
Information Security Careers & Education Panel Security BSides Boston 2014

BSides Boston, 55:57, published 2014-05
About this talk
Panelist Members: Rob Cheyne, Paul Asadoorian, Ming Chow, Roy Wattanasin, Mark Knowlton. Moderator: Lea Snyder. More information at http://www.bsidesboston.com. (c) Security BSides Boston 2014. Follow us on Twitter at http://twitter.com/bsidesboston
Transcript [en]

So, hi everybody. My name is Lea, I'm one of the organizers. Full disclosure: I take no responsibility for what they say, and I have no skin in the game, as I don't work in IT security. So I'm going to have the panelists go and introduce themselves. You guys get 30 to 60 seconds; you go too long, Mark.

Mark Knowlton. I am a senior technical recruiter at Akamai, been in the space about 18 years, and focus primarily on software engineering, but, you know, security obviously is a part of that. And my specialty is actually doing fairly granular technical interviews, so when I come around a conversation with any folks here I actually can follow along, so I'm not just nodding my head like a mute.

So, hi, I'm Roy Wattanasin. I'm the organizer of Security BSides Boston. I also lead the information security program for a healthcare and educational organization, and I'm also on many boards, and at the same time teach part-time healthcare information security. Used to be at Brandeis, and now pending at another college location.

I am Ming Chow, and I'm an instructor at Tufts University.

Paul Asadoorian, Security Weekly. What, I can't do that? I can't do it faster?

My name is Rob Cheyne. I am the CEO of Big Brain Security; we do security strategy solutions. I have been a builder and a breaker, and for the last 10 years I've done an awful lot of security training, so I think that's how I ended up sitting up here. Looks good enough. I also run SOURCE Boston; come to SOURCE Boston.

All right, here's your first question, panelists. Studies show that people with a BA make, at a minimum, 700K more over a career than people without a BA. A BA at MIT costs less than half that. Doesn't it make sense to go to college to get a degree? Is that why you go to college? I thought it was for drinking and [Applause] partying.

Well, I'll take a stab at that. So one side of the argument is that you say, for a computer science background, if you

want to be a developer, there are certain basic fundamentals you learn, you know: operating systems, databases, data structures, all that stuff. So there are a lot of companies that won't look at somebody who doesn't have that degree. But having said that, there's no substitute for real-life experience. So let's say, you know, there's a person who for whatever reason didn't get a degree; the surrogate for that would be real practical experience. And if somebody wants to, you know, just suck it up, be an intern, not get paid, but learn on the job. And plus there's so much available content with edX; I mean, all of MIT's curriculum is online, I think Harvard and one other school. So there are ways you can acquire the same knowledge without having to necessarily go and get that degree at the brick institution.

I mean, let's be honest, a lot of jobs are going to require that you have a degree, and so you're going to need that if you want the job. Just be mindful how much you spend on it. You know, there are degrees at varying costs. So, you know, yeah, you're going to get that money back, like Lea said. You know, if you get a job and you have a degree from MIT, that's great, but, you know, I don't want to give someone half my salary just because; I want that money for me and my family. So, you know, what I tell a lot of the people that intern with me and that work for me is getting your degree is great, but you don't have to go get the highest-level degree, depending on what you want to do. You know, if you want to be a developer, I always tell them the story that one of the developers that I know really well, one of the brightest wireless engineers probably that I've ever known in my entire life, and I've talked to a lot of them, he never went to college and had a really good paying job for a long time. I think he did go back and get his degree later on, but never had a degree, and certainly one of the brainiest engineers I've ever met in my life. So it's not a requirement.

Yeah, I don't, we know, and really, just to say, right, education is always good, but I think it really depends on, right, your motivation to learn new things. So, right, it's all about having your own lab, doing your own things, really researching and really being motivated in what you want to do. So I would say in both worlds education is good, but also experience comes a long way, right. We've seen many people with different

certifications but have no idea what the whole TCP/IP stack is, or know how to do or use Wireshark, for example. So it depends, but I would say that if you have the motivation, if you are always motivated to learn new things, it doesn't matter what certifications and what other education you have. I think both education and the certifications help, but being motivated to learn will always play an important role.

Yeah, I think having the four-year degree shows that you had the focus to sit through four years of something, anything; it doesn't matter what the four years were, what the things were necessarily. I know lots of people that are doing things now that have nothing to do with the degree that they were in, so I don't think what you have the degree in matters so much as, you know, having done something for that period of time. Now, do you absolutely need that? Absolutely not. There are lots of examples in the world of people who bypass that entire requirement. It's kind of like "I will never get a CISSP," you know, kind of a thing. Some people just... I remember I was in a taxi line out in Vegas at DEF CON one year, and there was a kid, about, you know, 17 years old, talking about college, and he was going to one of the conferences, and he's like, "Yeah, I'm going to drop out of school," and I'm like, "Dude, don't do that." He's like, "But Bill Gates did it." I'm like, "Yeah, but you're basically, you know, unless you know for sure you're going to be on that path, you're kind of increasing the odds that you're going to have a lot more adversity in your path." So, and not to forget that some people really have, like, Bill hit the lottery, or the Mark Zuckerbergs of the world.

