Performing Like a Cybersecurity Champion

the next talk will be performing like a cyber security champion by chris cochran chris cochran is the director of security engineering for a financial technology company by day and producer and host of the popular hacker valley studio podcast by night chris's prior active duty us marine corps intelligence which led him into a career in cyber security he has dedicated that career to building and leading advanced cyber security teams for organizations across many industries his ultimate passion is finding and amplifying human stories and cyber security to inspire and enlighten our community chris excellent thank you for that introduction thanks david for the uh invitation to come and join everybody here at b-sides uh everyone i want you to

take a moment and indulge me for a second i want you to imagine it's january 1 of 2021 and you decide that you want to be a chess competitor and you start to play around you fiddle around with a couple games you might play with some people in your household or neighbors and before you know it the chess competition has arrived and you enter the arena and you sit down at the table you have the chess board in front of you see all the pieces and the person that's sitting across from you is a champion and you can just sense it you don't even necessarily have to talk to them you don't know their name you don't know

anything about them but you can sense that you're about to play against a chess champion and it's even more evident as they start to make moves they start to to crowd your pieces you feel this incense incessant pressure against your pieces as this is going on you start to develop a crowd around you everyone's really fixated on this game so this brings psychological stress you're just it's really not going well for you and before you know it the game's over you look down at the board and there's checkmate and you look across at your opponent and your opponent says let's play again and then immediately you are brought back to january 1 of 2021. what would you do differently between

the decision to play to that game how would you approach your training how would you approach your mentality your mindset in order to become a champion in that competition so this is what we're going to talk about today performing like a cyber security champion i'm chris cochran i'm one of the co-hosts of the hacker valley studio podcast where we focus on the human element the human condition to inspire peak performance in cyber security so we look at the the entire facet of cyber security practitioners we honestly believe that cyber security practitioners are mental athletes with no off season we're playing chess every single day against an opponent we can't see an opponent that's constantly trying to

get better and better at the same time that we are and so we try to bring in the different facets of of life and humanity into our cybersecurity practice to make everyone better i spent a lot of time in the government i was in the united states marine corps i was at the national security agency for a little bit i was at the united states cyber command when it first stood up i was at mandiant for a little while and ultimately i went to netflix doing threat intelligence but now i'm the director of security engineering at a financial technology company called marquetta so what's this going to be all about like how do you become a cyber security

champion so i'm going to give you two frameworks that i use both for cyber security and life and hopefully you can use that information to be your best and we're also going to give you some of our hvs principles which we've gotten from our guests we've had we've done over 120 interviews at this point and so we talked to really really intelligent people in different paradigms and loved talking to those folks and pulling out those golden nuggets and so we're going to share with some of those with you today as well and then also this is hopefully going to motivate you to be that cyber security champion that i'm talking about so what is a champion so a lot of times

people think of champions in sports people think of champions in other competitions but a champion is a victor and a challenger competition but who is this competition when it comes to cyber security well i'll get to that in a moment but i have some quotes here from folks that are champions in their own right mike dikka gabby douglas michael phelps and they have really good quotes here about being a champion and what i want you to notice at this point is that it doesn't it doesn't necessarily they're not talking about genetics they're not they're not saying you have to be this tall or this strong or this fast in order to be a champion it's not about

your your resources it doesn't matter how much money you have it's not about where your your upbringing where you're coming from it's all about your mindset and your ability to to have grit and persevere so when we talk about becoming a champion that is one of the only criteria that you're going to need to have in order to be your best at whatever it is and this is mainly going to be focused on cyber security but both of these frameworks can apply to anything in your life so exist is a framework it's a framework that ron and i created while we're doing a think week we do think weeks and if you're not familiar with what a think

week is it's basically when you focus for a few days at a time you disconnect from social media you disconnect from technology and you just sit and think a lot of times folks that do think weeks like a la bill gates they'll go by themselves and read books and take notes i like to do thing weeks with my my co-host ron eddings because we can bounce ideas off each other and come up with some amazing things and this past think week that we had we came up with this exist framework and what it is is the framework really for excellence in any facet that you can think of whether it's a new hobby whether it's a new career maybe you're

transitioning into a sub component of cyber security maybe it's sports but if you talk to anyone that's successful in just about anything they're gonna follow these this criteria and so we're gonna and i'll explain what the exist framework is right now exist is ex is explore so how do you explore this world that you've you've discovered i is immerse s is study and t is translate or transform and now we're going to go into each one of these components and see how we use this for life and in cyber security so explore one of the things about explore is the beginning of that journey whether you're in cyber security right now and you're thinking about

