AJ Leece

BSides Calgary, 35:17, 26 views, published 2024-03

"Those who know, do. Those who understand, teach." When I was teaching, this really hit home, because I had to know enough about what I was teaching to be able to advise students who'd never seen the content before. But most of the time I just felt like this guy, kind of making it up as I went along. There is enough time and distance between my students graduating, becoming successful, and their educational journeys wrapping up that I can admit most of the time I was one or two lessons ahead of them. That's about all it was, and that's not because I didn't know the material. It was because there's so much material to cover in security that you can't possibly hope to learn it all. So you have to be able to go back and be okay with learning again, starting from the fundamentals again, building up that foundation again, enough to get to a point where somebody else who's never seen it feels comfortable asking you the questions that they need. More importantly, you yourself have to be comfortable in saying, "I don't actually know the answer, I'll go get it for you," and being okay with that. Next slide, please.

Okay, so there's a bunch of stuff that comes from this. So in winter 2020, I needed a plan to keep up attendance, both for my sake and for my students', because I wanted to go start my weekend early even though I was teaching, and you know, weekends are a little bit different when you're an adjunct instructor. But keeping students in seats at this time slot was really tough. Next.

So the PCI standard requires annual tabletop testing. I'm sure if you haven't seen that, you likely will encounter it. A lot of organizations in my experience overlooked this. It was, "oh yeah, we'll test the incident response plan later," or "oh yeah, we had an incident, you know, we tested it then." But there wasn't really a lot of structure around it, and because I had the time and I didn't have any auditors asking for anything of this: let's have a tabletop, right? Famous last words. When I'm trying to keep students in the seat, why would I give them something that's likely to repel them, right? So it had to be fun, interesting and engaging. I wanted to do something else a little bit differently. I needed it to scale to 30-plus students, because I think I had about 35 at the time, and the incident response process was largely a mystery at this point in the process. It's a tough nut to crack. Next.

So again, there's enough time and distance between that session that I can admit a good portion of it was heavily improvised. So I walked into that classroom with six very specific outcomes that I wanted to achieve, and I just basically used a handful of dice that was provided by one of the students who had plenty of these d20s laying around, right? Everybody knows one of those. And it was just, you know, the ravings of a lunatic in front of a whiteboard teaching incident response, making some of it up as we went along. But what really happened was quite interesting. Next slide for me, please.

What I found was all of my students came to that session, every single one, at a tough time slot in a windowless basement, and they all showed up. They learned a lot of the concepts very quickly. In fact, some of the students who previously didn't show a lot of aptitude and interest in a lot of the material were asking me questions I would expect from the executive suite post-incident: what did this cost, how do we prevent this next time, how did this happen. All of this really interesting information that basically I hadn't expected to hear afterwards. But we got a look at how the incident response process plays out in a very specific and pragmatic fashion, from start to finish, in two hours, so it didn't really take very long. And I actually found that a lot of my students took those concepts with them into their businesses, because I'm hearing from

those students who played the games, and they went, "I remember that, and I brought it into the workplace." All right, it's time to do something cool with this. Next slide for me.

So I once worked with this sales manager, I guess we'll call him. He was a manager who also sold, so it was a little bit of a mixed hat. Next semester I had... so the original plan was actually to present the incoherent ramblings of a lunatic at BSides 2020, but there's a very significant pandemic going around, everything was locked down, so I had nothing but time to sit and do something else. But I was still teaching, but all of teaching went remote, and I had a lot of other issues that really I hadn't evaluated before. Most notably, I was teaching PCI. That wasn't really a problem, but a traditional midterm wasn't an option, because I had mature students who were now time-sharing their technology with their children who were going to school at the same time. So to expect them to log on, regurgitate a bunch of answers onto two pieces of paper in hopes that they learn something just wasn't feasible. It's not the way I want to spend my time. So I needed something that actually worked, got to the heart of what we were going to do, the core components of the class, and would give them something that they could take with them that was lasting and meaningful. Next slide, please.

So I said we were going to have an incident. The students had this incident, so we went through the first one, and that was the first kind of virtual representation of it. It was a handful of Excel sheets, a handful of reference sheets. We were all kind of fumbling with what to do, including myself to some degree. But a lot of what I had done as far as the catastrophic failures were largely improvised in the moment, so I actually had to write some of them down, because I wanted to remember them. They were quite interesting. But the abilities I found were actually better served as information about the skills that you need for incident response, and they also kind of made a little bit of light of some of the stories of my career. So it was a way to kind of inspire conversation and get some of that interesting creative energy flowing in the room at the same time.

