Craps, Clout, and Career Chaos: The Game They Forgot to Explain

craps clout and career chaos.

Thanks all. >> Let's see. Just uh Okay, you guys can hear us, right? >> Test test test. >> Test test test. Okay. So, uh good afternoon or you know if you go by the gambling Vegas slides. I guess maybe I could say good luck. Uh welcome to our presentation on the career side of things called craps clout and career chaos. The game that they forgot to explain. My name is Jake Lurs. I've been in the IT and cyber industry going over 25 years now. I started off on a technical help desk and then worked my way up the ladder. Now I'm currently a CISO for our large Fortune 500 corporation and I've been CISO a couple

times over at this point. I'm really happy today to be with my friend and industry peer Nicole Beckwith. >> Hey everybody. Uh nice to be here today. Uh Nicole Beckwith I've been in the industry a lot longer than I like to uh admit sometimes. Right. So, for those of you who are nerds and have been around a while, um, to put it into perspective, my, uh, first computer was a Tandy 1000 from Radio Shack. So, we'll just leave it there, right? Um, so, right. Yeah. If you know what Tandy is or Radio Shack, you're in the right spot. Um, yeah. So, uh, we're not going to talk about corporate buzzwords or talk about, um, the latest zero day exploit today. So,

what we're here to talk to you about is, you know, something that's a lot more chaotic, right? Your cyber security career. So, we're going to walk through some personal stories of ours, dig into some tips and some tricks that we wish that we would have known before we got to this point in our career. >> Yeah. I mean, the whole point of this particular session, as Nicole said, it's not on the technical side of things. It's got to be more on the soft skills side of things. So, like if you've ever felt that your career is a bit stuck, if you're ever tired of the long hours of jumping around from fire to fire, putting out this dumpster fire or that

dumpster fire, but more importantly, you feel like you're not being seen. That's really what this session is about. >> Yeah. So, we've both navigated the unpredictable waters of, you know, security operations. We've fought the battles in the boardroom and now we really just want to um give our opinions and advice to you all. So, uh, you know, we're going to share our wins, our losses, and we've all had those days where you just throw your hands in the air and say, "What the heck just happened, right?" So, we're going to talk through some of that. >> And definitely also interested at the end of the presentation, we'll take some questions, but interested in your perspective. See if some of these things

kind of hit home, resonate with you. >> Um, the I will be just completely transparent about it. These slides were generated by Genai. Although they're fun and fantastic, there are definitely spelling mistakes. Yes, we're aware. We were gonna take some blow pops and throw them out to people that actually reference the spelling mistakes, but they're out there. So, but anyhow, we're here to have some fun. Uh let's go ahead and kick off. >> Yep. So, the first uh lesson we want to talk through is speak human, not jargon. So, this is one that we've all, you know, uh witnessed, we've probably done ourselves, right? Um, I used to pride myself on the ability to explain

concepts, uh, you know, deep dive into the technical using 16 different acronyms. Um, you know, referencing a MITER attack framework or some threat matrix, right? But then, uh, I would get the blank stars back at me like, what the heck are you talking about? Um, and it wasn't until I I was a little bit later in my career that I realized that perfectly explained or what I thought was being perfectly explained was not perfectly understood by my audience. I was just, you know, throwing stuff out there expecting that people were going to understand what I was talking about. >> And there's a reason that this slide is kind of the first in the presentation and that is because it is key. It's a

fundamental key to everything that you do in your career. You have to make sure that you are understood depending on who your audience is. If the board can't understand what you're trying to tell them as a cyber security leader, they're not going to fund you. So, I can walk into a senior leadership meeting. I can walk into an audit committee or board of directors meeting and throw out threeletter acronyms or four-letter acronyms. I can start talking about multifactor authentication or MDR, MFA, start talking about TPRM. But if I don't explain that TPRM means third-party risk management, but more importantly, I don't explain from a business context what thirdparty risk management is and how important that is to the

organization. My leaders, the the board, they won't fund my program. >> Yeah. And if you're not funded, your security program isn't going to move forward, right? So the lesson here is clear is better than clever. You really have to understand your audience. Whether it's a an industry peer, whether it's the seauite, you need to know where their technical abilities lie, right? And as Jake said, even if they are technical, you still need to understand or and explain the what and the why so that they understand what you're talking about. So, um, you know, really knowing your audience is key here. So, going into the next lesson, we're going to talk about showing your work strategically. So I remember early on in

