Where Do I Go From Here?

[music]

[music]

[music]

to start off. Hello and good afternoon everyone. Uh for those of you who don't know me, my name is Robert George and I'll be pretenting a topic that I'm very passionate about. My own success. I'm just kidding. Um but we are talking about success. Success by design and not default. Uh I think too often in cyber security and even careers in general uh we happen to fall into paths maybe by accident by taking a job that's available following the latest social media trends or what you see on LinkedIn maybe even copying some other other person's path. Uh but lasting success doesn't happen by chance. uh it comes when from making deliberate choices and aligning your strengths with the right

opportunities and designing a path that works specifically for you. And that's what today is about. Uh just a little heads up, I've intentionally left a few visual errors in this presentation. Uh just as kind of fun little Easter eggs just see if you notice them. If you if you do, you do you don't. They I missed them the first time I made this presentation myself. So, so today is not a technical presentation. Uh, I believe the greatest value that I can provide is by sharing my own journey and highlighting one of the most overlooked aspects of cyber security, the non-technical side. Uh there are plenty of resources out there for technical demonstrations, discussions, but we're here on how to

augment your technical skills with strategic thinking about your career, your choices, and long-term growth. Uh we'll explore thoughtful questions and ideas, and by the end, I'll do my best to answer your questions, but most importantly, answer these questions for yourself because no two journeys are the same. Following a rigid blueprint risks diminishing your own unique perspective and my journey is definitely not typical as well. But before we dive into the presentation further, I'll share a bit about myself, my background and my personal path into cyber security. So currently I am a senior information security analyst at Service Credit Union, a role that I've held for almost three years. But my career did not start out in technology. I spent nine years as

an automotive service technician before realizing that banging up my hands, getting covered in oil and grease, and beating my body up wasn't for me. Um, not for another 20 to 30 years, that wasn't the life that I wanted. So, I decided to take charge of mine and my family's future. So, in 2020, I quit my job cold turkey and jumped into a cyber security program. At first, it felt like a radical shift jumping into cyber. But over time, I noticed that it and security weren't completely outside my understanding. I started to recognize familiar patterns and processes that customer complaints weren't different from user complaints. Sometimes user would explain uh sometimes customers would explain the issue and talk to me like I'm five. Car

makes noise. car, don't go. Uh, it was up to you to figure out really what was going on. And in the shop, I learned we learned a simple framework, complaint, cause, and correction. Funny enough, that same structured approach of thinking carried over to when I joined the cyber security industry. Whether it's chasing down an HVAC system when your AC doesn't blow cold anymore to investigating a fishing alert, the process is still the same. Listen to the problem. Dig for the real cause and work towards the right fix. Different industries, same critical thinking and structured problem solving. And no, this is not an elevator pitch for myself as a job candidate. I have a few senior leaders out there, so DM me

after. So, what I But I do I just want to make one point clear. This wasn't some arbitrary decision or moral epiphany that I had. I didn't wake up one morning and say,"I going to be a cyber security analyst." My path included moments of what I call directionless ambition. Uh for example, before jumping into cyber security, I tried power engineering. Uh I heard you know those conversations, those jobs pay well. You should look into that. And he says, "Hey, I did my automotive uh training at NES. They also offered a program for power engineering. Figured I'd be successful there. So, I put in the work. I dedicated a year and a half of uh evenings, weekends, doing the book

work, doing the hands-on lab time, not so dissimilar to cyber security, and even writing the provincial certification exam, eventually getting my fourth class power engineering certificate. But here was my reality check. In 2017, the oil industry here was not booming. Uh, and just like moisture in superheated steam, the glamorous jobs were all drying up. And that's my horrible power engineering joke for the day. But most of the opportunities that I found were for vacation coverage, scattered 12-hour shifts, out of town work, and often I came in second place to candidates with more experience than me. And after a year and a half of trying to find a position, I realized that that path wasn't sustainable for

me. And all of that taught me something. It wasn't just about chasing a job or hype. It was about chasing the right problems to solve and with a mindset that made cyber security stick for me. Unlike some fields, I believe this offers endless opportunities for growth and learning and is extremely self-driven. You really get out of it what you put into it. Whether that's completing training modules, hands-on labs, personal projects, the results are entirely tied to your effort. What I enjoy the most is I don't need an expensive lab environment. I don't need a power plant like you do for power engineering or even to fix my grandma's car to sharpen my skills. I could

experiment, build, learn on my own terms and seeing the impact right away. That's a mix of autonomy and real-time feedback that made cyber security a place where I could thrive and that's what's kept me committed when other paths have felt unsustainable. So what can we take from this story turning let's turn this into actional insights for your journey in cyber security and that's where the what so what and now what framework comes in. So what is the critical reflective model? it comes uh the critical reflection theory usually applied in healthcare and education. We're taking that mindset. We're borrowing that structured analytical approach similar to how a security framework or compliance standards guide technical decisions in an organization to help us