Now, I actually, the cost of college is a serious sore point for me, because, you know, I'm in this business. But, you know, one thing, I think the two things that college offers, something, you know, Mark certainly mentioned, is the fundamentals. If you want a good metaphor: a lot of people, when they watch professional basketball, they say there's actually a huge difference between the players who actually played a year or two in college and those who just went from high school to college, because a lot of the players who just went from high school to college, they can say, "Ooh, there's something missing in his game that could have been improved," if you played a

year or two in college. So it offers some fundamentals. But the other thing, certainly what college will, and which a lot of students don't realize and don't take advantage of, is something called connections.

That's a good segue. So the majority of people in the IT field don't actually have a degree in computer science. If it wasn't required to get into the field, why should someone spend 100K to get that degree?

If you're going to spend the money to get the degree in computer science, you better really like computer science, because otherwise you're just enduring four years of pain. You know, you don't need that particular degree, so you better actually enjoy it. That's my consensus. Life's too short to do anything for four years that sucks. For you? Everybody else.

Well, when I'm looking at candidates for a particular position, when I read a resume I'm looking at the things that they've actually accomplished. What deliverables have you produced? And none of that's derivative of having gone to a certain college. In fact, I consulted at some places where they had this mindset where they only wanted degrees from certain colleges, and I thought that was the worst kind of myopia, because that dismisses anyone who has the ability to just be a real creative thinker, a problem solver, which can't be measured by a piece of paper, right. So I've always stressed that, you know, there's no substitute for someone who actually can show you a delivered product, with a tangible artifact that was a result of their hard work, research and effort and creativity. So as good as a college education might be, I think actual accomplishment in the world is something that can't be taken away or dismissed. And so I will always be for somebody who can apply themselves, learn what they need to learn, but make that a constant process, right. I didn't become, you know, propelled ahead as the geek that I am from a recruiting perspective by just reading a white paper. It started in the late '90s and it's evolved over time, but I've incrementally increased my knowledge base over time, and it's nothing on my resume that I could just talk about, generational coverage, collection, right, but it's something that I've tried over time. And so learning is just something, it's a journey; it's not something that's an event in time through a piece of paper.

So, out of curiosity, for our panelists, what did you guys major in?

Journalism. I was a sports writer and editor for the first half of my career.

IT networking.

I was actually computer science. In high school I said I want to do computer science in college, did computer science, and I, you know, I never regretted it.

Computer information security, it was more like a degree in business, which I think I used pretty much probably more than the computer information part, as I interned throughout college. So I did computer information systems, but I actually wanted to; it wasn't because I, you know, knew I was going to get some great paying job afterwards, it was because I actually was into it.

It was like yours, it was mostly a business degree. I had a technical job doing development stuff that I was really into,

but business side. For the record, I was an economics major, so that really had nothing to do with it.

So if someone insists on going to college because they want to break into IT security, what should they study, what should they major in? Is a two-year degree good enough?

You know, it's an interesting question, actually. Someone that works for me now is completing her associate's degree, and she said, "You know, a lot of people want that four-year degree, and I don't know what to do; maybe I'll get some certifications to supplement." So again, I think there are going to be a certain amount of jobs that are just going to require a four-year degree. If those are not the jobs you're going after, then an associate's degree, there's nothing wrong with that. You know, and now she's interning with us, or working for us, and learning security, and we're also going to help her get some certifications as well. So there's nothing wrong with that path either.

Not only is there nothing wrong with that, in fact at Tufts there are so many people now that were, like, poli sci, economics, IR, international relations majors that are doing a post-bac in computer science, because, you know, not only have they started to enjoy it a lot, but they know that there will be something at the end of the tunnel. But I have to say, if someone is trying to, if you're asking if someone is trying to break into security now, like, what would it take? I can tell you right now that man right there, Rob, epitomizes exactly what is necessary in this field. I mean, it's passion. I mean, that is the number one thing I look for in anyone. And you mentioned two things, Rob, when you introduced yourself, that nail what, you know, is so necessary in this field: you're a builder and you're a breaker, okay? And those, that epitomizes passion exactly.

I agree with all of you guys, and, you know, the guests as well, but, yeah, I mean, passion is the one thing that I think, again from my opinion, I've seen some of the best security people are from, they majored in different other subjects, right, chemistry, biology; they make some of the world's greatest security professionals.

So, yeah, one of our new rockstar infosec people was an anthropologist.

I, you know, I want to kind of add on to that line. So we recently just hired, at SCW we hired someone named Ashley, and she had two things really I was looking for: great organizational skills, with a background in that, she was actually in the Navy, which, I mean, we talk about college, but certainly military service ranks really high with me as well. And then she had the passion piece of it. We actually had no open positions; we created a position for her. It's working out really well.

