
...to messing slides up. What are you doing, man? It's part of the recording, you're good, go for it. Yeah. Um.

So people ask me all the time, are you like an agency recruiter, like these people from Aerotek? Or are you like a corporate recruiter, like these people who call me and say, hey, do you want to come work for my company? And I say yes, I'm both. I am somebody who may try to get you to work for my company, or may try to get you to work for one of my clients, but it's all exclusively focused on information security. So I'm a geek. I tend to be something of an apologist for recruiters, in the sense that, forgive them, they know not what they do. I hear a lot of complaints about recruiters, and they are legit, and they make a lot of sense, and they are sincere and worthy. But I also love security, and I'm passionate about security, because I'm a former geek.

No, do I... am I not... for you? What, not for the recording? Put it on for the video? Yeah, put it on for the video, you probably should. Cool.

Um, well, former geek. I used to be the world's worst sysadmin. I was a bad sysadmin because I did not care about the users, because I thought their problems were stupid. Some of you may find this somewhat sympathetic. But I am passionate about doing tech better, and I am passionate about doing security better, and that's why I'm, I like to think, an okay recruiter: because I want there to be better people in these seats, and I want the people in these seats to be happier. And despite the fact that we think, or there's a popular misconception, that there's no unemployment in information security, that it's the safest, sexiest job market out there right now, I wouldn't have a job if all of you were happy. Not all of you are happy. So let's look at that.

This is me, this is who I am. I already covered this. I do stuff for HALOCK, an infosec consultancy, and third parties. I'm a recovering agency recruiter. I'm, I'm highly...
T... is there a guy in the room? Ooh, really? Sorry. Oh, it doesn't matter. What are we doing? Don't do duplicate. Okay. I used to love technology. Oh, 60 Hz. Oh, of course. Oh yeah, much better. Can I start over? Thanks. Wait, how are you? No. So, so I did this. I'm a recovering agency recruiter. I deal with people really effectively. Um, so the reason I... thank you. Oh, that feels good.

Now, the reason I mentioned that is that a lot of the hate that y'all have for recruiters, which I find very understandable, is because of stupid-ass practices. Really stupid practices. And 90% of that is out of agencies, and I'm going to get into that a little bit later. But what you need to know is that this is a practice that has been outsourced. As far as information security, if you didn't already know, you have one of the most desirable skill sets on Earth right now. I'm going to get deeper into that too. But there's a reason this stuff has been outsourced,
there's a reason it's been outsourced to people who appear to you to be idiots, and there's a reason they behave in what appear to be idiotic ways. I'm going to get into that, I'm going to get into what you can do about it, and I'm going to get into how you can be happier at work and/or get jobs that make you happier.

So let's look at the stats. So there's no unemployment in infosec, right? We all know that. The statistics bear this out, sort of. The Bureau of Labor Statistics, a government agency, and I would never doubt anything the government says, says 0.9% infosec unemployment in 2012, as opposed to eight-ish percent nationally. Security workforce in 2012: 52,000. That seems insanely low to me. For perspective, there are 57,000 CISSPs, so, no. And this includes the posers. This includes the people who are like, I can figure out a firewall, so I'm an information security worker. And that's fine, because in a sense they kind of are. But it also speaks to how infosec employment is hard to define. If you're a sysadmin who is really in charge of securing a large-scale server environment, are you an information security professional? If you're an auditor, are you an infosec professional? So hard to define. This is a symptom of newness.

Also for perspective, those web devs we all love to hate: 4.7% unemployment in 2012. I mention this because you remember the bubble days, like late '90s, early 2000s, when it seemed like they couldn't hire enough Java developers, and it was all about the web, it was all about programming. There was an Onion article recently: local dad says those tech guys sure got it made. It's just like that. Well, now it's like that for security. It's not so much about making things now, it's about securing things, and that's probably because they hired so many Java [Laughter] developers. We're looking at 22% more infosec jobs by 2020. So great, this is a growth industry, it's growing, there's going to be a lot more jobs for all y'all. And yet, and yet, not all of you are happy. Time was, your 2000 security job market was like, mm, and now it's like a fucking tyrannosaurus in front of Hiroshima. It's awesome. But I'm sorry, I love looking at this.