think critically about non-technical aspects of your career. We start by looking at where your current position is and more importantly what excites you about the field. Identifying your passions and your starting point is the foundation for everything else. Then we explore why do these choices even matter, the problems you feel called to solve, the skills that will make your contributions impactful, and how that connects to what organizations truly value. And finally, we bring it down to action. creating a plan that directs your career, making intentional choices instead of reactive ones, and taking ownership of your professional future. By using this approach, my goal is to help cut through the noise, reflect critically on your journey, and walk away with practical

insights to help shape your path. So, we've all seen the ads. Earn six figures in cyber security in just six weeks. Sounds too good to be true. Well, that's usually because it is. Then there are endless YouTube videos or things you see on social media that all kick off the same way. Want to get started? Here's a quick list of certifications and a couple job titles that they tie it to. Like that's all it takes. Through my journey before I started, while I was learning, and still even now, I find these to be no more than a clickbait hype machine for the algorithm. It creates noise instead of clarity and makes it hard to see real long-term

direction. The oversimplification of breaking into and thriving in cyber security creates unrealistic expectations for new people. It leaves you feeling frustrated, second-guessing yourselves, and convinced that you're already falling behind. Even though the demand for professionals is real, it's not just the quick one-sizefits-all story that the internet loves to sell. And maybe I do expect more than what a YouTube video can offer. I am a little greedy, but this isn't some side hustle. It's my career and it's your career. These decisions deserve more than shortcuts and halftruths. Recognizing the gap between hype and reality helps us stay grounded to build a more meaningful career and and the fact that there is no one quick fix solution is a good thing

whether or not it's the degree that gets you past HR. But what matters is proof showing that you can apply your knowledge and not just pass a test or a certification. Certifications are useful, but certyz alone won't land you that job. So what does success look like? Projects, your portfolio, your labs, your social media visibility, tangible evidence that you can solve problems and not just study them. Employers care less about acronyms on your resume and more about the impact that you can demonstrate. That shift in mindset from collecting paper to building proof answers the question we keep coming back to. What does it take to turn the hype into something real? So you've started whether you're just

entering the industry, finishing school, in school, or maybe your first job. You've earned that certification. But what comes next? This is where I found that I stalled out with my progress. The temptation to blindly follow someone else's road map to collect the next badge or chase a skill without direction. It's not growth. It's autopilot. By applying this critical reflective model, you can turn uncertainty into clarity. So, where are you now? Again, what tasks energize you? What feels like a drain? Uh, a quick story here. Early in my career, I realized a key realization from looking at the metadata of my days. I needed more work. I needed more from my work than just dirt, oil,

and grease in the automotive industry. I craved the challenge. You know, that part that scratches your brain that feels good when you solve that problem. That dopamine feedback, not just the repetitive tasks of replacing brakes or tires or an engine over and over again. That repetitiveness. That realization led me to cyber security. That no two days have been the same since I started. And that variety and problem solving is what gets me out of bed in the morning. And why does it matter if you pick a path that doesn't align with your energy long term? Burnout and stagnation are real. It'll make those hard days even longer. And so now what? Begin with small experiments, lab

projects. Explore different types of work detection automation policy threat hunting before committing to something. Once you understand that starting point, the next step is to figure out exactly what excites you the most. And passion isn't just about hobbies. It's about what sustains you through those challenging days. Loving the work gives you stamina, which allows you to grow and tackle those increasingly complex problems. Ask yourself, do you enjoy investigation and analysis? Maybe you do enjoy digging into security alerts, logs, or anomalies, following threads until the root cause becomes clear. For instance, tracing a fishing email from recipient to impact across multiple systems, connecting the dots that no one else noticed. What about mentorship and knowledge sharing? Do you enjoy sharing your

knowledge with others? Maybe you mentor junior people coming into the industry or into your workplace environment and help them have that aha moment when you when a complex vulnerability or alert or concept clicks. You're passing the torch ensuring the team can grow collectively. Documentation and communication. You take pride in creating clear actionable guides and reports. Perhaps you standardize an incident response document so that any team member, regardless of the situation, can follow those procedures seamlessly. It's explained where everyone can understand. Turning those messy notes into into something anyone can understand and execute in the moments that you need them. What about automation and innovation? You enjoy building efficiencies and creating new solutions. Even small wins