transitioning into something like leadership or you're transitioning into a different component of cyber security maybe you've been on the compliant side but you really want to be a threat hunter maybe you've been a threat hunter but really you want to focus on incident response so being able to to pivot is another key component of explore like first you have to realize that this world exists and once you realize this world is exist you it might like speak to you and it might not so in this phase you really want to dabble dabble dabble what are the different things in this realm that i want to do when we were kids maybe we played an instrument

a lot of times we played a diff a lot of different instruments we didn't just pick the saxophone and play the saxophone forever some people did but a lot of folks said ah saxophone's not for me so i'll try the violin ah violin's not for me so let's play the drums so dabbling is one of the most important things when you're in this exploration stage figure out what's all out there figure out what worlds exist and once you figure that out you're gonna feel something once something try to uh gets a hold of you sometimes it's gonna hit you like a tuning fork and sometimes it's gonna be a slow burn i'll give you a story of when it hit me

like a tuning fork it was many many years ago when kazaa was the way to share videos p2p not the best way to share anything these days but i digress and i saw a video of a dancer and this guy was doing stuff i'd never seen the human body do before he turned his body into jelly he turned into almost like a cartoon character he turned into a robot he did all these things with his body and and instantly i knew i was like i'm going to start doing that and i started practicing i started figuring things out i started seeing the different sub uh styles within dance and i actually became a dancer before the united states

marine corps i was a dancer i traveled around i performed i taught and it was it hit me like a tune for from that moment i was a dancer and it was it was easy for cyber security for me it was a really slow burn for cyber security i had an interest in cyber security i was interested in technology i was really interested in building computers and connecting networks cyber security is just something that i thought was kind of cool but it wasn't until i got better and i built confidence and i was able to use my experiences my knowledge my creativity to bring about new solutions that's when things really got interesting for me so don't think that if something

isn't going to hit you like a tuning fork that it can't be something that you use in this exists model you can actually use a slow burn as well merely knowing that there are different worlds right if we're talking about sports understanding that football gymnastics cheerleading wrestling baseball different sports like that these are different worlds that you can explore in cyber security threat hunting threat intelligence incident response compliance even tpm work technical program management these are different worlds that you can explore each world has its own lexicon and its own concepts and personalities and books and things like that so it once you understand that each of these worlds is a world unto itself that instantly would spark your

curiosity what worlds might speak to me in the future and so once we find that thing that we want to to pursue and we want to go into we go immediately into immerse now what is immersion when you immerse yourself if you wanted to learn a language if you wanted to learn japanese one of the best things you could do is go to japan live there for six months and then by that into that six months you would feel like you have a good solid base for japanese is that possible for everyone of course not so what are the ways that we can immerse ourselves in our houses especially with things like kovid we're here

and we're stuck so how do we immerse ourselves we immerse ourselves in imagery concepts and community imagery what are some of the things that would trigger us to remember to be in this world maybe we're looking at incident response maybe we're looking at something like a bug bounty if we're in this want to go into the world of bug bounty maybe we have a bug bounty poster up on our wall and it reminds us every day that that's right i want to get better at bunk bounty maybe that's a competition that's already passed but it's a competition that i want to go to in the future so surround yourself with that imagery surround yourself with the concepts in

the community surround by surrounding yourself with these people you are able to just learn the terminology without even studying or looking things up you just ingest it by being around this stuff all the time i'll talk about my dance career again when i was a dancer i would dance with a bunch of folks and i would literally level up every time we would all gather around even if i didn't dance just by watching and observing other people doing their craft i was able to learn and so being around people that are really good at what you want to do is another way to immerse yourself into this world one thing that i just read this is a

relatively new book and actually just uh interviewed stephen kotler um he writes all these books on flow i think he has a like three or four books on flow at this point and the art of the impossible is probably my favorite book on flow so far and it combines flow it combines purpose it combines pers uh passion and one of the best nuggets of wisdom that i got out of this book was this five book strategy he calls it the five books of stupid and this is another way that you can immerse yourself because you might be thinking like oh wow it's easy to immerse yourself in a language how do you immerse yourself in a topic