Next slide. So the reason why this was significant was, instead of a traditional midterm, the students got an incident and they had to take home the report. And the reality of it was, this was assigned on a Thursday and I needed it by Monday, 9:00 a.m., because my auditors in London were going to lay an egg otherwise. So it was, you know, as real as business gets, right? There was an incident, we didn't predict it, and now we have to write the report and get it done. But what happened was they turned in excellent work. Some of those reports are actually really high quality. I would use them to embarrass professionals in the industry doing this for longer than I have. Really, really quality work came from a very short period of time, because the foundation for it to grow was provided in a way that worked with the students, their lives and the chaos that was around at the time. Because I was flexible on what I needed to see but very specific on the deadlines, gave them the tips and made it real, as in, you can share your notes, but you all have to hand in your own report. There was no competition. There was nothing but collaboration between everybody, and that was significant. Next slide.

I didn't look this quote up. I looked up the Aristotle one. I didn't

look this up. I'm guessing Abraham Lincoln said it. So one thing I learned about the whole process was I wanted to be more of a presenter in this concept and less of a game sheet manager, right? Because when I'm switching between Excel sheets trying to figure out where this went and everything else, that doesn't work, it doesn't scale, and there's better ways to do it. Because part of this work was the presentation aspect of it, right? So if you're busy flipping through sheets, you lose a lot of that momentum. So it was time to start building something that could do this work for me.

So I hadn't touched a programming IDE since circa 2013. There were a lot of them out there when I went looking, so it was a bit of, okay, which one do I want to work with? I had spent some time with Java, a little bit of time with C, but all of that had evolved long past what I was doing. So I remembered the programming concepts that I took from school, but I had to reapply them in a way that I understood. I knew some Python from having eked out a few scripts here and there to solve some problems, but more or less it was kind of a mess. But the upside to it is, you know, my wife is a physician and was during the pandemic, so when I wasn't teaching, all I had time to do was drink and worry, so I might as well write some code while I'm at it, right? Which was, you know, kind of like... it was good. It was a good way to take your mind off of things a bit.

But there's a point in time in every aspect of every business, including what I was doing here, where I couldn't just strategize around the problem. There's always a point where you have to just push through. You have to do the work, you have to do the manual labor. I equate it to a basement that we've all been meaning to clean out, because I have a basement I've been meaning to clean out. You can reorganize, you can put up shelves, you can do all of it, but at some point you just have to show up and push through it, and that's what happened here. So from start to finish, including all the learning, all the mistakes, all the mess, all the hassle, is about 400 hours. Next.

So a little about the original version of it. It was entirely web-based, because I was able to push some buttons and host it on a potato chip, so that was genuinely appealing, especially for a remote setting. Object-oriented-ish, but yeah, I'm not much of a coder, so there were plenty of spaghetti incidents, and, you know, poorly optimized, poorly designed, but it worked. And the idea was automated handling for nearly everything, because all I wanted to do was show up with a tool that was ready and just focus on presenting, teaching, learning, the human side of what this was about. Let the computers do the computer work. I wanted to do the human work, and that's what I built here. Next slide.

So there was a bit of automation that went into it, because I'm what I call the productive kind of lazy. If I can get a robot to do my work for me, I'm all about that. The problem is you have to build it, right? You have to build that time, and that takes a lot of effort, but it is worth it. It continues to pay dividends, and I love automation. I would automate everything I possibly could, if I possibly could. But the way that I wanted to build this was, I needed asset inventories, I needed abilities, I needed all of these things to be presentable in-game, and I wanted them to show up, and I wanted them to be flexible in a way that I could build and scale this. So there was a lot of automation that went into actually creating the systems that built the first game in general. So when I walked in with a tool that was ready to go, that all started because of a lot of the

scripting and automation that went into creating the files that it needed in order to run properly. But it worked, it worked really well, and I wanted to keep track of a few things, because I had a feeling that some clients would be, "we have some custom processes and we need to see when this happens," so I had built some of that in anticipation of that showing up. Next slide. Next. Yeah, there we go.

So at BSides 2020, when we went virtual, this was ready. It was a little bit rough around the edges, but it worked, and the first session went really well. People came in, they played, they had a good time, they learned stuff. I met tons of new people in the process of doing that, and it was an excellent way to contribute to an excellent conference that has done so much good for the ecosystem in the city. The really nice thing about it was it was designed virtually, so now remote teams, remote conferences, this was all ready to go. The in-person version actually would have been worse than what I had built. So in essence, seizing an opportunity at a time when it can be really difficult to do that actually accelerated everything considerably. Next slide.

