing, and it do it, this is not true. It's not true. There's just no way that you're going to put a whole bunch of personalities, particularly infosec personalities, in one room and they're going to get along. So what is diversity? So when you look at me, a lot of people... I have had Iranians, Iraqis, Venezuelans, so let's come back to this continent: Venezuelans, every nationality of brown person, so to speak. Clean me right, it's like, one of ours, sec nom, tiny little island. A lot of people don't know that it's actually a

territory, one of the last colonies, if you actually want to get political, and it's a mess. It's a mess right now, but putting that aside, it's what we perceive with the five senses. Sometimes, you know, the person next to you is cooking really funky food, they're not from here, and, you know, what do they look like, and that's how we tend to judge people. Okay, fair enough, but if you actually start looking underneath the surface, and your presentation happens to just go away for some reason because you press the wrong button, you'll see that it's way more than that, right? The conversation nowadays is in the gender, right, where we're discussing a lot of gender issues

and bathroom conversations. It's the big thing that is part of the conversation, right? But it's also where does the person come from, their politics, the way they think, their values, their beliefs. It's way more than just what they look like or what they eat or anything like that. This picture is floating around, and we have everything that we can see as the tip of the iceberg, and then the depth of the person is actually way underneath that. There's a stereotype that I'm still trying to look for: there is a little Mexican guy with a big sombrero taking a siesta. I gotta tell you, I've been to Mexico a few times, have

friends that are Mexican, and I never seen a Mexican take a siesta. Now, there are fiestas, though; their parties are wild. But I never seen somebody take work so seriously, down to religious status, as I've seen a lot of immigrants. They just come here to work, they work really hard, and again, it's like I'm still looking for that little sleepy town where I can actually take a rest, and I haven't found it. So where this conversation is going, where I want to take it, where the people that write these great postings want to take it, it's in a little bit more complex of a direction. This woman, does anybody know where she's from? Okay, for the weekend

race to New York, Sonia Sotomayor. Even she's complaining about the fact that the courts in our home state are a little bit too uniform. All of the judges are familiar with white-collar crime, and they're not really well versed in the situations that they're going to be faced with as judges, and what she's looking to do is to bring a diverse perspective into the cases that the courts are seeing. By the way, this conversation is going to be... stop doing that. Oh, did they? Okay, now the entertainment portion: I'm going to teach you how to dance salsa in the meantime. But, so, I talk kind of quickly; it's one of the traits that you don't

particularly see until you actually start talking to and engaging me in things that I really like, like infosec and politics, so long as, you know, we bring them in and keep them at the right level. And so, anyway, let's see. So the issues with security: security right now, it's kind of like diet and health. We're spending a ton of money, we're getting success as we move forward, we improve a lot, and then cake happens, or, in security, we get breached. So we get pulled in different directions. In the late 80s, early 90s, it was all your hacker, you, security thing: you break things, can you prevent people from breaking in, can you change my mortgage

or my grades? It's like, well, yeah, but I don't want to go to jail. So in diets, a lot of the diets fail; there's no commitment. In diversity, kind of the same thing happens: there is, yeah, we're going to create a diversity program, we have these great successes. In infosec, kind of the same thing: we're actually going to secure all these things, we're going to implement the million dollars' worth of new hardware, and then it fails. We're back to the drawing board. Well, how about we get a new risk management framework? How about we get some new tools? Let's do some new scanning, let's get a new perspective. And it just is kind of like we keep going up

and down, up and down, and we don't get anywhere, so let's just jump on a new fad, let's see what happens then. In the meantime, we're going along with a whole bunch of positions that are still open. So the conversation, it scoops... the conversation needs to be about people, the liveware, right, the problem that exists between the keyboard and the chair. It needs to be moved towards what can the human do to actually secure the enterprise, and where do we get more of these humans. It's been about what the blue team needs to secure the flag from the red team; what can your employees do to

defend themselves from attackers? And again, no matter how many tools you put out there, no matter how much money you put out there, tools, money, resources you throw at this problem, there's just not gonna be enough. So, not bad. I'm having a lot of problems doing presentations nowadays because I want to hit the most people, and when I present the A-Team, I said, people think of, oh, Liam Neeson. No, this is the A-Team. There is no other A-Team, there's no more, there's no other. So as you can't... these, the group. Does anybody recognize the top picture? NASA, specifically which team? Apollo 1, 2, 3, 4, 5, 6... the moon, 11.