my career I would send out you know these exhaustive reports. I thought I was being incredibly detailed. I would you know have these charts and graphs and send out a 47 slide deck where I would you know work tirelessly on for days. And I thought that I was really excited about this report, right? And I thought that everybody was going to see how much work I had put into this project and they were going to see the return on investment that I had provided. Um, but again, I wasn't get the getting the feedback. So, I wasn't getting emails back. I wasn't getting the excitement. I was excited about this, but didn't understand why others weren't excited about this. Right. Um,

so from my perspective, it was just frustrating to me to not get that back. >> Yeah. And I actually meant to ask a question to kind of start off this session, but a quick show of hands, like who is on the individual contributor side of the house and then who's kind of more on the leadership management side of the house? Okay, we can kind of tailor our presentation around either side, but it looks like we have a good mix of both. On the leadership side, when somebody sends me a 10-page report or they send me a 47 point slide deck presentation, I know a lot of effort went into that, but candidly, I'm not going to read it.

I'm not going to go through all 47 slides. I mean, it has to be extremely extremely important for me to take the time to do that. And it's not because I don't value the effort and the work that went into that. It's just I don't have that amount of time in order to consume the point, right? So, what I learned early on as I'm trying to communicate something that's important upwards, I might write a 10-page report. There might be an incident that requires a 10-page report, but I'm going to start off that report with a maximum one-page executive summary. Even better, if I can condense it down into two paragraphs, that's a win. A key a critical component of the career

path for me was learning that I needed to be good and be better at summarization. So when I'm talking with my audit committee or I'm talking with my senior leadership team, there are really three things that I only ever need to convey. What is the issue at hand? Why is that important to them? And then what do I need from them? Am I seeking more funding? Do I need them to make a decision point or something? Or is this more for just awareness? I might give them that 10, 15, 50 page report on the back end that says, "Hey, if you're super interested, here are all the details. Dig into it." But as long as I

can convey that upfront, give them that what we call the bluff, the bottom line up front, I'm going to make sure that I get their buy in more easily and that my message is easily understood and easily consumed. >> Yeah. So, one of the pivotal points in my career and learning this lesson was, you know, I had put together one of those long reports and when I was preparing to present to our executive leadership, the person that I was working with was like, "No, no, this is not going to work. we need like two paragraphs tops. Well, I had like 14 pages, right? It was a big project and all the different budgets and line items

and why we needed it was all in there and he threw up co-pilot and threw my entire document into co-pilot and it summarized it in like two paragraphs. And I'm like, there is no way it conveyed everything in this document in those two paragraphs, right? And so I was a little disappointed. Um, but what I realized was those two paragraphs really is all an executive needs to make that decision or it should be, right? Um, it's all the other stuff behind it that maybe if they want to dig into later, they can. >> Yeah. I mean, the lesson here that we have on the screen is that visibility doesn't equal verbosity. And I think what we're trying to convey here is that

we understand that there are times within the career where you're just not getting that feedback from your senior leadership team, even though you're putting an extreme amount of effort into it. take a moment to kind of self-reflect and say, "Am I giving my leadership too much information to the point where maybe they don't understand the technical details and I could be a little bit more concise in what I'm trying to give them. So the next lesson we want to talk about is bring solutions, not problems." So again, there were times early in my career where I thought I was being really helpful, right? And I would bring some problem that I had found or some

gap or or issue to my leadership and I would basically throw it on their desk and say, "Here's a problem." And I expected them to magically fix it, right? Like I was just going to walk off. It was their problem. Now I had said what I needed to say and just moved on. But now being a leader myself and having people do that to me, I realize I was probably being incredibly annoying and um you know wasn't offering a whole lot of assistance to my leadership. >> Yeah, I think this is a point that probably everyone in the room has already heard of at at some point in their career. We don't need more problems, but we definitely need more of

those individuals that are out there trying to find a solution for the problems that they're the ones to identify. Sure, leaders need to be aware of the problems, but we don't want to be kind of put on notice to fix the problems. That's where we're really looking for those solutionizers, so to speak. And solutions are sometimes rare, as the lesson says here, you know, to identify the individuals in the organization that will take the initiative to solve those problems. We need people that are going to help us. You know, you need to be able to uh stand up, find the solution, help your leaders so that they don't have to make a decision. We all have a lot of problems. We all