and so this is what he says he says the first book you should read and you should all read all five of these books as if you're reading a novel not even necessarily you're reading it to study because we're going to get to study here in a moment but read these books as if it's a novel and if there's anything that you want to note note it because it speaks to you or it's interesting or you're curious and you write that stuff down don't write down definitions or all that only if it's interesting to you so number one the first book is the book that is the best seller in that particular genre maybe it's the best book on

our analysis and it should be a book that's relatively fun it could be fiction or non-fiction something that gets you jazzed up and interested about your topic so you go from that book and then you go into the next book which is also as exciting but it might have a little bit more about the basics of what this this world or this genre is about maybe it's uh something simple for vulnerability management but it's still relatively fun and exciting your book three is going to be your first technical book it's a book that lays the foundation for whatever world you operate in so what what are the the key components the key concepts that we might know

about book four before is going to be the most technical book you're going to read out of the the five books this might be difficult it might have problem statements it might talk a little bit over your head it might talk about certain challenges that people at the top of their game are facing every single day and it's not for you to uh to completely memorize that book it's all about immersion it's all about understanding the terminologies it's all about exposure to this world and then the final book and is actually a little easier than book four book five is all about the future of whatever it is you're looking at so what is the future of mou

malware analysis what is the future of security operations what is the future of threat intelligence this is the forward thinking book that allows you to apply abstract concepts to your learning as well and so one thing we wanted to say about or one thing i want to say about this immersion is enter the world as much as you can so right now i'm using the exist model to learn chess i started playing chess maybe two months ago this is after we had grand master maurice actually come onto the podcast and ever since then i was like you know what i'm gonna go ahead and i'm gonna explore this world and i'll tell you what it has been a slow burn for me uh it's

tough because i've been competing i play against people quite often every single day i'm playing chess and it's humbling because i'm not great not by not by any stretch of the imagination but i'm constantly applying these concepts to get better every single day i have a chess coach i play every single day i take classes i watch videos i have books i have two books sitting here right now 100 games you should know and uh complete end games course non-stop so enter the world as much as you can because that exposure and that repetition will help you for the next stage in the next stage you're going from immerse which is pretty passive it can be active

if you're reading books and things like that but study is the active component of getting better so sharpening the axe what i'm talking about is metal learning so learning how to learn and you're thinking like why the heck would i learn how to learn i i went to school i went to college i got my master's i got my phd a lot of times we don't think about how we learn until it's too late we learned how to learn when we were kids and most people never go back to revisit it so i've done a couple courses on learning jim quick he has two courses that i took one is on reading how to and to better your reading speed

your comprehension uh and then another one is memory how do you remember things uh better faster and more completely so learn how to learn like think about how you take an information best and how can you apply that to whatever it is you're doing so really understand like maybe you listen uh to audiobooks and you are able to retain information that way maybe you have to read it uh on on a book or on your computer maybe you're a more tactile person you have to do things over and over again over again to get better figuring out how you learn best and then applying those concepts of learning to your exist framework is going to be

super useful in study you're thinking about what are the courses books articles podcasts and mentors that you could have in this world because if you're trying to learn on an island it can work and you can figure out some really cool and unique things but if you're trying to shorten that learning curve as short as possible this is what you're going to need in order to to shorten that learning curve and begin to perform at your best one of my favorite books is tools of titans by tim ferriss and tools of titans is a distillation of his podcast um he's had a podcast for years at this point and he took the best techniques uh pieces of advice the technologies and

tools that really really successful people use and he boiled it all down into this one book and one of the best concepts i thought was in there is this idea of a mini mba and it doesn't have to be about business what it could be about is whatever it is that you're really interested in let's say you're interested in threat intelligence right now you're a security analyst but you want to eventually get into threat intelligence so what are some of the courses you could take you could look at uh different uh organizations that have threat intelligence uh content uh what are some of the books that people have written on threat intelligence articles podcasts that are focused on threat

intelligence who are the top top performers in threat intelligence reach out to them can they be your mentor so being being able to pull all these resources together and sort of setting up your own learning path is super super crucial and just knowing that that's a possibility would really get you excited about being able to learn in the way that you best learn the main thing about the study component is adopting that craftsman or that craftsperson's mindset understanding that you're going to have to work every single day to get better at whatever it is that you enjoy and even if it's one percent better every day if you add up that one percent every day for 365 days