So yeah, where it started: the incoherent ramblings of a lunatic. Where it went: this is the first version of it. Again, you can tell it's a little rough, right? There's, you know, buttons. They all pushed, they all did something, but it certainly wasn't as nice as I wanted it to be. And the new iteration of it: way more robust, way more features, way more functionality. I can get really groovy with a lot of your incident response plan with the new version of my game. While the current version, it's not even new anymore, it's current, it's rolled into production, right? So that journey was quite significant. Next slide.

"So what?" So this is the one I was looking for. I had an English teacher once upon a time ago, and this was his catchphrase. And so for the first half of the class he would stand up and pontificate about how big food is killing all of us, you know, the big food lobbies. And as I got older I realized, hey, we actually did poison our food supply. That sucks. But, you know, "so what?" He would always ask you that question, and it was never meant to be derogatory, which was kind of weird, because he would ask it in class and we'd always feel like, aren't you paying attention? This was designed to change our programming, in a manner of speaking, because in school, especially in English literature classes, you're taught to regurgitate an opinion about a book, and he didn't want any of that. He wanted to hear what we thought about it. Did it resonate with us? What happened? Why was it relevant? Did you like it? Did you not like it?

So why is this here, right? Because I think the storytelling parts of security are amazing. I think by showcasing that these journeys are possible even in times of great chaos and bizarre situations, it's important to understand that not all stories leave you with something you can take with you. That just doesn't work for me. I want you to take something from this. So while we're all sitting here, just in the back of your heads for now, this is a thought experiment: I want you to think about what your ideal day at work looks like, because I woke up some time ago and realized my generation was never going to retire and I was gonna have to work until I was dead. And I'm okay with the reality of that. That's okay, because there is also some research coming out that says you reach a certain age, stop working, you stop having a reason to do some stuff, it gets a little hard on the mind. So while we're all here, just in the back of your heads, think about what your day at work would look like. Don't imagine the job exists. Ignore that for a second. If you could pick your day at work from a series of things you want to spend your time on, what would that day

look like? Just think about it. Just think about it, keep it in the back of your head as we carry on. So the reason this is all significant... no, so go back, go back, go back. We're going to stay here for a bit.

So the reason this is significant is because this was what happened. I sat down one day and I went, what do I want my day at work to look like? I wanted to spend some time automating the tedious stuff I didn't like. I wanted to have fun. I wanted to do interesting things, meet interesting people, and actually solve the security problems that I've been staring at for the last 10 years. I wanted to do something different, and because I sat down and leaned into that, fortunately I was teaching at the time, and some of that work was coming into orbit organically. I was spending time having fun. I could automate some of that work if I really wanted to. I'd heard tale of instructors that had scripted their marking. I didn't go that far, because I felt that would be a significant disservice. I really liked reading what my students had and giving them that effective feedback, but that was an option. I wanted to meet interesting people. A lot of the people that I met while I was teaching, very interesting students, I'm still in touch with today. They're milling around this conference, seeing them successful, interesting people, right? All of that was amazing, because I sat down and I thought about what I wanted my day at work to look like.

But I never stopped thinking about that, and in late 2020 I realized that teaching was great, but it certainly didn't pay the bills, and I had bills to pay. And I wound up using the game that I had built and the discoveries that came from it as talking points to work my way into an executive position at one of the world's largest banks. They needed somebody in the incident response team. I applied thinking, okay, maybe I'll get in, maybe I won't, it doesn't matter. And the half-hour conversation, 15 minutes of which were about this game that I built and what I taught my students with it, got me through all the rounds to a point where they were giving me decisions. Which, I mean, sure, I don't know that I'd want to belong to a club that would have me as a member, but that's a whole other consideration. But I now had an opportunity to work with some of the smartest security people I'd ever met, and in an organization that was willing to invest heavily in the process, where I had freedom and flexibility to learn, grow and develop, automate more of my work, meet interesting people, learn interesting things and expand my ideas and my growth, because I sat down and I figured out what I wanted that day to look like, and I just kept working towards a job that would get me there.