have a lot of daily tasks that we're jumping from. We're multitasking like crazy. >> I don't need another problem dumped onto my desk. >> So, you're expecting your team to be empowered enough to give you a solution, right? >> Yeah. And that actually dubtales nicely into our next slide. Yeah. So, don't wait for permission to lead. I think that in my experience throughout my career, a lot of the people on my teams didn't realize, and that's probably on me, the level of empowerment that they had. We're looking again for people to find the solutions. And typically, it's going to be that person that doesn't even have the title, but has that natural ability to be just a natural leader. Uh the type

of person that others will look up to. >> Yeah. So, a quick story um for myself. There was a moment where I was trying to provide return on investment for building a threat intelligence team. We had been sending out, you know, executive summaries and and notices to to senior leaders and we were getting good buy in there, right? But we really needed to prove ourselves more. And um it just so happened that during the Russia Ukraine the start of that war um I knew and and the team knew that we were going to be asked to provide value and a summary on one what was happening what the um impact was going to be for

the company and we would probably be asked to to give that in the next day. Right? So we stayed up overnight. We created this beautiful report. We gave the bluff the bottom line up front, right? The summary. And sure enough, it wasn't even 8:00. we were going to send it out 8 am the next morning. I was already getting pinged at like 6 am by senior leaders asking like, "Hey, can you give us a summary on this? Luckily, we had already come up with that, right?" And so that was probably the the key catalyst for the team on uh building our our what is now threat intelligence team um that I happen to lead. >> Yeah. So because Nicole took the lead,

she identified that there was a need, she stood up the team behind her to satisfy that need. Now she's in a position where she's actually leading that threat intelligence team. And that's also a key point or a key takeaway from this slide. When I'm looking, if I have a new or an open position and I'm looking to fill that with the leader, I'm not going to promote the individual contributor that hasn't just stood up without being prompted to, without being tapped on the shoulder. if they stood up and they took the initiative to actually do the work and take the lead on something, they're the ones that are going to be shortlisted for that next role.

>> So Jake, if you had two options, you're a CISO and you had, you know, one person who brought, you know, from the previous slide brought you 10 problems and then you have another individual that brought you problem solution and you see them take the initiative, which one are you going to promote? >> Yeah. So, um I think there's two answers to that particular question, but I didn't ask this question. Is there anybody in the room that has an internal audit team? Okay. So, you all probably work mostly for public companies. Is there anybody in the room that works for internal audit? Okay. Then I will tamper this response. [laughter] Our internal audit partners, and I will

call them that because there is a definite need, tend to bring us a lot of problems. They're they're helping to identify those technical controls that aren't working exactly quite right. So, if I had somebody on my team that was bringing me problems all day and not solutions, I would probably identify that person as a high performer for an internal audit team that's not on my team, you know. But if I identify somebody that's really taking the lead to find a solution to my problems, those are the ones that I'm going to come up. >> Yeah, absolutely. All right. So, I >> think you skipped >> I skipped a slide. There we go. All right. So, next uh lesson, and this

is a big one, and one that we have to continually remind ourselves over and over, you need to learn the business and the risk, not just the tech. So, for me, early on, you know, as an individual contributor and even now in leadership, um especially in cyber security, we tend to be really focused on mitigating risk, right? Um, so you know, there's a a CBE that comes out, there's a a problem, you want to fix that problem, right? And we're really uh myobic on, you know, good versus bad, and we want to mitigate that risk. So, you know, being on the operations side, um, you know, think about incident response or think about the CVES or vulnerability management

that comes out, right? You know, if there's a a CVE classified as a nine or a 10, you really want to mitigate that risk. Your first response is we need to go patch this system, right? But what we don't think about oftent times is how that's going to impact the company. Is it going to affect operations? If we have to take systems offline to patch that, how is it going to impact the company overall? Is it going to, you know, cost revenue? Is it going to cost, you know, engineering hours and time? So really learning the risk behind the technology and partnering with those other, you know, uh, teams and the business is really key here.