that the the percentages are going to be stacked in your favor and imagine if you did that over the course of five or ten years you really start to see things that were impossible for becoming probable for yourself and then finally when we get to the end of existence that translator transform this is where we execute and give back to our community we teach peers translating we we show them uh exactly what we found our research things that we've been working on are our tactics and and techniques that we've acquired over a long career being able to give back to them and also for our youth because our youth is really going to handle those problems

in the future problems that we don't even understand are problems just yet so giving back is one way to to translate the information that you've gained over this this journey so far and then leveling up our community maybe you invent maybe you innovate maybe you completely change or engineer something maybe you created something like a framework that people could use for their day-to-day work really try to give back in some way and now i'm i know you're thinking like well what if i want something just for me what if i'm entering in this world and it's for me and it's not for anybody else i don't want to teach anyone i don't want to show anyone

i don't want to change anything that's completely fine it could be all for you if you want to do ctfs but you don't care about the score you just like the puzzle that's completely fine if you pick locks you sit there and you pick locks all day and you never tell anybody completely fine it's all about transforming yourself it's all about translating your skills to practice that's really the key component but if you can help your your community while you're doing it that's all the better so this is where we really look at excellence and then i'm going to show you how we've used our translate and transform into creating easy now easy is an

acronym that was originally focused on threat intelligence while i was at netflix we had a visitor come to speak to the entire company we were all in the auditorium it was jerry seinfeld a pretty popular comedian and we're sitting there we're talking having q a and someone asked what is something that you're focused on now you've had this incredible career what are you doing now and the thing that he said really resonated with me is that he wants to give back to his people other comedians he wants to show them uh the ropes he wants to show them you know the mistakes that he made maybe give them a leg up and literally on my way from the

auditorium back to my desk i came up with this concept of easy because i'd spent a long time in threat intelligence and i've i thought what if there was an easy button that you could press that people could use to get back to ground zero from a threat intelligence perspective so i'm going to go into that in a second we created a course for it i'll have a link at the very end of this uh presentation of how you can check out our attack iq academy course it's a free course it's a couple hours long you get a badge and all that good stuff but i'll show you at the very very end and also throughout the end of the rest

of this talk i'm gonna sprinkle in some of our hvs principles and these are some of the principles that we've pulled from all these great guests that we've had over the last couple years or so so easy is a another acronym right so exist and now easy e is for illicit requirements that is the the backbone of everything a is assessed collection plan s is try for impact and why is yield to feedback now you're thinking like all right i'm not in threat intelligence i don't care what's interesting about this framework is that it not only applies to threat intelligence it not only applies broad more broadly to cyber security but it applies to just about any

service-centric thing that you can think of and you'll see what i mean in a second so illicit requirements requirements are the most important thing when it comes to services intelligence and cyber security they're the foundation of any endeavor what are the what is the information that you need the equipment the skills that you need to do to perform your role from threat intelligence what what is the threat intelligence platform i'm using my threat feeds what are some of the accesses that i need internal to my company if you're doing something like incident response do you have an incident response plan written out so that people understand who's doing what do you have some response automation in

place so whenever an uh an incident happens you're able to hit that that red button and launch into a war room and pull some documents together what are the skills that you need if you're building a specific team and on your cyber security team if you have a vulnerability management program that has no one right now what are the skills that you're going to need in order to do that mission identify the stakeholders as cyber security practitioners we have stakeholders we need to support everyone else in the company so that they can do their mission a lot of people think of cyber security as like this department of no no you can't do this you can't download

that you can't use this application but i like to think of cyber security in a very different way i was never into formula one until about like two years ago and then netflix came out with this the series called drive to survive and it enters you into this crazy world of f1 racing there's only uh 22 f1 drivers and and they are they are all fighting for these spots and they're all fighting to win and they drive these incredibly expensive cars and the most interesting component i think about this entire formula one world is the pit and it's not just the pit the the folks that are actually doing the the changing of the tires and all that stuff but the people

that are watching the gauges the people that are saying up the run engine's running hot you might want to back it down a little bit oh you're you're losing tread on your tires you might need to bring it in your axles off they let the driver know how hard they can push their car to make it to that next uh position maybe they they're in fourth place but now they know they can push their car a little bit more to to go to third and then maybe you could push your car even harder to to take the lead so the that is the the role of the pit is to let the driver know how hard they can push the car

without running into danger and that's what we do in cyber security we tell the business how hard they can push into innovation into speed without taking undue risk to the health of the organization so if you think of cyber security in that way you're in a much better place and in fact the majority of the folks that are in the business units are going to appreciate you for it so one thing that you want to to understand this is one of our principles the quality of your work and your life is based on the quality of your questions so understanding the needs of others eliciting those requirements talking to people what do they need to do their mission if you're doing