So let's say someone has a BA, I'll just start with that assumption, or something equivalent, and they've been doing something other than IT security, and they're mid-career. How do they break into this field?

Don't start by getting the list of letters after your name. Just for the record, like, when I interview people, the more letters you have, the less likely it is that I'm going to actually call you back. A couple's okay. But what does it tell

about you? It tells that you know how to take a test, right. So what's actually more interesting is go take on an open source project, or something where there's the tangible manifest, like you were saying before, Mark, where you actually show that you did something. You know, go help run a conference, volunteer somewhere, at like a BSides or a SOURCE or something where you're doing something in the community. Like, there's a lot of different ways you can get involved and show that you're interested and passionate about being in the field without just going and getting the certifications. I mean, one, I said one or two is probably fine just to kind of get your feet wet, but don't fall into the mistake of having 15 letters after your name. I don't see any value in that.

Yeah, I think there's a really high value put on certifications, and I tend to agree with Rob, although I would disagree with you slightly; there are some certifications that require you to do a lot of real-world work, right. But, you know, what I always encourage people to do is write a blog. I mean, I give a presentation on this topic on how to get into the field, and one of the recommendations is to write a blog. I mean, that's one of the first things we looked at. I am not so involved with the hiring process at Tenable now, but I was a few years ago, and the first thing we look at for every technical hire is: did you have a blog, and what did you write about? How are your writing skills, how are your communication skills, how are your technical skills? It tells me all those things if I can go read your blog. So, and that's something that anyone can create; anyone can take on a project. I give it to the people who are interning and working with us at Security Weekly: I say go to Packet Storm Security, go to the tools feed, pick a random tool, go learn how it works, write it up, and do a tech segment on the show. And, you know, once you can start doing that, I mean, that's a great experience.

I think, you know, to certainly add on to Paul, if you take a look at, the important point is do you have something to show for it, okay? The certification, I mean, that's going to be a question later on, but do you have something to show for, you know, in terms of your passion and your tangible skills? Yeah, a blog is good, certainly having a project on GitHub. We actually have a friend who actually wrote a tool, NoSQLMap, and it's being used quite a bit. That stuff tells a big story about you, why you want to do that, like why you, you know, why you want to be in security. It tells, you know, that you're a builder, you're a breaker. But I think, to go back to something else I've said, also in terms of breaking into the field, your connections really matter. Yes, I did study computer science at Tufts, but just to let you know, the only ounce of security I actually got was in a course, and I took crypto; everything that was like web security, exploitation, all that stuff, I would like to say that I, you know, learned on my own, but I also have to give a lot of credit to Gary McGraw, a friend of mine. I took a course on software security with him, and that actually started it all for me.

And really, just to say, right, it's not only security people dealing with security; it's all of our technologists, technology, IT people as well, right. We need more, everyone's involvement with security. We all know security is part of the whole process. Small companies, right, you have multiple people, multiple hats, doing different things. So I also agree with the blogs, working on open source projects, finding vulnerabilities, contributing to CVE, for

example, volunteering at different conferences, networking, you know, having like a solid foundation, and then after that you can kind of specialize and do what you want to do. But contributing to the community overall.

Well, to expound on the original question, because obviously this audience isn't a bunch of brand-new, you know, grads, but this applies if you want to apply to a position where your resume doesn't look like how we used to write the job description. A lot of times people are a little bit passive; they just send the resume to jobs@. Whereas, like, if you go on LinkedIn, find a job that looks interesting, what LinkedIn actually does, it's on the right panel, it's going to show you a bunch of people to whom you are connected that have a connection to someone at that company. Most companies have employee referral programs. Get an introduction to that person; that person is going to be an advocate for you. Because how many times have you ever said, "If I could just talk to the hiring manager, I know that they would see the glint, you know, the glint in my eye, and that I have a passion for it"? Okay, your resume is a static document. I would encourage anyone who's considering taking a shot at a job where your resume doesn't look like how they used to write the job description: use networking, because once you engage with a person and they can provide you the introduction, that's always the best way to go.

Since we're talking about networking, I'll just throw something out there. I've heard it said a number of times that you're the average of the five people you spend the most time with, and the data point there is, for most people, you make within $10,000 of your five closest peers. And it's not just about money, but in the field, if you want to be a speaker, if you want to be a leader, hang out with the other speakers and leaders; don't just hang out with the people that aren't. They kind of hang out in the corner picking the locks all the time and doing nothing but that. Not, nothing against that, I [Music] love it, but don't spend your entire time at the conference playing the CTF or doing the lockpicking. And now that's my plan. I love it all. Wow.

Are you saying, like, like my grandfather always said, if you want to fly like an eagle, don't hang with the chickens? I mean, what Rob is saying: be able to present in front of different audiences, right. I think, don't always be the person behind the computer looking at the screen; it's great as well, but be able to talk and communicate at different levels. It doesn't matter what kind of people you talk to, especially going outside, not only in this country but being able to talk at different locations as well.