Yeah, I mean there are so many different ways that we could go with this particular slide, but I think it comes down to this. Cyber security is a business function, right? In order to be a business enabler, you as individuals, we as cyber individuals, cyber practitioners, cyber leaders, we need to understand what our business is first. If you work for a public company, the easiest way you can do that is to go out to the SEC and read your company's 10K filing. That will tell you what market you're in, who your customers are, how you service those customers, and how your company generates revenue. Again, understanding that cyber is a business function. Uh you want to

understand that cyber security risk is just one component, one small slice of that overall business risk pie, the enterprise risk pie. And the cyber risk to your business leaders probably is nowhere near as important as say what's the latest acquisition that we're trying to go for. Yeah absolutely. >> All right, >> moving on. We're going to pivot a little bit in our concepts here on the next few slides. The title of this one is to be coachable and not defensive. So, I was super guilty of this early in my career, and I'm sure I'm not the only one. Um, whenever somebody would give me a compliment as a feedback early in my career, I thought they were kind of

patronizing, right? And then whenever somebody would criticize and give that constructive criticism, I took it as a personal attack. I thought I was the best. I knew everything, but again, we have some Dunning Krueger kind of going on at that point. It wasn't until I had a leader tell me, "Hey, listen to what I'm trying to tell you, not the actual words that are coming out of my mouth." It wasn't until I got my ego out of the way, so to speak, that I was able to take constructive feedback that I was able to actually personally grow from it. Yeah. So, if you're not able to take that constructive feedback, you're not able to grow is essentially what Jake's

saying here. And as a leader, if I'm coaching somebody over and over again and I'm realizing that they're not taking that feedback and they're not trying to adapt and change, at some point I'm just going to stop giving feedback, right? Because our time is too valuable to waste on somebody that's not going to um take that and try and learn and grow from it. On the flip side, so for me personally, and my boss is in the room today, I ask every one-on-one for him to give me constructive feedback, right? And sometimes he has something, sometimes he doesn't. Sometimes I get the same feedback over and over again, which is my key to, you know, hey, you

didn't listen the first time, maybe you need to hear this again, right? Um, so for that feedback, and it goes both ways, too. Like you can take feedback, but it's also good to give feedback to your leadership as well. Yep. >> So, the the lesson here is feedback is a gift and growth starts where ego ends. And it really is about getting your ego out of the way. Um, none of us like to hear feedback, right? Sometimes, like Jake said, you take it personally. Um, or you're just misunderstanding the intent. As leaders, we are are taught to to give you feedback. We're taught to ask those leading questions. So, a lot of times if your leadership is giving

you a leading question or asking you in a different way, they really are trying to help you grow. And I know it's a novel concept, but we really do want to see you succeed, right? >> Yeah. Great points. >> So, this ties into the next lesson, and this is one that's near and dear to my heart and one that, you know, I have to work on consistently, we all do, which is build allies, not just a network. So for me um whenever I start a new team or go into a new company my first focus is on understanding uh the network internally externally who are my partners who do I need to work with some

of the first teams that I partner with are going to be legal HR our internal audit team or compliance team right those are the teams that you really need day in and day out to help you do your job and then secondly like you know focusing on building a network is great but understanding building allies is even better. So within those contacts and that network, you want to identify key individuals that you want to take out to coffee or to lunch or you really want to focus on that trust in that partnership at a higher level than just a connection. >> Yeah, I think it's pretty well known at this point that the importance of

networking. Like I was late to the game to try to build a network. Um, but I definitely had those roles where I found it was a lot easier if I had crossf functional allies that were kind of more horizontal in my organization that I was able to get things done. I was able to be more successful. Uh, one anecdote of this in a role a couple jobs back I worked for a shared services umbrella organization that was over these 13 rank one multi-billion dollar organizations in their own right. They all had their cyber teams. They all had their IT teams. They all had their operations teams. But my role at the shared services was to say, "Hey, we're as an example, we

want to replace all of our Cisco firewalls with Palo Alto firewalls." So that meant that I had to convince 13 CISOs that it was a great idea to do it, secure idea, convince 13 CIOS to somehow pay for it and then work with dozens or even hundreds of country and local managers to make it happen. It took a long time to figure out that that wasn't actually my job. My job became a lot simpler once I figured out I needed to make friends with three of the CISOs and convince them that it was a good idea so that when they went and sat down and had dinner with the other 10 CISOs, they could be my advocate.