threat intelligence what do you need to know to make better decisions and take better actions if you're the cyber security leader or the cso what can i do for the other folks in my in my business unit on the executive team to make their jobs easier so they don't have to worry about security so think about that think about the quality of your questions now you come from these requirements and now you assess your collection plan very very specific to intelligence but also to cyber security as well what do you need so let's say you need to build a few different teams you need uh governance risk and compliance you need security operations and you need something like a purple

team you need those things so how many people are going to need how much budget are you going to require in order to get the tools that you need for visibility into your network any facet of cyber security that you can think of is going to take requirements maybe you're leading any one of those teams that i just mentioned what are the things that you're going to need to execute your mission and being painfully on what you need is going to help you not only develop respect with everyone else that you're supporting but it also it's also going to let them know to what to expect from you and your function so knowing exactly what

you need and also think internal and external so think about it as like what do i need internal to the team and what do i need from everything out there also specific to threat intelligence internal collection what is all the information maybe what are the different logs uh different resources and events that i want to pull in to understand and what do i also pull from the outside but the same thing applies to cyber security as well what do i need to know internal to the health of the organization but also what does the threat environment look outside to my organization so being able to pull from both is going to be paramount identify the gaps in your collection

when you don't have visibility when you don't have information from a threat intelligence perspective you need to ask for it you have to say hey in order to protect x we need y and we need to understand why and we need alerting on a regular basis so leverage technology to find the people in places where they have answers to those questions so pulling from open source pulling from your favorite uh podcast or pulling from your favorite researchers on twitter thinking about where you can pull all this information and if if you can do it in an automated fashion all the better because we are usually pretty constrained when it comes to resources on our cyber security teams so if we can

use technology to pull resources talk to people leverage those networks we'll be better off for it strive for impact one of the most important things that i've seen when it comes to cyber security and threat intelligence is making sure that you're making an impact and then how do you understand that you're making an impact or show you're having an impact on an organization that can be pretty tough and this is one of the things that's usually missing when i've done consulting engagements for when i was a consultant the most important step is the next one so continuing to iterate and get better constantly getting better in whatever field that you're really focused in cyber security

is paramount like you can't rest on your laurels you can't rest on what you did at last company you can't rest on that stuff you can't rest on what you learned in the in the course you have to continue to move the ball forward because one of the most important things in cyber security is mental agility how many times have have technologies changed since you've been in the game exactly things change all the time so having that mental agility is super important so always stepping forward is is an incredible piece of advice for folks that are wanting to make an impact and then looking for those high leverage solutions that will help build momentum if you're

a brand new leader or you're a brand new practitioner to a team you want to look how do i make the most impact with the the lease amount effort sure you want to work hard but you want to be able to to scale that impact across the team across the company across your community so look for those high leverage points that you can just say up fix it and and now this attack vector is no more uh measure your progress and performance through metrics i know net metrics isn't this awesome sounding thing but metrics will help you gauge your performance in the the health of your organization today and also help you set up goals for

the future so maybe you're you have certain metrics to show you the health today and then you're like you know i want to be here or x y and z uh by 2022. metrics are going to help you really get there and see the impact for the organization and also you can look for metrics and app and farm for dissent talk to other people in the organization like what metrics would be interesting for you to see from a cyber security perspective and then putting the time in through deliberate practice one of my favorite books is cal newport's be so good they can't ignore you so constantly practicing i know sometimes it's hard to pull away

for tabletop exercises it's hard to pull away for for war games and purple team engagements but those things are really important because you you never rise to the challenge you always fall to the quality of your training so making sure you deliberately practice whatever it is you're trying to be good at is one of the most important pieces of advice that i could give and then finally the last portion of the easy framework is yielding to feedback because feedback is a gift feedback even if it's not necessarily correct feedback tells you something so if someone's telling you uh hey this is this is not right i don't like this even if it is correct and it is the best

course of action there might be a situation where you would want to communicate or educate that stakeholder or that person that feels like they need to give you that feedback but use that feedback to constantly get better those little improvements is how champions are made like just constantly tweaking and tuning when i started the podcast we had no idea what we were doing like it just over time i just messed with it every single day so for the past two years there hasn't been a day that has gone by that i haven't thought about the podcast and trying to improve it so everything from the marketing to the audio production to how we ask questions i had a vocal coach