And then one day in that bank I was given a decision. I can either become a manager for less money, more hours and very little thanks. That was an option. The other option was change teams, learn some new skills, whatever else I had going on. But I picked the third option: do this instead. Because what I was building... I had been building this the whole time that I was working there, a little bit every day, whatever I could muster, keeping in mind that I was still a person. I needed to do things like sleep and have fun and enjoy myself. So a little every day got a lot done in a very short period of time, and by the time I was faced with that decision, I actually had a better plan. I was going to do this instead, because I was having fun automating the tedious parts of my work, meeting interesting people, solving the problems the way that I wanted, the way that I wanted to bring to the industry in a manner that mattered, that I felt was really interesting and really compelling. And I think too often we're told that the way that we have to grow our careers, the way that we have to grow our lives in general, is specific. You get

out of school, you have to go get this job first, you have to go do this first, you have to go do that. And I ran across students with this all the time. "I think I want to be a SOC analyst." Why? "Well, because it's the next natural progression." Yeah, okay, but is it? Let me show you a day in that life. And some of them would go, "that sounds awesome, actually, sign me up." Great, there's all kinds of SOC roles out there for you. But most: "no, that's actually not how I want to spend my time." So let's take a step back. Let's evaluate how you want to spend your time, because it's all you get, right? Money is money. It comes and goes. It's great, I'd love more of it. Nobody ever said, "no, that's too much money, please take it away," right? But time is really all we get. It's all we get to spend our time on. So how do you want to spend that time?

And so that's why I asked you at the beginning here: think about your day at work. Think about it as though that job already exists, because this job didn't exist. All of the things I wanted to do, all of the targets I wanted to hit didn't exist. So I went out and invented it, and did so in a way that was purposeful, in a way that I wanted to do it, in a way that was unconventional. And I've decided to grow the business unconventionally, because it means that I have an opportunity to do something a little unconventional. And it might seem a little bit weird, but at some point I realized one day I'll be dead and none of it will have mattered. And that might sound really defeatist, right? But it actually gave me permission not to worry about what would happen. And that might again seem really like, "cool, good for you," right? Like, the reality of it is you have to build some things. You have to do some stuff that matters to you. Otherwise, what are you spending your time on? Why does any of that matter?

So when you get weird and wonderful with your careers, and weird and wonderful with your hobbies and the things that go outside of it, you draw a lot of very interesting conclusions. Once upon a time ago, I'll finish this article series one day, but I was getting a little bit groovy with the SharePoint Office 365 cloud and I realized, hey, this could take off some of the hassles of gardening for me. And I uploaded and managed some of my gardening from the O365 Power suite, and then I drew conclusions between growing seeds in my yard and information security management, and I presented that to my bosses at the bank. And that made the rounds among senior management, at which point they read it and came back to my boss and said, "are we about to lose AJ?" Because they read it and they said, "this reads like he's angling for some senior management stuff somewhere else." And my boss said, "no, he's got about two or three months before he goes." It was about two or three months, and then I went to do this instead.

And all I had in mind was the typical problems I needed to solve with gardening, which were remembering to plant my seeds, which seems like that's the foundation, right? How could you forget that? Life gets busy. But building that up into some automation and some interesting outcomes with the environment that I was working in created all kinds of new opportunities to see how, yeah, it was just gardening, but the problem solved with the human factor translates between industries, between disciplines. And getting people engaged in a behavior change in an organization, that's what we're all trying to do in security in general. So whether it was me trying to figure out when it was a good time to plant my seeds or trying to convince people that a security program mattered, considering the human factor and everything that I built was everything that I had brought to the table. And by presenting it and talking about it and getting nerdy about the problem and getting creative with

the solutions now offered me an enormous amount of, dare I say, portfolio pieces. So in the event that this whole business idea doesn't work, I now have a lot to show for the time that I spent and what I had learned. And we evaluate a business as successful because it's still here. So we all look at Blockbuster as being an abysmal failure, except it was the rental movie juggernaut at the time when movie rentals were all the rage. They were wildly successful. Times changed, they didn't, they moved on. Not every business has to be here for a thousand years, right? But the reality of the situation is I wanted something that I just enjoyed spending my time on. And when you enjoy spending your time on something, you gravitate towards the people that enjoy spending that time with you. You start to find a lot of the people that want you around, case in point, to talk about these things.

And it's those conversations that show people a little more of what you're about, better than any resume, better than any cover letter, better than anything else you can present that's conventional. Because you walked into a job interview with, "I built a game and it taught this and I did this and it accomplished the following." Any senior security manager is going to go, "that's a demonstrated aptitude of understanding the problem and an attempt to solve it," whereas the resume was "responsible for this, managed that." I want the one who can demonstrate the knowledge that they built. So whatever you're doing, learning needs to be at the core of it, and whatever you learned, applying that knowledge in a way that you care about is the catalyst that you need to start these interesting conversations, to get you into places that maybe you wouldn't have thought you would ever be.