So you're all okay, you're all okay, employed. I talk to people all the time, for instance, who are in IT, who are in IT ops, who are network engineers, who are devs, who are sysadmins, who maybe are already in security, and they're like, oh my God, my life sucks. If you're so desirable, why not be happy? Let's look at this. Highly desirable skill sets lead to highly volatile job markets. This is not necessarily a good thing. Everybody
wanting you isn't necessarily a good thing. Here's why. You get money and bidding wars. For those of you who will leave a job for $1 more per hour, it's going to be pretty attractive. I'm not saying I'm immune to this, but yeah, people are paying. From the same highly dubious Bureau of Labor Statistics, average infosec salary is somewhere around 100K. I've seen way more, I've seen considerably less, but that's still pretty nice in an economy where the average anyone's salary is like 40, 50K. It's pretty nice. General IT churn: in any technical field, as technology changes, there's going to be turnover. We've all been through this. Does anyone remember when Solaris skills were desired?

Burnout. Somebody who spoke before me did a really good job talking about this. Information security trades, I like to think of them, are stressful. You are paranoid all day, you are getting screamed at all day, something is always on fire, you are worried all day, a lot of you are on call all the time. This is not normal. It's really not. And you laugh, and what I find amazing is that we have come to accept it as normal. But most people do not accept this as normal, and we shouldn't either. Don't accept this as normal. Most IT ops people don't accept this, or they ceased to a while ago when they realized how valuable they were. Nor should you.

And then, inevitably, working for idiots. We've all been there. And one of the things I hear most often: I don't get buy-in. Management does not... They say I'm critical, they say I've got to prevent fires from starting, they say I've got to put out the fires, and yet they treat me like a mule. They treat me like I'm someone who can function as a machine. They don't understand that we're going to need money, we're going to need time, we're going to need resources in order to create a security program where maybe there's none. I hear it all the time, and I'm seeing nodding. So this is the number one reason I see people move: that you're working for this guy. [Music] Yeah. And you get sick of it. "So, if you can go ahead and create that SIEM architecture..." No. And that's asinine, because you get paid well, people like you, people want you. Why are they treating you like you're just another cognitive machine?

So what do we do if you're unhappy, which I know a lot of us are? First thing you've got to do... I see some, there's a gap, to put it kindly, in infosec résumés, with people who are unbelievably brilliant and shock me with how smart they are, and then how they present themselves on paper. Three big problems. Y'all like to talk a lot about all the technology that's been in this,
the same general office suite as you. I see nouns, like, yeah, I... with SonicWall; yeah, I work for ArcSight. But you don't talk that much about what you did with it, so I don't really know if you're a technician or an architect. You like to do weird things with your résumé, like make them into a race car, or a pretty princess, or a junk drawer, which I'll get into in a minute. And possibly because, as a community, we're a little modest, a little self-effacing, you don't brag enough, and I'm going to talk about that too.

So let's look at some examples of fail. Look at all those tools. God damn, and it's cut off. That is a lot of tools. These are all from real résumés, I'm using with permission, by the way, that I have said to my candidates, hey, your résumé blows, can I use it in my talk? And they're like, yeah. "Wget but no curl." Say again? "Wget but no curl." Yeah. I'm sorry. No, I don't even know. So this is great, this shows me, again, every tool that has ever been in the same office as you, but it doesn't tell me what you've done with it. I don't know, what the hell have you done with Cenzic Hailstorm Pro? What have you done with Impact web module? I'm kind of getting a whiff of what you're able to do, but that's not that interesting to me. If I'm looking for a pentester, if I'm looking for a defender, I want to know about how somebody uses these tools. So there's this tendency to throw tons and tons of tools in this big chunk at the bottom of a résumé, or at the bottom of a work experience. Try not to do that. First of all, I'm not that interested in tools, I'm more interested in capabilities. Second of all, I mean, what is PortSwigger? Somebody talk to me about what they do with PortSwigger. Huh? Not tools. The au... Oh. Oh, cool, great. What do you do with that? Why do I want to pay you to work
with it? You should, right? So this is fail. Um, I got a shrug. You should, for that. So, cool.