They could help me succeed on whatever that initiative was. I didn't get I didn't need 13 CIOS to agree to buy in on it. Let me get two, you know, let them sit down over some type of board meeting and be like, "Hey, Jake's trying to push this initiative that's coming top down. I didn't really want to do it. If I can get those two to agree on it, there's a little table cross talk that starts happening, then they start buying in. That made my job a lot easier and made burnout less likely. >> Yeah. So, I I I want to push on that topic of, you know, building your network with your peers. We tend to

focus on going upwards, right? in building our our allies upwards, but at the end of the day, the folks that are in the foxhole with you and are really building those projects and doing the work are your industry peers and peers across your your company. So, building that network is also key and we tend to neglect those relationships quite a bit. >> When you come into an organization, right, it's very quickly to easily identify who you have some common ground with. You know, who is basically an ally out the gate, right? as as you say the people in the foxhole but I always like say these are my ride or die folks those are the ones that the relationships are

easy but it's the ones that maybe you have some just like natural conflict with the ones that you don't get along super well with in the beginning those are the ones where you need to establish and nurture a relationship you know that to your point earlier you know maybe invite them out for coffee take them out for lunch try and find out what their family or or kid situation is about trying to find that common ground once you're able to do that and you can start building the allies. >> Yep. And speaking of battles in foxholes, so choose your battles and know when to fold. Uh trust me, I have picked the wrong hill to die on more

times than I'm willing to to admit to. Um you know, early on in in my career, it was one of those things and and we've all done it, right? Where we think that our cause or our issue or our project is the most important project. And so when we go to leadership and we're trying to get buy in, we are pushing, we're trying to succeed, right? But we forget uh often painfully and and find this in painful lessons that we're we're harming those relationships as we go and we're killing political capital. And a little bit of a spoiler alert here, neither of those grow on trees, right? You have to work on your relationships and your

trust and you have to earn that political capital. And it's kind of like PTO days. You know, you build it over the year and then it's gone before you know it, right? And you can spend it really quickly. I really like on this slide how there's a little call out that says energy is currency. You know, that's definitely can't be any more true than that. Some fights just simply aren't worth the political capital or the energy you have to expend to win. In my uh scenario earlier where I was talking about the 13 CSOS and 13 CIOS, I would wake up in the morning, I'd put my suit on and I knew that I was going to fight for whatever

this initiative was for the next eight hours, 10 hours, 12 hours going into the evening. I would think of that suit in the morning as kind of like my battle suit, my battle armor. And it was exhausting, right? After a period of years, it almost led to burnout. That's why to go backslide, the relationships are so important. There are times when, yeah, that fight is necessary. Like that initiative has to be won and you have to go toe-to-toe with somebody that doesn't necessarily agree with you. You got to win them over. There are other times when it's a bit cliche to say, but you don't really need to sweat the small stuff. There are a lot of small problems

that if they're not your top priority, you put them over into this corner, they normally don't bubble back up. Like they somehow automatically solve themselves. Like I don't have to actually worry about it. It's being able to understand and identify what are the big ones that are actually needle movers that I want to invest my time. I want to burn a little bit of my political capital in. I want to waste a lot of my energy on. Those are the important ones. So Jake here, so what happens if all of your direct reports come to you and they believe that their problem is the best problem or the biggest problem? What do you do in that situation?

>> So I think it's every leader's opportunity to acknowledge whoever's coming to them with a problem that yeah, we understand that that problem is important to you. Then that problem is like probably your number one initiative, number one issue. But I I try to take some time to show them at least maybe more complete fuller picture of all the other problems that the team is dealing with that the company's dealing with and help them understand that that's just a little slice of everything. >> So showing them the bigger picture, some education, some feedback there, right? And making sure that they understand the bigger umbrella. And this for you um if you are coming to your leader with a an

issue and you think that your battle is the biggest, this is also an opportunity for you, right? If your leadership says like, "Hey, this isn't the most important issue. We have three issues that are our top priority for this quarter or this, you know, sprint." That's your chance to say, "Hey, that's great. These are great opportunities. How do I get plugged into those and how can my team help?" Right? All right. So, going on to the next story. Um, you know, this one again near and dear to my heart. Uh, bet on yourself. Show of hands. How many people in here have ever had imposttor syndrome or thought that they weren't good enough? Yeah, exactly. We've all been there. Um,

so one of the things that I I like to reference uh during this slide is um think about that job posting that you saw that you really wanted, right? And you looked at all the skills and the qualifications and you're like, "O man, I might have 30% or 50% or 70% of those." And you think to yourself, "I'm not good enough. I'm not going to apply for this role or this position. In reality, you know, you are good enough and you probably have more than enough qualifications. So, for me, on one example, it was exactly that. I wanted this job really badly. Um, looked at the the job posting. I'm like, there's no way I'm going to get this. Maybe I was