like tuning security alert rules, for example, can be deeply satisfying to me. Investigating patterns, filtering noise, and watching that daily alert count go down because you're tired of looking at the same alert over and over and over. It's the tangible payoff to solving problems with both skill and creativity. for example. Oh, Mark from accounting logged into his email while traveling. Ah, I don't need to see that. I don't care. It's a mobile device. It's managed. It's approved. And so, now that we discuss what is your passion, the next step is translating that into direct skills that will make you that'll make a real impact. So your interests and passions tell you where to focus your energy, but skills

is where you turn curiosity into tangible impact. This is the middle building block before asking what does the business care about. Identify where your passion interacts with problems you enjoy solving. Love detecting threats? Focus on SIM queries, detection engineering, curious about systems and infrastructure. Build skills in cloud security, attack surface hardening, incident response. Do you enjoy policy and governance? Learn frameworks, compliance mapping, and reporting tools. The key takeaway here is that skills aren't just checkboxes. They're tools to express your passion in ways that create measurable impact. And with that foundation, you're ready to align your work with what the business truly values and makes your contributions matter. So ask yourself what problems are important to the business? What outcomes

do leaders care about? I've been in enough highle meetings to know that if you start talking for longer than 30 seconds on a high level problem, somebody's eyes glaze over. Mike,

examples of examples of high impact contributions. Reducing the risk, creating detection rules and hardening systems that prevent breaches save the company time, money, and reputational damage. Improving efficiency, automating repetitive tasks, alert triage, reporting, patch management frees up time for other for yourself and other team members for higher value work. Enabling better decisions, dashboards and analytics or reports to help leadership understand the posture, where you're going, and make active changes for the better. But be ambitious. If you see a problem, look for ways to provide a solution. taking initiative and proposing improvements, automating processes, identifying gaps. That kind of work rarely goes unnoticed. This is how you stand out to become a trusted contributor. But make sure you document and

communicate your wins. For example, I automated alert triage reduce analyst time 20 hours per week. Metrics get noticed where effort alone does not. But most importantly, your soft skills matter. The business values people who can explain technical issues in plain language, influence decisions, and collaborate with other teams. Technical talent without business context can limit growth. We've all been in that position asking why didn't I get that job? Why didn't I stand out amongst applicants? From my experience going from an interviewee to an interviewer, I've seen what really differentiates candidates and where they often struggle and it's usually communication. Whether it's their resume or the verbal communication skills, candidates fail to showcase their impact and advocate for

themselves on why they're a great fit. Why you? Why you amongst all these other candidates? Most people do have the same certifications you do. They have the same education you do, but why you? Cyber security interfaces with many different departments and people. So clear and concise communication is truly what makes someone stand out. Let's let let's take a cyber security approach to this. Let's let's conduct a mini audit. Look at your resume. Map it to business outcomes. Does this activity showcase that I can prevent losses, save resources, or make my team more effective? With a clearer understanding of what the business values, you can take ownership over your career and make intentional choices. So, take control over your future,

building visibility before it's needed. Just like prepping for incidents, build your professional presence early. Post on LinkedIn. Write about CTFs, projects, and policies. Translate the technical to the non-technical to show that you have that capability. Create a consistent online brand that showcases both your skills and your interests. Monitor the market in your position. The job market is saturated. The last last few roles that I've been a part of for interviews, we're talking a thousand applicants per role. And that's just a small scope within Alberta. Understand where you stand and again identify what differentiates you. Why you amongst all of those people, but cut through the noise. Résumés are just snapshots of your experience. But your actions, your projects, and your

visible work create that continuous online brand. And by putting yourself out there, you can demonstrate that skill and consistently build experience. Control your narrative instead of waiting for someone else to decide if you're good enough. This approach helped me and eventually landed my first cyber security position. And the story I'd like to share about that is while I was working my practicum placement with through my college program, someone told me that I I could expect 5 to 10 years of working in IT before I could get started in cyber security. And I'm sure I'm not the only one that's heard that story. [clears throat] But that was disheartening to hear from a newly enrolled student. To hear that from an

industry veteran, that didn't make me excited. But I decided to keep putting in the work, studying, earning certifications, doing projects with no guarantees of anything. Well, what was the alternative? I could wait until someone else decides that I'm good enough to join their team based on ex experience alone, tenure. Just because you do something for 10 years doesn't mean you're good at it. I was an okay mechanic, but you know, not my cup of tea. >> [clears throat] >> But here's an important reminder. Just because you're coming from a different field doesn't mean you have no work experience. I spent a decade interacting with customers, co-workers, training new people, and building those transferable skills that directly apply to cyber

security. And by recognizing and leveraging that experience and by consistently demonstrating skills rather than just hoping for someone's permission, I eventually reached the point where I could apply for that position. And that's where I'm at now. And so apply knowledge with business value. Don't just learn. Again, it's the same it's the same point. Demonstrate that real world application. Show that your technical skills solve problems, not just some word dump verbiage on your resume that has XDR, NextG, SIM, AM, DLP, all of that stuff. You can't be an expert at everything. But reflect and advocate and improve. Be your own best advocate. Reflect on what works. Iterate and improve your outreach. take a chance and present on a topic

you're passionate about. Maybe at Bides Edmonson next year. And no, they didn't pay me to say that.