Yes. So one thing that these teams have in common is they're diverse. There were a lot of issues in the 80s about objectification of women in the A-Team, but she was there; to me there was a woman that was mostly part of the team, but these are the guys that were the face of that group. Then we get SNL, Saturday Night Live. One of the most successful runs that they had was with this team of crazy people, and there we have it again, ladies and gentlemen. So if this keeps going, we're going to switch to salsa lessons, okay, which in the end may or may not be more productive but definitely will be more

fun. So what was that? Go ahead. So, question: your team at home, at work, whatever you work at, do you have within your team all of these skills, or somebody in your corporation that provides them? Who am I missing here, something that you have in your work team? Okay, I was gonna ask you a chart, but then you switched. Excellent. Who else? Who do you work with that is missing here? Business, okay, yeah. Like customer care or technical response; it's often like if something is broken, customers will complain about it to, like, help people, and making sure that information is tasked out to equal incident response is really important. Okay, in very large companies this is,

these are broken down and, you know, it's us versus them and all of those things. But let me give you a lesson, a very quick lesson. Everybody know what SSL is? Good. Everybody incident... which, any incident responders in the room, present or past? And now our salsa intervention. I like it, see, diverse thinking right there. So incident responders in the room, present, future, excellent. Imagine this: "Oh, Tracy, una llamada, le dicen que van a pagar su corporación, ¿qué hace?" "No hablo..." (Oh, Tracy, a call, they tell you they're going to pay your corporation, what do you do? I don't speak...) Exactly. So with all of these people in the room, not a single one speaks Spanish. Okay, that, for today, my friends, is not your swinging salsa lesson; it's your Spanish as a second

language lesson. Okay, so no matter how diverse you think you are, there's always... the attackers are going to throw something at you that you may not be ready for, and what you think with that, and what you think you need before the attack, it just gets thrown out of the window. Somebody at SOURCE this week said everybody has a plan until they actually get punched in the face. Mike Tyson, yes, somebody used that at SOURCE. And what ends up happening is, sure, you actually have all of these plans, you have all of these people, you have this awesome team, and then you get a curve. That, my friends, was a phone call

from a hacktivist in South America that called the corporation, and all he cares about is the politics of the corporation, and he just said, I'm going to attack your corporation, this is what I'm gonna do, go out, defend against it, good luck. So if you actually had somebody that spoke Spanish and that actually looked this good, then you could actually... couldn't say that with a straight face. You would actually be in a better position to defend your corporation. And again, it may or may not happen that easily, but by the time you get the phone call, who knows what's going to happen. So what we have right now is we actually have a lot of external factors

controlling what we do as incident responders, even as product managers. We have a lot of people that are getting hacked because of social engineering. The counts of phishing that is coming in for CEOs, it is incredibly high as to how successful they are. Last night we were sitting at a table discussing infosec and politics, and what then, this election happens, one of the people at the table got an alert that somebody was trying to hack into his account, a relatively high level individual in a product corporation, and of course he doesn't respond very well to authority, he doesn't respond very well to getting, you know, click this to actually change your, you know, it just

doesn't go. Then on the other side, you actually have a lot of people that are very angry as to what corporations, and particularly in this country, are doing, so you get hacktivism. And then the worst thing: seven thousand dollars, for example, just to pick a number, it's a lot of money in other countries; it's what some families make together in a year. So for a relatively small amount of money, you have somebody that is going to dedicate their life to trying to get into your corporation to get your secrets out, or just to cause mayhem if they shorted your stock. So HR, I eat how do you know 022? Yeah, they just