70% qualified, if that. But I decided to take a chance on myself, to bet on myself. I applied for the role and I ended up getting it anyway. Um, so you have to take that leap of faith. >> Yeah. I mean, honestly, like 70% I think is a little bit high, but I think that's kind of the guidance that you're going to get from some of your career counselors and your your job head hunters, that type of thing. But, um, I've never had 100% confidence that I was going to get the role. I've never been 70% qualified in any role that I've ever tried to achieve. In fact, early on in my career, I identified this role

that was open that I wanted to apply for, but I figured I was probably only about 50% there. Um, I had a friend of mine, a colleague, a peer of mine at the time say, "Well, go ahead and apply." I'm like, "But I won't get it." They're like, "I won't succeed." And he's like, "Well, Jake, look at yourself. You've been successful in everything that you've ever tried before, and you've always been uncomfortable on that first day of the new job because you weren't sure that you were going to succeed. You have to believe in yourself. You have to believe that if I if I get this role, I know that I'm going to do everything.

I'm going to move heaven and earth to make sure that I'm successful in that role. So, if you believe in yourself, if you understand that you are good enough, you will likely hopefully get the role. Um, >> yeah. So, Jake, you're a CISO. I'm a senior manager. Uh, you know, we both are uncomfortable in a lot of situations. Are you comfortable speaking on this stage right now? Yeah, obviously you can tell that was a loaded question. I'm not comfortable speaking on the stage. Um, but the reason that I do it is because at some point I I've I well, let me start over. The reason that I do it is I've recognized that's a personal

deficiency and I want to get better at it, right? But at some point down the road I want to speak at a larger conference and perhaps maybe even do a keynote somewhere someday. So in order to do that, I put myself out there in front of all kinds of audiences. I'm talking all the time. I'm leading panel sessions. I'm hosting dinners. I'm trying to get out there to get more comfortable because I believe that I can, right? And I know that I'm going to going to succeed in that. >> Yeah. And it's a little cliche, but you hear the saying, you know, be comfortable with being uncomfortable. And that's so true. Um, you know, I

speak all the time, but every time before I get on the stage, I get butterflies. I'm I have butterflies on the stage, right? We all second guessess ourselves and and you know, have that imposttor syndrome. But that's okay. It's okay to have that. And it's okay to continue to do the things that make you uncomfortable. Um, and as the lesson says here, growth happens outside your comfort zone. So, um, you know, test yourself. It's the best way to grow. >> If you take on a new job and you're 50% qualified for it, you have the imposter syndrome. You're 70% qualified for it, you have that imposter syndrome, you're going it's going to be a lot, right?

It's going to be a lot in the beginning. You're going to have new people that you're meeting, new parts of a program that you're building, new new processes, new technology that you're unfamiliar with, and it's going to be a lot. You have to understand that you have to be uncomfort. You have to be comfortable being uncomfortable. But it's only going to be a a lot until it isn't. There will be some random Tuesday when all of a sudden you wake up and you're like, "Yeah, this job is easy. I've got this nailed." You're at that 100% comfort level. That's when you need to be like, "Okay, what's what's next? What else can I do?" you know, you've reached that

that period in life where you're like, "Okay, maybe it's time to jump on to volunteer for something else." >> Yeah, absolutely. All right, so this leads us into our next lesson. >> Yeah. Which is don't just survive, build something that lasts. There's a small spelling issue on this one, but the point being is that as you're progressing through your career, if you're in a leadership role as well, and you've built a program, you've built the processes, you've built a team, but you can't take a day of PTO without the whole thing crashing down. You haven't actually built anything. You haven't built that team, you haven't built that program. You've built a trap for your organization.