Interesting point, right, it's getting out from behind the computer, but also using social media, which I think is really important. Even when you're just breaking into the field, get a Twitter account, follow the people in the field; maybe some of them will follow you back. Get involved in the discussions, and that can be a great way to, you know, there are all kinds of tweetups, or it's just a great way to stay involved with the community. And it sounds weird, because I think when a lot of us used Twitter for the first time, like I did, I was like, "What was that?" And then, like, four months later I'm like, for some reason I've got to try this again, and then I just haven't stopped using it since. So Twitter, the security community has embraced Twitter like no other community I've seen. So, yeah, if you want to be a leader in security and you don't have a Twitter account, you're doing something wrong, probably, unless you're Bruce. I think he does now.

All right, so moving on. You guys have talked about some of the networking stuff, so if someone's interested in interning or volunteering, which I think

you know, probably some people out there are, how do they go about finding a place to do that?

You can tweet me; we usually have internships available if anyone's interested, at @securityweekly. Is that a shameless plug? Is that, you said there were no rules? There are no rules. We actually do have a running internship program, and we're not the only one either. So the other thing, you know, a lot of people mentioned open source projects. If you're not the most experienced coder, or even if you know nothing about programming, you can still get involved with an open source project, right. You can help test the code, you can help run their social media, manage their GitHub, write documentation. And that's a great way to kind of fall into an internship as well. So don't think you have to be, like, the super awesome programmer to be involved in an open source project; there are lots of other roles.

Let me throw one additional question up. It doesn't matter where; how do you know that you're getting, quote unquote, the right experience? Or does that matter, if you're just getting experience, because you guys are saying, yeah, yeah, just go do open source. So is that good enough?

So I usually tell people to project out five years in the future, if you can, and figure out what you want to be doing, and look at your resume today and see where the gaps are, and then take jobs that do those things that fill those gaps, for at least, you know, do each one for at least a year or two just to kind of fill the gap. And you can completely social engineer your own resume to basically put you, legitimately, in a position of whatever you want to go into, within, you know, a relatively short period of time. Also, one thing that helps is working at a startup, because in a startup you tend to have the opportunity to do a little bit of everything, and I often tell people you can get 15 years' worth of experience in three to five at a startup, if you go to the right startup. And right, so, and if you're going down the path and you find that it just sucks at that place, find another one. Don't be too committed to one thing and feel like you have to stay somewhere that's not fun. So kind of keep that balance.

Exactly like Rob was saying, right. Like I always say as well, do a pen test on yourself, right. We do pen tests on other companies, but let's do a pen test on, you know, the gaps of us as well, right. You want to do a pen test on yourself, and additionally you also want to find a good mentor. A good mentor, like Paul Asadoorian, or actually Rob, or Ming, or actually anyone, right. But make sure that you want to learn; the main thing is you have passion to learn. But again, do a pen test on yourself and see. Is the InfoSec Mentors Project still running? Right, exactly. So that's another great place, mentors as well.

Can we get a shout out from the audience?

One of the best bits of advice I got from a mentor recently is that a single mentor really isn't enough. You need to get yourself a chairman of the board; that person's your chairman, then figure out who the rest of your

board of directors are. Find the person who's best on security, but a person who's best on business, a person who can help you with life balance as well, so you get advice not just from one single perspective but a whole array of folks.

Yeah, my wife, my wife is really into public speaking, and in 2009 she was second in the world in the Toastmasters championship contest, and she did that in four years from scratch. And she did it by doing exactly what you said: by the time she got to that level, all of her mentors were the previous world champions, and that wasn't an accident.

I'll get another shout from the audience.

I've mostly been watching before, but actually what you said, Rob, actually strikes a tone with me right now, as I'm going from an area of being very comfortable job-wise to an area, in a development aspect, as a security analyst, as a lead analyst, in my next job in a week. And I did it because I found the gap in my career that certifications, mentorship, previous experience weren't filling for me. And it's kind of taking a, you know, piece of humble pie and saying I know what I've done, but I know I've got so much more to do; just knuckle down, do this, fill in that part of your gap in your resume, or your gap in your skills, experience, and that'll set me up to where I want to be in three to five years. So that really, really rings a tone, and I think everybody in infosec, we kind of have to stay hungry and stay humble and just continue to keep driving and driving ourselves to what we really feel passionate about. That's one of the things that multiple mentors have explained to me on, you know, where I'm at in the maturity process, and I'm just taking it to heart.

Yeah, I think there's something else. You took the words "stay humble, stay hungry" right out of my mouth, because, by the way, that's also a motto of the New England Patriots. But also I think, what was I going to say? You know, there's, I think one thing I wish I did a lot more of in the past, and I think we're going to address this later on, is taking risk, and doing something that is out of your comfort zone is not a good thing, it is a phenomenal thing. It is how you learn, it's how you grow as well. If you're always only living within your comfort zone, your comfort zone stays small, and as soon as you step outside of it, well, now it's scary. But then the more you step outside of it, the bigger your comfort zone becomes, and you grow.