for three months people thought i had a great voice as is but honestly i i knew there was more there and there's probably more that i could do i could continue to go to vocal coaching and and get make things better over and over and over again but this is how much i put into my craft this is how much i put into my cyber security career constantly getting better in different ways now i'm focused on leadership so how do i support my team and operate my team in the best way to get the best outcome for the company and and also i want to think about my my people how do they need to grow

what are their goals and their their career where do they want to go in the future how do i help align what they want to do with what we need to do as a team so that's really what i'm focused on from a cyber security perspective look for immediate and frequent feedback just like in chess if you make a bad move you instantly know you made a bad move because that person is responding it's it's it's easy to kind of sit back and wait for feedback at the end of something then you have like this whole mess you're trying to boil the ocean oh wow this this whole process was completely jacked up whatever it is that you're building

but if you get iterative feedback as you go down the road you're going to have a better product on the end of that so always look for feedback and measure your growth we talked about metrics before metrics help you see the health and the future of whatever it is you're building so measure your feedback maybe if you're doing threat intelligence you could look at relevancy and impact um and you're you're sending out a google form and saying hey i need i would love some feedback on the rfi that i sent you or uh the answer to the rfi and uh if if you could rate me on a scale from one to five on our support would uh gladly

appreciate it and you can use that to help measure the same thing with incident response once you do your your post incident review or your after action talk to the folks that you worked with what could have gone better did what what did we do right what was surprising how did we get lucky using that as feedback as well is going to help you get better in cyber security and read and listen intentionally to learn every day so this is another way that you can get learning is just by listening to feedback if you're constantly asking folks hey you know is there something i could have done better here or i couldn't and sure some people might find it annoying if

you're always pinging them but uh it's better to know than to not know so constantly just have that mindset of learning every single day one last thing that i want to say in one of my my favorite principles that we live by on the hakaveli studio is create your habits and allow your habits to create you it's all those small iterative changes and i've said that a few times during this talk we've talked about the small changes that you can make to become better at whatever it is that you do and slowly but surely over time you become this champion you become this monster of a practitioner you become this monster of a soccer player you become

this monster chess player all because of those iterative uh improvements and we had like i said uh grandmaster maurice ashley and he said something that resonated with me and i'll take with me for the rest of my life in order to become a grand master you must first be a grandmaster now what did he mean by that he meant that if i decided today that i wanted to be a chess grandmaster i should start operating as if i'm already that grand master so if we want to be the best incident responder in our in our team on in our company we should start operating as if we already are the best ir practitioner that we are whatever it

is across the board whether you leave cyber security and go to a different role or you're talking about parenting operate under that context and you will instantly improve your your ability to operate and that's through patience and persistence it's not going to all come in once it's not going to come overnight it's a constant grind and part of that grind is where we operate as cyber security practitioners so uh with closing thoughts and i'll definitely open it up for questions use exist and easy as you see fit for your life or your career get creative with cross paradigms on our podcast you know we talked about having that chess grandmaster on we've also had fight analysts and authors and

life coaches all sorts of these different people but i we try to apply all of those nuggets of wisdom to cyber security and then also leverage our community we have brilliant powerful hard-working people in our community and if you reach out to to folks more than likely they're going to respond back so definitely leverage your community as much as possible and with that thank you very much these are some of the places that you can find us definitely reach out to me on linkedin um decent with twitter but if you're interested in the uh the podcast hackervalley.com and then also if you're really interested in continuing to learn about the easy framework uh when it comes to threat

intelligence we have a course that we put together with tech iq and you can get that at hackervalley.com forward slash easy and i'll leave this up for a second and i'm going to pop over to some of the questions hey chris thank you very much for all your insights while people are formulating questions type some more into chat i just want to mention well the first time i met chris was on a sort of a book club meetup where they were highlighting tribe of hackers security leaders and he was one of the panelists and discussing some of his insights into leadership and some of his styles and of course he was applying his frameworks um and telling it teaching us all about

them so uh that's how i was like yeah like that's that's a good keynote that guy needs to talk to the people of hunchell alabama um one of the first questions i see here is uh thank you for having that information so anybody else has any any questions um i believe if people here have the ability to unmute themselves but also in a smaller format if you're okay with it chris our discord has a room called talks q a are you willing to sort of hang out there for a few minutes to give people a chance to again ask some questions yeah all right so one of the questions here was um someone else is learning chess uh any