>> Yeah. So, I used to be that hero. I used to be the one that would jump in and um volunteer for everything that got thrown my way. I wanted to be the person that solved the problems. But what I realized really quickly was I was stressed. I was overworked and I was getting burned out really quickly. So I wasn't building a sustainable system, right? I was building a reliance on myself. And it sounds backwards, but the whole point in building a high performing team is so they need you less. Um, you know, you want your team to be able to get those wins without you. And it may feel good in the moment to solve those problems,

but I can tell you what feels even better is seeing your team get those wins. >> Yeah. I mean, it's also cliche to say, but you want to work yourself out of a job, right? I want to move up at some point. I want to be comfortable that I'm going to have somebody from my team that's willing to step in and is able to step in and succeed. But beyond that, I think there's sometimes a perception among cyber leaders where um they want their leadership to understand how valuable they are. So they're kind of comfortable like boss, I have to be there. I have to be involved otherwise it's not going to go well. And from my

seat, I see that as like no, no, you're failing and I'm failing that allowing you to fail. Like you need to be able to step away and your program should last. And if you've done that, then I know that you you're a good leader. You've taught your team the right things. they can respond without you being there. >> Yeah. And learning to delegate tasks, right? So, um you know, being as handsoff on the keyboard as humanly possible, right? And giving those delegating those tasks to your team. You want your team to be able to solve those problems so that you can focus on the larger strategy while they're focused on the technical and day-to-day operations.

>> You know, I uh I remember my first role without admin credentials and that was that was that was a hurtful day. That one hurt. Yeah. Yeah, I I I feel that. Um, so you know the lesson here is sustainability trumps martyrdom and you know you really need to focus on the processes and the people and the technology behind you know uh what you do so that you can build a legacy. Um, you know, your legacy in cyber security isn't about what you accomplished, but about how you enabled other people to accomplish things and leaving the organization stronger, right? >> Yeah, exactly. >> All right. And then our final slide of the afternoon here is uh you have to

acknowledge that you need to be willing to play the long game. Um, a cyber career, you're not, let's say you start in GRC, you're probably not going to retire while you're in GRC. Hopefully not. Hopefully, you have that internal passion to want to learn as much as possible because it and cyber security, they're both careers that require lifelong learning. You know, it takes uh it takes a passion within you to be able to do that. You might get some quick wins like you see up on the slide there, but those quick wins are lowanging fruit to what should be a really long and wellestablished career. >> Yeah. So, playing the long game takes patience, right? And it takes intention.

So, all of the lessons that we've talked about today, they don't come overnight. You have to work at them and that's okay. You have to think past the promotion. You have to think past the next incident response to be able to see that larger picture. And that's how you play the game that they forgot to explain. >> All right. So, with that, >> so yeah, we're almost done. We we've covered a lot of ground today. Um, we talked a little bit more about the soft skills side of things, how you need to be able to get good at summarizing important events, break it down to those three things, you know, like what's the issue at hand, what do I want people to

know, what what do I need from them? >> Yeah. So, with this, you know, um, like I said, playing the long game takes patience. Uh, we've obviously covered a lot of stuff here today, and we want you to remember that your career growth isn't just about your technical prowess. It's really about those relationships and that political capital and the communication and the influence that you might have internal and external. >> Okay. >> Um we are going to answer questions now. So I know you're going to walk around with a mic. Um we will be around for the resume reviews afterwards as well and and we'll stick around if you have questions that you don't want to ask uh

on the mic.

Okay. Um, is this thing working? Okay. >> Okay. Oh god, I should I'm usually I'm usually pretty loud. Um, so you mentioned something I thought was kind of interesting about like, well, if you're trying to apply for a role and maybe you only cover like 70 or or 50 or 70% of the qualifications, you should do it anyway. But of course, there's always what what I hear from other career counselors is like, "No, you need to match up 100% otherwise they're not going to even look at your resume." And you guys are saying, "Well, because I I kind I tend to trust you because you're the ones actually doing the hiring." Yeah. >> As opposed to somebody who's just like a

consultant trying to tell us lowly engineers how to like get our, you know, make our next step. So, I just wanted to point that out. >> I appreciate that. And I think um you're you're right. they're they probably have an agenda. Um, but if you can get past the ATS, that applicant tracking system that says that I need to match 100% up on the qualifications, then from my seat as a hiring manager, hiring executive, I'm not looking for that unicorn that matches up 100% completely. I'm looking for somebody that can match a lot of the qualifications, but also has that passion to that can convey a story of why they want to do the role.

>> Yeah, same. So when I'm looking to hire, I'm not looking for the person that has 100% of the skills because listen, what we do is not rocket science, right? I can teach anything to anybody. So as long as you have that drive and the desire to learn, that's what I'm looking for more so than anything else. >> Any other questions? [clears throat] >> All right. Well, thank you all. We appreciate it. >> Thanks everyone.