That's how trees grow, that's how everything grows. That's exactly right. I mean, I started life as a sports writer; I was being paid as a sports writer before I was old enough to drive a car, you know, 15 years old, and then I wanted to change the career when I was 30, and within, you know, a couple of years I actually started a company. I figured out a way to put corporate data on a mobile device with the highest degree of security and the lowest cost of ownership in existence, and I never could have foreseen doing something that crazy back when I was, like, on the copy desk, you know. But I had confidence, willing to bet on

myself, and I wouldn't be where I am today had I not taken that bold move and jumped out of the plane. I know that, parachute...

So we've talked about degrees, we've talked about technical stuff. What might be some of the soft skills you look for when hiring someone? Because that's kind of critical.

Well, one of the things I look for when I conduct a tech interview: it's not enough to see that somebody can regurgitate the fence posts of a correct answer, right. It's all about how effectively do they communicate. So when I ask kind of an open-ended question, I'm listening to their answer, but I'm also trying to picture them standing up, you know, and how effectively are they going to be able to communicate their idea. And I'm thinking, like, okay, if in seven seconds the rest of the room's going to be rolling their eyes, like, this guy's just not going to fit. So those soft skills, like the ability to express yourself effectively in writing, as well as presenting interpersonally, those are absolutely critical.

I look for primarily two things, and, you know, not necessarily as a qualification for hiring, but, you know, we take on interns. Really what I look for is how they solve the problem. It's not whether or not you get the right answer; it's how you approach the problem and your process for problem solving. If you've got a good approach to that, which is kind of a tough thing to teach, right, then you're going to do really well. The other thing is communication skills. You know, can you take what you've just learned and communicate that to others? And that's a lot of what we do with, you know, what you see in terms of our technical segments: we're giving them a problem, seeing how they do with it, and then making them communicate that.

And, well, really just to say, right, I think everyone mentioned it, but thinking critically, thinking outside the box. So if there's one option, right, there are always going to be different options, but if you can resolve it, like, going this way instead of just the different options; always thinking outside the box in anything that you do, having passion for things that you currently do, but also exploring all of the risks that you have, right, because you're doing something new. That's what I would say, and also communication skills as well.

I tend to look for: can I put this person in front of a customer? Would I be comfortable sending this person to Goldman Sachs, right? And that's not true for everybody, and it depends on, you know, not for every role does that matter, but for a lot of the roles that I kind of hire for, I tend to want people that are customer-facing. So I want people that can think technically and can approach technical problems, but at the same time I don't have to tell them that they need to actually, you know, dress appropriately and that kind of stuff. And so presenting themselves professionally, but also being able to communicate clearly and effectively, and, you know, not just diving straight down into the weeds for 10 minutes without any kind of context or anything like that; that's kind of important.

Remember those, and the things they said: those interpersonal skills will get you the promotion. Yep.

Can we get a shout out to the audience, please?

So I think communication is really important, but there's sort of an undercurrent that I'm hearing here of communication as a form of talking. But equally, if not more, important is the aspect of communication that involves listening, and that's not a soft skill; that's a hard skill. Got that.

Yeah, I think listening is, you're right, I think that's one of the hardest things we do as human beings, and it's amazing. If you ever want to just play this game at a conference, because you have a lot of people you have access to: walk around and just strike up a conversation with somebody and see how long it is before they actually ask you anything about you.

chances are you'll just hear blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah like and that's it's always interesting when you meet somebody that stops and just asks you about you and you're Fu I'm suddenly the center of the universe and that's how you feel when you get that so what uh that's one of those skills that you can practice and develop and it's easily practice so Switching gears if you could do it all over again from the very beginning so I'm a little scared guys what would you change if I had to do this all over again what would I do uh a few months ago Melissa Elliott

uh from dero I don't know if some people may know ZX a bad idea posted this tweet which hit me like a truck and she wrote Because I think about this all the time and she said if I had to do this all over again if I was a kid in the '90s I should have uh it was along the lines if I was a kid in the '90s I should have started or joined a uh a hacker group that had a zero in it uh but what dides that say but what does that mean you know I think if you take a look at you know I think the thing that I really missed I really should have done was I

should have committed more time and more passion to what I really enjoyed which was you know programming and tinkering on the Mac I and uh back in the days I did pretty good I I would say I did pretty good personally with you know the computer sciences the courses I really really thoroughly enjoyed programming on my on my Mac but I think the one thing that I I should have gone a lot lot further I think the just just the fear was there was a lot of stigma uh the stigma is oh the the people who actually stare at the computer too much uh they'll never you know they'll never go anywhere you you know just like a a loser um and