click. Yeah, it's, first of all, right, if you're hacktivists, right, if you're actually trying to break into a corporation and you can't get through, what are you gonna do if you fall short technically? You go recruit someone that is already angry, and there we have it, ladies and gentlemen. Non-malicious, accidental: you know, I opened up the zip file, and I got a shipping notification, I got a bill, and then you go ask him, were you expecting a bill? No, I never gotten one in my life. So why do you open that? They're just, you know, sometimes curious, well-meaning, they just want to do well by your corporation, and they just do silly things. I'm the one giving this

talk, by the way. My partner that is Romanian, he will tell you they're stupid, and then you'll leave it at that, so now you know why I'm here instead of him. IRA week work is brought this up, but a lot of people do not want to... security awareness. We talk about individuals who either intentionally or unintentionally...

It's ugly. There was a talk this week at SOURCE about insiders and the nation states that love them. If you can actually watch the recording, it was great. It's scary the amount of money that it takes to recruit someone that is disgruntled. Most of the successful attacks, exfiltration of data, that happen in corporations, the range of money that they get is between a thousand and ten thousand dollars, which in this country is pocket change; in other places it is a lot of money. But these are people in corporations with white collar jobs that are just getting paid peanuts to just do damage. Genuinely, not only am I not being wounded... are they not malicious, but they

don't realize what they're doing. For doing this problem, a former employer of mine had a ton of fraud situations where attackers socially engineered, collected pieces of information from different employees of the organization, and once they had enough pieces were able to submit fraudulent orders to our vendors and then make off with more dollar amounts, what hardware, and, you know, print paper, printer, Schneider. And that's like none of the targets inside our organization were malicious; none of them knew they were helping owners that were paid off and then we're bad people. Ah, but things people can do wrong, type of the causing problems without, because they believe that you called, ask questions, or call them what help; they

should help people. Oh, yeah, I do physical pen tests. I did a phishing attack not too long ago, a paid one, don't let the color of my head fool you, paid, at a tech company where I submitted 900 requests for password tests; ninety, ten percent of the people sent it back within the day. I did a test of their financial department: I asked for a million dollars and I didn't get it, but I did ask for 25,000, and before I came back from lunch the money was transferred. So it's just amazing. Yes, people want to help; that's our nature. But there's controls in place? Yeah, there's controls, and it was email; it

wasn't a lot of work, and I made the email ugly. Everything was well spelled, but we tried to make it silly on purpose, and it just worked. It worked. You were... okay. So then we have HR and recruiters, and they make our teams look like this: very capable, very energetic, they have their experience. Is anybody not caught up with this? Is it right? Um, but she said it, yeah. So there's former dead people here to make it even more diverse, so it's, you know, great team, great team. But, you know, they actually have really predictable tactics, right? This is what we're gonna do: we're going to move together as a unit, we're gonna

go left, we're gonna go right, everybody's going to be honorable, and let's fight in line and let's get this done. And then the attackers come in and they throw everything they can at you, right: old ladies, frozen dead people, giants, red-haired people. Actually, that was one of the memes that was going around, that redheads have no soul, but I'm glad that one is over; I happen to like redheads a lot. And so they throw anything they can, they want, and then you're left with, you know, the Spanish phone call that you don't know what to do with. So the worst thing that happens is you get a phone call saying, I

have a great opportunity for you, right, and it happens to be a resume that you posted about 10 years ago that somebody sucked out of a database, and you're getting called to do tech support, and you haven't done tech support in the last 15 years of your career. So, yes, I am a senior recruiter, my name is John, I have a very thick accent from nowhere in this country, and I'm here to offer you something, and it's for your corporation. And there we have it. So you get this phone call, and then you get this: if you're actually the hiring manager, you get these great resumes from people that don't really want to talk to you. I was just