pointers uh play as much as you can um i i got a coach uh coach kind of helped me build those those good habits so if you can afford a coach that'd be great um like the the books that i'm reading right now uh like i said i i'll uh try to throw these into the discord but 100 end games you must know because he said you should focus on end games not even even necessarily opens even though openings are are important um end games help you see patterns and throughout the game even if it's not necessarily in the end game and then sillman's complete end game course so these are two books that i'm going through right

now play as much as you can play the bots uh especially if you're not feeling like you're ready to start competing against people uh that that's what i did i really started focus on the the bots and like chess.com or even uh like chess uh but yeah there's there's so many different ways to get to get practice and then i love it too the um if you could uh like even if you don't play chess right just take the titles of those books put them on a post-it and then put them up in front of you for tomorrow right yeah because no matter what it is it's just a commentary on working towards your goal right uh

making moves that are going to make you a success in the end and having a picture in your head of what that looks like i love it and then yeah if you're playing chess i mean the end games it's pretty cool um we have some people saying thank you and they're loving the talk i asked the question so i'm i'm gonna ask it now and then maybe we'll we'll close it so um mentor mentee relationship so you mentioned your frameworks some other things they're very um self-empowering and self-focused steps and things that's pretty clear but maybe can you maybe translate some of those into the mentor mentee relationship if uh if we wanted to make that a success

or avoid pitfalls in that in that relationship what are some of the things you would recommend to really get people connected and get the most out of that interaction oh that's easy uh you can apply either exist or easy to the mentor mentee relationship from the exist standpoint it's all about that study like who are the people that you need to talk to that can answer the questions that you have and on the easy side think of it as a service-centric thing as well so what are your requirements from that that person if you're the mentee what is the information you need to know from them in order to to be able to execute on your your stuff

the things that you're doing and then figure out all the stuff that you need to know if i want to get good in x y and z maybe i want to talk to the best practitioners in x y and z who are those people can i talk can i reach them if i can't who are who are the number two number threes and um striving for impact what are the highest leveraged things you can learn because we are so busy now we're in zoomed fatigue all day every day i i probably sit in uh 10 or 11 zooms every day and so you really want to be specific or informative sorry sorry sorry oh sorry no

i'm i apologize yet another zoom here you are no it's all good no i love i love these zooms these zooms are good um it's the zooms where no one's uh getting anything from them that we run into problems um but as long as we're making an impact for people zooms are good but um yeah so being able to strive for impact looking for those those quick things and also getting feedback from your your mentor and then vice versa like understanding what that person needs what what do they need to be good at what it is that you are the expert at what are the things that you need to pull together what are the resources

how can they be the most impactful so really you could use that framework uh both ways from the mentee or mentor relationship i love it um let's see if anybody else has the question we have some people putting some questions in okay um my next question then i had another question and it's a related impact too which is good so if we're talking threat intelligence incident response um it's there's something that has happened and now you're expected to act and maybe your impact is is somewhat measurable right um back to normal really fast maybe it's for example but what if what if your job is make sure nothing happens right that age-old problem where if

you're doing a good job no one sees it right so if you take some of these frameworks or you want to talk to those people and say here's how you get better here's what you can do maybe talk to the people where making an impact um it's not too easy to see what do you say to them that's a great question and what i would say is think about it as uh let's say you're a championship boxer and you don't have a fight for years for some odd reason maybe maybe you got hurt or maybe people are too afraid to fight you what you could do is you can capture all the things that you did in order to

become this pristine boxer what what are all the exercises what are all the workouts all the time that you've put into so looking at uh running uh different war games how many simulations have you run how many uh things have you changed to the security posture of your team to ensure that we're safe how quickly do you remediate vulnerabilities when as they come out so you don't necessarily have to always only highlight cyber security when things [Music] happen from a negative standpoint you could say look at all the improvements we've made over our over the last year and that is where our value comes in because we're quick to respond we're we're ready to to rock when things go bad and that's

how we show our the growth in our programs all right thank you thank you um so there are no new questions here um the discord again has a voice channel called talk q a um if you want to maybe share some comments uh have a little discussion uh drop into there and and and do that it's not as big of a group and maybe you feel more comfortable doing that so thank you for your presentation thank you for the time uh insights um uh thanks for sharing your your links in those books i think someone actually wants you to maybe mention those books in the discord again yep so i can definitely do that