that that that was something I I didn't want to be I think there was the peer pressure um uh kind of held me back a little bit uh I even had a by the way is this video is this is this video taped by any chance not at all not at all good old high school friend of mine said oh Ming knows everything about the computer like he he he's like the most passionate guy in computers but at the same time he was also ragging on me and hey did you do any of the other work like you got to do you got to get out you got to get out man so if I had to wish I did this all

over again I wish I actually went even further like created like an underground bulletin board or something uh you know and I and I I wish I actually took my skills a lot further uh when I was a lot younger when I was in high school uh if I can go back and change things I would definitely go back to that time at brwon when I drank way too much dle definitely change that I would also uh uh go back in time to that time when I worked for the University and my uh director at the time had brought in this guy uh and some of his friends who created this really cool firewall company and it did deep packet

inspection and they were first uh you know getting on the market they wanted to see what we thought of it uh I wish I had like broke out my checkbook at that point in time and wrote them a really big check cuz they're Palo Alto today um other than that I you know I've made a lot of mistakes and and done some good things I wouldn't change any of that I mean because your mistakes I mean that's really what you learned from so for me it would have been when I started that company um organically I was chasing the VC money I was trying to raise like 5 million bucks back in the uh post-dot-com bust um and it was just and

there was nothing in my background that could have suggested that I should have been able to think of the solution but what I should have done was to figure out any way possible to get the damn thing built first and start getting customers like anything to just get the damn thing built and um I wound up you know came too late trying to part up a carrier but if I had done that from day one and just like okay let's let's build this thing we'll license it truthfully but just to have it actual working product in said I just would bought into the notion that doing the Cent way going to VC raising money and all that stuff and I would I

should have been more focused on just getting the damn thing built and not worry about all that noise I'm happy where I

am no I uh I I would say that um you know everyone learns from mistakes right you have to make mistakes in order to learn from them right there's so many risks right I still think that right you should do a pen test on yourself because who's basically out there um you should do like a pen test well going doing like a social exercise looking at all the jobs um and what those jobs require right there's different skill levels and things like that but I would say that if I were to change one thing I would probably be a part of more different groups bulletin board groups I used to uh have some bulletin boards that I had many

a long time ago anyway and uh yeah basically uh be a part of that and be a part of groups because they can stick stick up for you so if you make mistakes you learn from them right you don't have to be an expert or anything like that right I would say that you know there's the people that say they're experts it depends right but um everyone's always learning right and and also if I were to have any change I would probably major in more computer engineering because I I like uh hardware hacking as well I think at any given time any given point in time you are the sum of all the experiences you've had to date so I

anytime anybody's ever asked me this question my my real answer is I probably wouldn't change a damn thing because it got me to where I am right now but just as the hypothetical game um I think I would have started starting companies earlier please that is the path to freedom as closely as I can determine okay I got one last question for you guys in the popular game of ask grabby grabby would you choose to go first or second Paul Paul I I choose uh to go first how's that because that person gets to do all the grabbing and since it's my fictitious game I can make up the rules does everybody in the audience

know why he got asked that has anyone heard of asked grabby grabby game before other than on the show no that's cuz it's completely fictitious and he loves to ask people this question so I wanted to hear it actually came if you want to know the history behind it came from a a TV show does anyone recognize the TV show bully beat down anyone yeah like one person right it was just game where they find this person being picked on in the bully and they would take the bully and they'd put him in the ring with a yeah with a UFC fighter right wow awesome and if the bully lost he had to pay the person he

was picking on like money like 10 to $5,000 and if he won he didn't have to pay anything or or he got $55,000 yeah I there was no bullies that really made it I think one I think one did and needed like immediate medical attention was left in the rescue but the host of the show used to sit down with the bully and he'd be like ask me questions like if you write a book about yourself what would the title be you don't have to answer that cuz the deer in the headlights look but one of the questions he asked him was the ask grabby grabby question and we stole it from and then the host got arrested and

they canceled the show that's the story of ask grabby grabby people like I Google search for that I couldn't find it anywhere so that's where you got the book question too yeah you got the book question from there too and I I tell that to everyone that that ask grabby grabby is popular in Europe like oh that's why I haven't heard of it social engineering F all right do we have any other questions from the audience show of hands who would go first who would go first oh yeah second who would go second second you like to be cow we

yeah that's my other favorite show now is Tosh.O so if you know my juvenile level of this this just adds to my evidence that Paul is the Howard Stern of the security [Applause] world when we have oil wrestling in the studio I'll invite you

rob questions questions questions

yeah so the question is I I'm a grad student so everything you spoke here meant a lot for me so all of you have mentioned that you don't care about the letters you know behind your names no certifications no degrees yeah degrees you mentioned I I'm doing my masters so but uh before all of you belong to technical background you know you will be the technical recruiter but it will my resume will first reach out to the HR system or the filtering system the software so in case if my resume doesn't have a good certification or say experience of n number of years it will not pass through the HR system it will not reach out to you wait did