talking to someone at SOURCE, Mike Taylor, that said he got a resume from an individual that wanted to do Metasploit as part of their job. And Metasploit is a great product, and if you use that for pen testing or just to cover the bases, you know that it is pretty much a wizard; you can put it in a wizard mode and you walk through it. So this individual asked for a hundred and eighty thousand dollar salary to click through a security tool, and there was nothing else he knew how to do, by the way. So if you happen to be in this room, I want to hire you, but I'm gonna put you in my sales team, okay, because if you

got that kind of money for that level of job, I mean, hats off. Yeah, yeah, I mean, 180K to run a wizard. It's like the Clippy that Microsoft used to have in the corner: hey, do you need help? Yeah, call their Metasploit guy, he's Clippy. So we actually have, regardless how many bad resumes we get, what we have right now is we have a huge gap in resources, particularly on the people side. We have great tools, awesome budgets. A city that got hacked last year was in the tens of millions just in security. I don't know about any of you, but if I had a 10 million dollar budget for security I wouldn't be here

giving this talk. I'd be in Mexico sitting down, looking for that mystical village where the Mexicans sit down and just take siestas the rest of the day. But depending on who you ask right now, there's an awesome black screen that I was just going to point at; there is a million jobs out there just in infosec that are open, that are unfilled. There's a million jobs open out there. I'm going to this guy: by 2020 there's going to be a million and a half, right? However, the good old US government says in 2014 there were 82,900 security professionals out there, and to make 90,000 you need a bachelor's degree and less than five years of experience. Okay,

these are the numbers that a lot of corporations use to pick your salaries, right? Good luck getting somebody with that level of experience here in Cambridge, for example, where people just go across the street and they get a 30-percent salary increase. So, by the way, there's two categories that, if you actually do the search for information security, come up: you're either an information security analyst, any of those in the room? Ha, one, yeah, so you are the person that they're counting here. None of these are the good people. And then database administrators: they're responsible for setting permissions on databases and keeping any user limited to the data. I think

these are the guys that are skipping their jobs, SQL injection and all those things. Anyway, no hating on the database admins. So, however, they're saying that we're gonna experience an 18-percent, a full eighteen percent growth. And, yes, so you start with the left, and then, yes, and then you step back, yes, and then you step back with the right, and then you bring it to the middle. That's salsa, okay. So if you want to look really, really good on a cruise: anybody going on vacation on a cruise this summer? So this is, see, I can move my hips too, and that's it. That's your lesson for this information; we're going to go back to our scheduled

presentation in three. So there's going to be a full eighteen percent increase. If you actually do the numbers, you know that if twenty percent of positions in your company are open, or in your department... anybody have 10 people in their department? Security, in 10? Don't be shy. 20? More than 50 people? Wow. One? You're the sole security person? Yes, okay, you got a person on, hell yeah. So you know that if you actually have eighteen percent vacancies in your department, you're in trouble. So the good ol' Bureau of Labor Statistics is saying that we're actually going to have 14,000 positions open in the next eight years. So I decided to figure out where

were the security people, and I just picked one of the main ones. Regardless of how you feel about certifications, the CISSP is not easy to get. It's a hassle: you need five years of experience, you need a boring test and really thick books. Unless you have the experience, but you can pass it within a year; you'll be ready to pass it from zero to certified. And there are 77,000... again, 82,000 jobs open or filled, with 14,000 positions that are going to be open by 2022, 24, coming, praying for... there's 77,000 CISSPs. That's not counting the rest of the ISC² certifications, let alone GIAC or anything else. The biggest wrong, and I was for coming to

try to do this. What boy, and what we were trying to do is actually have real time, yeah, really distinguish Princeton, I at least eight times at the edge off doesn't change. You call information security officer, you could call a lead principal security engineer, he could be called the principal security analyst, and it's very hard to compare these, no, because it's very, very different. How do you try to do that? I took four offices: what certifications, what experience, how do you move people of the land. Large people, jobs posted, they're all using job descriptions as I must be is the speed of VSM please, no idea. Is I'm experience, CISO job wants one to two years