This went a little bit faster than I was thinking. [clears throat] It's the end of the day, so I'll give you your time back. But you don't have to figure have it all figured out today. The cyber security industry is massive and your path won't look like anyone else's. And that's a good thing. What truly matters is how you use them to solve real problems and create that value. Your journey is a series of informed decisions, not random guesses. And by asking yourself better questions, informed questions like the ones that we've covered, you're already ahead of the game. It's not cyber security isn't just about securing environments. It's about purpose and impact. But keep showing up, keep

learning, and keep building your brand, your network, and your direction. You don't need someone's permission to get started. You just need momentum. One final message, discover what truly interests you and align those interests with skill development. Because there will be tough times and long days, but your passion and your direction will sustain you. Showcase your skills to those who need them. Become that trusted adviser that people rely on. When the right opportunity comes along, you're the you'll be the first person that they recommend. And I know that's where I want to be. And so with that, it's a little bit early, but thank you. >> Yeah. [applause]

>> [applause] >> And since we and sorry just before we get to questions, I do have my notes here. So for anyone that was interested in the Easter eggs, we're just gonna we're just going to go back through here. Uh so here's the first one. Can anyone tell me what the what's wrong with this image? >> Uh skip. Sorry. >> Yeah. I've never seen a car that has two mirrors on the right hand side like that. So, thanks AI. [laughter] The images were AI generated, not the content.

voters. [laughter] >> Yeah, it is. Yeah. So, there is another when when I asked it, I said, can you create an image that combines automotives with cyber security? And that's what it came up with. I don't know. My shops never look that clean. So, uh the next one, can anyone tell me what's wrong with this image? >> Yeah. >> Yeah. >> That's right. and the spelling of the engineer. Yeah, it's all kind of doesn't handle text very well. And then what's wrong with this one? >> That's only it's missing missing a couple fingers, one on each hand. So >> maybe diversity higher. I don't know. >> Um but yeah, any questions? Mitch, I mean random person. I don't

know. I didn't fill the audience. I swear.

Uh definitely. Um so when I decided to make that switch from the automotive industry into cyber, I knew no one and nothing. Um so what do I you know what do you do? You go you go online and Google it. Try and find some information of what uh what can help you. And I have a very specific story. So, um I didn't plant that question, I swear. But there's a story that I that I went through that that really helped me is randomly looking through cyber security YouTube videos and then I ended up seeing this live it was a live video feed. Uh it was a heat map of someone had placed some honeypotss across the

world and it could show the active attacks going on back and forth. And I thought I don't even know like at that time I didn't even know what a heat map was. I just thought hey this is cool. what what's going on here? This this looks really interesting. And the person messaged back to me within five minutes. If you think this is interesting, come to my Discord channel where we'll talk more about it. Um, and this isn't a plug for any specific Discord channel. If anyone's interested, I can give them the information. But what I did find was a community of interested professionals, people of anywhere from zero to 20 plus years of experience in the industry,

reaching out and asking them questions for that the answers I couldn't easily find or the answers that I wasn't personally satisfied with. When I'm coming from a a background that isn't typical, I'm not a CIS admin. I'm not a network admin. I don't know what the right questions to ask are. But if I sit around long enough, engage, and and take in the feedback that I'm getting and seeing what other questions are being asked, I can get that extra perspective and that value that, you know, I didn't get right away. I was already in my program for almost two years before I decided to do that. And I just happen stance came across something. And that,

you know, I don't want to be too cliche, but it kind of was a life-changing moment. It took that, oh, well, I'm just doing a college program because that's what everyone does. go to college, get an education, get training for the job. But reaching out to those individuals, and having that back and forth is what gave me like, no, I'm on the right track. I'm asking the right questions. And no, you shouldn't need that external validation. But when you don't even know really where you're going, it really does help to chat with people in the industry. So whether it's a discord channel, whether it's bsides and you're chatting with a vendor, you're chatting with an anyone here, that's where the

real value comes in and can help you through those tough times when yeah, you don't know the answer, but maybe someone else has been through that just like I have now. And I mean, that's why I'm here because when I first started, I didn't come to Bides. I didn't know who to ask. And I thought, hey, maybe if I share this presentation and my journey, I can cut the learning curve for for anyone here. So thank you. I think that's everything. So again, thank you all very much. [applause]