you hear you're making a fun you're making a fundamental assumption here you're assuming you have to go through that system in the first place exactly I I haven't got a job no offense Mark I haven't got a job through a recruiter in at least 15 years and it's not because I haven't been working right so go meet people here the the security leaders are all here if you want to get into the industry they're all at the conferences go to the conferences hang out with them find the people that are speaking they're probably leaders in their field awesome talk to them tell them about what you do find someone that resonates with you um if you want don't want to do security

you want to do something else there's other conferences there's conferences for everything and that you know that is the way to do it you don't have to go through the recruiters if you're so if you if you want to go that path it's fine but if you're trying to bypass it learn some social engineering tricks and you can totally bypass any of those requirements you need to just saying yeah I mean for example if you want a job at Tenable you can come find me and tell me about your skill set and what you want to do in your passion and uh if we talk we have a good conversation I think you're a good fit we're going to

bypass HR like you just need to talk to Ron or vau and you're you're in in from that point and that's all just about networking like Rob said and I've done that there are people who work for Tenable today because they talk to myself or Jack or someone else at a conference can you pass it down to the recruiter please can you pass it to the recruiter to answer that question thank you okay so well one thing I want to address there are a lot of fallacies or misconceptions and I got from your question that put into the HR system if I don't have enough experience so there's there number one there's no kind of automation

that companies use in any kind of ATS where it's going to flag your resume based on certain BQs what we call basic qualifications uh so you're not getting knocked out by some type of automation all right uh the problem is in most positions that you do send into jobs at right the recruiter is going to be trying to find the resume that looks like the job description and unfortunately most of the time the recruiters don't understand neither the requirement nor things that you do on on on your resume right they're just trying to line up words and so that's why I emphasized if you truly want to target a position network your way in there get

an introduction you know via LinkedIn because a warm introduction is going to be so much more impactful than you hoping you get discovered now if you have a resume that lines up perfectly with the job description great but most of the time that's simply not going to happen but you have a belief you can do that kind of work maybe you've done projects on the side that don't reflect that maybe you didn't actually your resume you didn't think that was appropriate but you're going to be able to do the job because you can get an introduction if you can talk with the manager because you got an introduction do that all the time and and sending

your resume in it is you're you're just a victim of all the other numbers in there and then it's just you know kind of random um um I mean you talk about you know being messed in in in I mean right now you go to place like the monster.com of the world it's an abyss you got 800 people applying for one job and half of the you know half of the candidates are all you know they're using generic resumes a wise man in Las Vegas one time told me and this is where the value of place like DEF CON and you know a wise man in Las Vegas once told me that your connection will give you more not job

opportunities all right than you can ever imagine by the way the reason why I have my phone out right now is there's also a lot of PHS that are not advertised right now I have a friend of mine who's on my he actually he sent me a Twitter message he said Ming hey Ming know of any Java developers out of your program at Tufts looking for work and a very cool you know red star startup a lot of jobs are not even advertised they're just under the table and you know it's it certainly with a trust factor you know would you rather trust someone off the street you know like LinkedIn like the the not LinkedIn but

like monster.com or would you trust someone that you know you already know as as an employer I can tell you that I hate having to go to a recruiter to find people I hate having to post job advertisements I feel like if I've gotten to that level on some level I my network has failed me because it's so much better to find people that I know or they can vouch for somebody because I know they're going to be good because it's really expensive to get rid of somebody after you've hired them so I'd much rather find someone that's right in the first place it's a good fit and do my best to do that through my network

yeah I mean those interpersonal relationships are so important um even a field like ours you know I also produce a cigar podcast and you want to talk about an industry that is built upon personal relationships they're not going to give you the time of day if they haven't met you sat down had a cigar with you for like two hours and that's just how they work but I mean it's a great model right you like Rob saying you come to a conference here you sit down you talk with people and then later on if you're looking for a job or all that's the person I sat down with at that conference one time um it's

extremely important to have you know someone said earlier that warm introduction goes a long way and it's not just with jobs either right we bring guests on the show we go out and we look for sponsors I if nine times out of 10 if we don't have that warm introduction there's some kind of background or history we haven't spoken with them that relationship is uh not going to be as fruitful as you would have hoped um whereas if I know someone that works at a sponsor I have a relationship with them then that's a totally different story um so it's not just about your career either right it's how you do business you test you created companies

right it's about relationships um Rob you talked about talking to business talking to customers and do you see value in certifications advanced degrees when you're talking to business that's not security related or um talking to customers you know who don't know you and they're just trying to get a feel for whether they can trust you so you mean just to get your foot in the door having the

certificates now do you guys think that you're going to listen to somebody just because they have letters on their name I don't know like I think that's more it's more interpersonal skills at that point once your foot's in the door and you actually have the ability to call somebody up and say hey I know you then you call up and you know so the long game on this guy is like you're it's not always about I'm going to conduct a transaction with you right now it's about hey let me get to know you and then maybe at some point the in the future we'll have something that's mutually beneficial I I look at selling as not a bad thing because I don't look