experience, NSE is fit the debt, they are out, but it's almost like people copy, and it is for every single job. Now realize it was great diversity. Oh, yeah, and all of the jobs that you mentioned happen to have some sort of security responsibility, which you would think would make it easy to search, but again, I tried to account for that, looking for all the security jobs. There's two descriptions that actually include that: I'm there, we have it right now, engineering type, but also involve a security risk management, correct, and GF, which are the hardcore, you know, CEH. And whether you like certification or not, I just used it as the guideline just

to figure out who self-identifies versus what our government thinks, and it was ridiculous. In 32, you've had it almost, end? Excellent. So, facts: regardless how you feel about certifications as to what your team composition is, we're not expecting a problem, we have a problem, right? We're lacking the human resources that we need to move some of these programs forward and to keep the corporation secure. Even at eighteen percent, that the government says we're actually going to have these vacancies, we're heading towards a chaos. We're going to have to start hiring people and bringing them along, and as good security professionals, we all know we can't solve the problem but we can mitigate it. We can make things a

little bit better. I'm about to switch into Puerto Rican mode because this dance with the computer has made us lose a lot of time. So let's take women, for example, in IT, not security specific; that became very hard to find. 51 percent of the population is female; fifty-nine percent actually make up the general labor force. However, once you start getting down into IT, you start seeing thirty percent, thirty-five percent and lower. Once they actually, you know, good for the women, once they get hired, a lot of them gravitate towards management. Depending on how you feel about this, it's a fact: women communicate better, if not better, more, but the reality is they're

better communicators in general. That's not so I thought to some of the research endeavors on so the women's that women including the problem is missing to determine communicate better. The problem is starting in about fourth grade and continuing all the way through C-level executives, and women ditch technology and ditch computing faster than men. Whoo. From middle school to high school, more women say, yeah, I'm going into liberal arts, to hell with this, than men. From high school to college, fewer women stay on top of this, and it's not because women are better communicators, or women are nurturers, or the women are dumb. A lot of the evidence suggests, you ask them, and why do you need, why did you bail? It has

to do with hostility and culture. Yep, women don't leave because they want to communicate; women leave because people are jerks and they're done with it. Yeah, so, yeah, so I'm gonna be around all day. Let's start getting closer to the end, because these are the facts, right? These are the numbers that we need to bring back and present. This study came out this week, "How the Massachusetts Tech Ecosystem Is Creating New Growth Opportunities", from Mass TLC. Go check it out. Their main claim is that we have now surpassed Silicon Valley as the place to work in technology. Again, arguable, but hey, let's go with that. What it does show is that women are

definitely underrepresented. They have a claim of thirty-five percent in tech in Massachusetts. Yeah, check the study. Whoever wants this presentation, I'll give it to them; nothing here that is secret. So diversity to me: if I was looking for a candidate today, I'm looking for an open mind, somebody that is curious, self-driven, and that brings that and manifests that into innovation. Give me a new solution to an old problem. You know, SIEM by itself and aggregating logs is not solving our issue. We need to figure out how we're going to embrace this future where we're going to be underpowered and outgunned in defending our enterprises. So the new

Tyler Ward looks something like this. I wanted to actually interact a little bit more, but even Hollywood had this right. Angelina Jolie, does anybody know where her grandparents are from? They're Slovaks. So Hollywood had diversity right. Mr. Robot, yeah, well, hey, hacker teams, these are hacker teams, okay, these two guys. Mr. Robot, pretty cool show, where, believe it or not, it's fun. He was at RSA this year. If you guys don't know who he is, he's from Egypt, right. And the guy that got crushed in the elevator in Mission Impossible, Mr. Stevens, does anybody know where he's from? Irish and Spanish. So again, in

the pursuit of beauty, they have come up with these individuals that happen to be relatively diverse. The two women on the top are not from Hollywood; they are actually real hackers, and I wish I could tell you more about it, but we're running out of time. So look around this room. You know, we're relatively diverse, but who's missing, right? We need... all guys, for one. I don't know, people... I'm sorry, people with experience. Now you guys look too young, way too young. Oh, older? Make this air... we got a relative mix. So to me, age is experience. I know that in technology, pretty much once you hit 30 you're unhireable; once you hit your 40s,