The people I was working with at the bank, if they were giving talks, I would have happily called in sick, whatever I needed to do, to go and sit and have a conversation with them. Every week they were booking calls with me, asking for information about how I can help their security program. It was wild. It was just so wild, right? And it was a very collaborative solution, and I loved working there. I loved being around those people and swimming in a bigger pond and looking for something that actually meant more to me than trying to do it the conventional way.

So with all of that in your head, if you're looking for permission to get a little weird and wonderful with whatever it is that you're looking to do, this is it. This is the conference. This is the place. Did you know you can go crash a train over there? I've never seen a conference where you can crash a train. It's over there. I know the guy that built it. You can tell, because his hair is all crazy, and when these fellows have, you know, hair that looks a little bit weird, you know we're always working on something. Yeah, and you know, this is the place. If it wasn't for BSides allowing information just like this to come into an open community setting, interesting topics, all kinds of things, I would not have the game that I have today. It wouldn't have been anywhere close. But because I was willing to take a chance, and they were willing to take a chance, and the community was willing to be a part of it, all of that gravitated towards something incredible. And I think in our case we're too worried about this. We're too worried about, what if it doesn't work? Well, then so what? At least you learn something. And as long as you're learning, as long as you're growing, as long as you're developing, that's what matters the most. Next slide, please.

All right, so all we have to do is keep talking, right? I love conversations. They're good. Stories are great. Here's how to find me, here's how to get in touch. Whatever you got going on, I'd love to hear it. Just let me know. It's all good. Maybe I'll stand out of the frame. I think there's probably a rule against taking photos with me in them. Just Photoshop a Sasquatch over it or something. Next slide. All right, any questions?

Yeah, yeah, yeah. You heard of Dual Core? Have you ever heard of Dual Core? Oh, go look up Dual Core. Not right now, you can do it whenever, but it doesn't have to be at this second. Yeah, Dual Core was a main staple at every DerbyCon that I went to. Yeah, playing music at security conferences, all about getting nerdy with music. The guy that built the train that crashes kept me in diapers with his music, so you can go talk to him about that too. It'll be all good, I promise. Whatever medium you choose, as long as you spend the time the way you want to and you learn something from it, and you align it to the problems that need to be solved, or that you want to solve, the ones that you're crazy about, you're limited by your imagination and maybe a bit of luck.

Yeah, yep, yeah. You have to showcase what it can offer, and I found that the big struggle was, if it looks too much like a game, you lose the plot. So I've had to tone down some of the games that I built, because they were just a little too stimulating. But if you can align what you're teaching to the outcomes, whether it be within the security program or with whatever you're trying to change behavior-wise in the awareness program, if you can demonstrate that, even in a demo situation, that can have a lasting effect. The other piece of it is, get a small group together. If you have a captive audience of those people somewhere, somebody in that group would be willing to do that. Just start asking the questions: hey, what if we had a game instead of a PowerPoint slide? Some people that are interested, you could set it up. You know, you do a bit of a lunch and learn, right? Like, everybody likes free sandwiches, right? You just sort of create an incentive for people to come, and you solve that captive audience problem, and then you kind of dazzle them with the engagement, the effort that comes on the other side of it. And if that doesn't work, then you can come find me and I'll help out with some of that. Yeah, yeah, yeah.

Yes, yeah. I think what we're seeing now with gamification and everything in the security space, I'm not the only one playing games to handle security problems. I'm not... I'm definitely not doing it in the OT space. But I think it's an excellent primer. It's an excellent way to get people interested and present the material in a way that blends the creative and the logic together, because one of the struggles with learning is, if you're learning in the abstract, I can teach you about how a command line works, I can show you why this matters in the context, but if you aren't learning it in a cohesive way that gets you creative and expanding on that learning, all you're going to do is be really good at using it in this specific form. So I think those of us in the gamification space, we have to be careful, because if we simplify it too much, then we actually lose a lot of the valuable knowledge that would come from having to do it the traditional way. So I don't see it as a replacement. I see it as an incentive to go, okay, I understand how these concepts work in a broad stroke, that's really interesting to me, I'm going to dig into that. And then that's where you start to get a little groovy with the technology and whatever it is you're trying to solve.