at it like I'm trying to get something from you I look at it as I have something of value to offer you and if you want it cool and if you don't maybe later and then tell someone else or I'll tell somebody else yeah I'll help you if I if I can but I look at it as more of a relationship thing and in the long run that tends to work out better it may not give you the short-term result you want now but in the long term it always does and and just to say really uh right talk to people and make your don't make any assumptions right it's about those long-term relationships so uh just want

to see so you had kind of two different conversations one was about filling in those gaps in your resume how do you do that you said go be on open source projects volunteer here do all this stuff and then you talked about this and how you need to network with people I just want to point out that the first gets you the second you don't have to go out and be like my whole goal today is to just meet people if you go and you volunteer for projects if you do things you will make those connections which will get you the the things later on look for opportunities to speak even if it's at a small group I got the job I

have now because I gave a talk at the end of a a course in grad school and a and a fellow student saw me and submitted my resume so I mean the more you can get out there the more people you can come in contact with the better it'll be that's just a good of living a balanced life if you're trying to you say get more exercise and get more social activities and get more if you can do those things all in one activity that's great um so anytime you can combine them that's that's even easier we we like to drink beer and talk about security so we created this thing called a podcast actually there's one thing I

also want to I yeah we're looking for beers too but also I gotta I gotta warn everyone and I you know I got to warn everyone this is you know but the key is you don't want to piss anyone off or just be a jerk because you don't realize although the field seemed really really big I mean it's like millions of dat it is Tiny everyone knows each other everyone knows each other so I mean you get you know you don't want to do anything stupid this so so if you're getting into the field and you're a security researcher I'll just say don't be a dick yeah right like be nice to each other you don't

like yeah you're smart but you don't have to you know I'm going to withhold my information from you because I can you know come on just be cool with everybody like we all talk to each other we all laugh at you at the bar anyway so anybody that that doesn't follow that golden rule ends up you know getting in some way ostracized whether they realize it or not this is going to be the last such pressure have you had an expectation that of what's going to happen that's just been spectacularly wrong for example I thought C would go the way of COBOL and after the Morris worm I thought security was actually a solvable problem

uh do you do you have any spectacular crap was I wrong about that I do yeah um so in 2004 I created my my first consulting company and I thought that traditional methods of marketing would work in the computer security industry it kind of ties in our previous conversation and they failed miserably like no one wants to look at a flyer and say oh yeah I'll hire you for a pen test right so I went to my friends in the industry one of them was Ed Skoudis and I'm like Ed so what am I doing wrong it Ed actually had a competing so competing company right and he helped me anyway and I never forgot that um so that goes

back to you know Rob like be nice to people um and so you're just going to get out there in the community and do stuff I'm like cool I'll create a podcast like they'll see if that works right um and that was actually something we latched on to and we've done for for seven years so um my initial expectations didn't take into account the community aspect of it but also the networking aspect right if you're going to go do security work for someone there is this initial Appliance of trust right you want to have some kind of relationship um for us that someone relationship was our podcast right they heard us talking every week they feel

like they got to know us um and that helped build relationships with the entire Community um so you need to do the same thing that's the other reason I encourage people to have Twitter to write a blog to you write papers and volunteer an open source right is you're kind of you're building that trust with the community as well and my initial expectations for that you know were didn't pan out so I learned that over time so so it looks like we have one last last question I remember reading uh recently on some blog or other I think it was the US I'm going to say US Department of Labor I may be wrong about the agency um

recently classified computer security as an occupation not a profession and I want to ask the panel if you agree or disagree with that assessment and what should be in your view the correct answer occupation or profession um well that that depends on what your definition of a profession is an occupation is something that you do for a living that's not a professional okay so that security is not professionalized is the is the implication of this get a paycheck yeah wait wait I got back up a second do they define it in general that way no so it is a profession or is an occupation I don't know I just read that I read the article like to comment

on that um that's interesting because um not before anyone in my but as part of the TRA in 1986 there was a um a 1706 um amendment to that that had to do with computer consulting and what happened at the time was that remember remember there was the big eight and big six um they would have uh like 300 400 bucks an hour uh consulting uh bill rates and all these independents would come out there and be able to offer just as good as services but for half the price so the their lobbyist uh effectively got them to insert into the law that people couldn't be independent consultants and thereby have you know be uh you not have

taxes withheld unless they met these 20 criteria being an actual corporation and so they defined anyone who did work independently in in their their execution of the job was was based on their professional competence and not someone just being handed the list of grad activities was a separation between someone who's just a worker and someone who was a professional my understanding from the computer industry perspective um they were considered uh professionals by the government using using that criteria I'm I'm actually familiar with that study um now in my and that's more or less that's more or less what what it is and and the notion of this again came from Dan Geer actually it's been one of

his themes over the last year or so I would say none of the above it's a [Applause] lifestyle I think we just CL on that lifestyle [Applause] well all right so time but stick around for closing remarks if you want to know ENT to win all that fun stuff and you can obviously hit them up before we get started if you want thanks everyone