they want you out. If you're there by 55 and, you know, you don't get laid off, more power to you. Just an interesting and disturbing factor: in Silicon Valley a lot of plastic surgeons are seeing more and more young men who are getting surgery. So there we go. Also gave the derrick with that, so also maybe two, yeah, is she better government over, hey. So to me, age is, it's, I came to experience. Raising different cultures, they bring a different perspective. I was doing this presentation and I dare say that women communicate better, so I just leave in the blanks; my wife, that she definitely, only when we...

I was doing this presentation, I decided to leave my perspective of what women bring to the job out of this. I like to fill in the blank, and different backgrounds in education mean different solutions. So I wanted to bring an exercise: if you were building the perfect security person, what are the skills and what are the qualities that you would bring, that you would want them to have? To me, certification is less important, but curiosity and passion are definitely critical. I don't advocate that you go out to the HR supermarket and you get yourself one of everything. Get yourself capable people that exhibit these traits, and if you can, try to bring in different

perspectives. When two candidates are equal and one of them can actually bring a different perspective, think about that when you're building your team. When does the next presenter start? Okay, so I'm gonna steal you for a couple more minutes because I'm gonna ask you for your help. Very potent MI osita, a survey of members, their experiences in security, and one of the things that stood out to me was a turn to the things that work for them and their security leaders, okay. One is technical acumen, two is business acumen, three was communication. So there we have it. So what can you do? Mentor people, sponsor more people, go out and recruit. If you actually look at your company's HR

materials and you wouldn't go to work there today, just have a talk with them. Show them the cool projects that you're working on. Every time I start speaking security to somebody that is an outsider, a normal, as somebody called them this week, they get really, really excited. What we do is pretty cool, and there's so many things that we can do here. CODE: Debugging the Gender Gap: I'm trying to put together a screening of this movie to keep the conversation going. This was the one change that I made to my presentation today; this showed down... check it out, codedocumentary.com. If we can actually, if you have some extra energy and want to contribute to

this, let's say we can bring this to Boston. Well, I want to see if, because I can't do it by myself, I have a day job too. I don't know yet, but see, this is what I need: other offers, other ideas. So, um, what's happening out there? Ah, let's see, these two guys, they're doing security and promoting the curriculum in bars for free, so this happened last year. Talk to these people about bringing better curriculums to the schools. Nick, ciao, Roy, thank you. Oh no, that's what's happening, that's what's happening. Corporations, for example, NASA sit in the University of Puerto Rico, Mayagüez, and they just take all the engineers out

of Puerto Rico, and then they do the same thing with pharmacy, not NASA, but CVS, Walgreens and all of that; they go to Puerto Rico and recruit them. These people are bilingual; they'd like diversity and things. I will comment on my volunteering at a collegiate cybersecurity competition every year, and we have to go before the college level and start educating, yes, even in grade school and middle school or high school, because even today, I was at a competition in March, and the students are still there... education in college at bachelor's and master's level is still focusing on network and perimeter, stop; they're not hearing about applications. Yeah, you're about to get these two starting. So Women in CyberSecurity, next, there's

a free environment where veterans can actually test their cybersecurity skills. There's grants, there's a whole bunch of things out there. Get the people you know together. Demi, I really wanna get some people out of here in Boston. This is what the population looked like; this is what your security team will look like, and remember, 51-percent female. If you don't have this, this is an idea, but let's see. What does, again, what does it mean, what should it mean to you? Be aware of your gaps; look for passion, not certifications; and look for aptitude, not necessarily technical skills, and that's on purpose. So whoever wants to stay and talk, let me know. Excellent, pun intended.

That's nice. There's also a relatively new organization called the International Consortium of Minority Cybersecurity Professionals; they had the reverse side kick on conference months ago, ICMCP. Excellent. Um, can you email me? Yeah, please. Thank you. Enjoy.