So if you're new to this business and you're trying to learn some of these fundamentals, I would say it's an excellent way to figure out some of the basics, but it's going to get you part of the way there. What you do with what you've learned, and how you expand on that learning into the technical space and whatever it is that you find interesting, that's the stuff that's going to help you solve the problems within the business. Because as much as security is serious, it is also lighthearted, so you do have to blend some of that together. But yeah, I would say use it as a catalyst to get you interested in the parts that you are curious about.

Yeah, good.

You know, I would say it's not about how much you enjoy it. I'd say use it as an opportunity to present it, right? So don't wait for it to come up in the conversation, because you will undoubtedly get a question of, "tell me about something innovative you did," "what's something that you learned," "tell me about a problem you solved in a business." And coming fresh out of school you might be a little light on that background, but that capstone, that's practical knowledge applied in a real setting, albeit in a lab environment, but it still solves a problem. So the conversation you have is, "my capstone accomplished the following, and here's how I feel like it solves the problem, and I really enjoyed the work that I'm doing, and outside of school I've since expanded on it with these new additions, this new functionality. I got tired of solving this problem, so I wrote a script that made it for me." That kind of stuff is still applied knowledge in a way that matters to the business. It doesn't have to be games, right? Games are my jam, but if that's not for you, that's cool. If you don't... we all... but if you enjoy your capstone for what it is and you see the problem that it can solve in a business, lean into that problem. If you find it really interesting, there are businesses probably just right out there who would also find your solution very interesting. So just be really unapologetic about talking about it in interviews. I saw a couple questions.

Yeah, yeah, actually the game that's in my arcade cabinet at the booth, SecOps Chaos, is very heavily into the game side of it, less in the security side, but it's a light touch with the security piece as you navigate through. It's a familiar mechanic; most of the students that you would play with at that age are familiar at least with Super Mario or some variation thereof. Those mechanics are identical: you're hopping along, but you're dodging emails. There's security lessons involved, but it's fun, interesting, engaging. But it's tough to get that in a boardroom because it's too far on the game side of it, but it has a little bit more mass appeal, absolutely.

So more of those games are coming, yeah. The idea being I want a wider, more end-user focus, more student-based focus, you know, K to 12, that next step in education as well, because we have attackers that aren't finished primary school yet, so let's start showing them the value of doing this properly. Yeah, and let's do it, let's meet them where they're at, yeah.

I originally went for a diploma in business administration and realized that I should probably do something else, because I didn't really have much of a plan other than "B is for business." And so, okay, it was time to do something else, and they had introduced at Mount Royal a degree that was half business, half IT, the Bachelor of Computer Information Systems. So you got a sample of some of the technology, mostly just heavy programming courses for what that was worth, and the business side of it was a little bit siloed, but the idea was, you know, if you were applying the learning correctly, the stuff you were learning in one class you

could apply to another. So it was half business, half IT at its core, but I've always been really enamored with business; apparently I have had this idea, you know, all these ideas, since I was a kid, so I guess it's one of those things that just sort of came naturally. But yeah, half business, half IT, because it gave me the ability to speak to the business problems with a technology

solution, yeah. I would argue that you can read a textbook all day long, but until you actually show up and get your hands dirty with some of it, you're not actually really learning, you're just memorizing. There you go, so you just hit on it right there. So the way that I got into it in general: when I was in school I knew a guy that needed a guy, so he was working at a managed services provider and his boss came to him and said, "I'd like you to find somebody who can do an incredibly thankless, tedious job for very little money," and I was that guy. But the reality of it, we were sitting in

the interview room and I was having a conversation with my soon-to-be boss, and he said, "I really like what you're about, I'm not even going to interview the rest," and he created a bit of a political firestorm, but that was his headache. But while I was working in that space I was cleaning up a monitoring tool that had been purchased and just kind of abandoned, and so in the process of cleaning it up and getting it to work to the point where we could migrate over to it, I had actually learned so much about infrastructure, so much about corporate IT, about managing systems, computers, customer service to some degree, because you get tickets

coming in and it's like, "hey, this is broken, please fix it," and so getting the requirements and understanding what needed to be done, working with, you know, emergent outage situations in corporate settings. I learned more in four months on that job than I did in the past two years at school. I know that's probably hard to hear for some of the educators in the room, but the reality of the situation is you can learn in a classroom all day long, but until you actually get groovy with the work itself the learning doesn't quite cement. So if you learn best by doing, then get busy. Well, that's fair, that's fair. Any other questions? Oh, we're out of time. Okay, well, we can do

this. I'm going back to my booth at the marcade; if you have any more questions and you want to come hang out, please feel free to do so. Thank you for your time and attention, have a great con.