Um, your résumé is also not a race car. Once again, this is from an actual real résumé, with permission. "He could have actually tucked the CCNA right under..." Right? Thank you. Because you could have took the CCNA and stuck it right up in the RSA and it would be perfect. I'm a little OCD too, sir, I get that. That failed the layout. First of all, isn't that great? Second of all, if the certs are the best thing about you... I get this all the time: hey, if I get a CEH, does that make me a good hacker? Yes. If I get a CISSP, does that make me good at security? That's like saying, if I douse myself in Axe body spray, will that attract women? Doesn't work. No, absolutely not. Now don't get me wrong, certs are not... yeah, certs are not bad. I don't mind a CEH, I don't mind a CISSP, hell, I don't even mind a Symantec Certified Specialist. Even though I'm... I'm fine with that. I actually dig a CCNA. It means you know something about routing and switching. Cool. But if that's what you lead with, it's like you're leading with a body spray. Or, not to be heteronormative, it's like you're leading with a hideous boob job. It's not good. You don't want to do that. You don't want that to be the best thing about you. You want your skills, what you can do, to be the best thing about you, and that's the first thing I want to see, not this race car [ __ ]. Please. Again, fine if you have certs, love you if you have certs, but don't lead with them. They should not be the best... in fact, so this is fail. I thought Symantec Certified Specialist was a little lonely over there, so I thought I'd...

Résumé is not a pretty princess. Oh my God. I don't know why, but in security specifically, and I used to do general IT recruiting, it sucked, I hated it, I am way better at focusing on
infosec specifically, in infosec you're into, like, weird Cirque du Soleil formatting, and you use weird fonts like Algerian, and a bunch of horizontal lines, and charts. I've seen charts, and it's not necessary. This is... "It's a TrueType font!" [Applause] If you actually said that to me, I might advance you. "Yeah, it is like a 1980s website." Yeah, this is the GeoCities résumé. Um, no, I mean, it's okay. I get this. I get that we are quantitative thinkers. I get that we want to display information in not necessarily traditional ways. Listing out "I did this, here, at this time, in this place" is boring. Yeah, it is. Résumés are boring. They were never supposed to be sexy, they were never supposed to be fun, but they're necessary. This may be prettier, but unless you're going for a UI dev job, man, I'm not that interested in your Microsoft Word formatting jobs. It just detracts from what I want to know, which is how you're going to function on an information security engagement. That's it, that's all I want to know. So we go: fail. Matter, bold,
under... this is, uh, iffy. So this is my friend Bobby Tables. Little Bobby, little Bobby Tables. Thank you. Respect. B and R. So this is... I get this. I'm very sympathetic to this. A lot of you have weird, diverse backgrounds. One of the best hackers I know has a BS in biology, but he's very goddamn good: amazing coder, an amazing pentester, writes fuzzers that would turn you white, and he also has experience with things like ISO 27001 auditing and compliance. Weird. Can't be easily summed up in this one short little one-page document. First of all, this is a thing: I do not give a [ __ ] how long your résumé is. Don't care. 10,000 pages, as long as it's all relevant information. Don't care. People say to me, oh, it was longer than two pages. I don't care. Tell me everything you can do. That's awesome. I love that. But looking at this, can anyone tell me what this person does? "They make lists." They do make lists. So maybe project management is the best thing for that. Yeah, yeah, thank you. Um, you know, thank you. "Trying to get past HR." Beautiful. We'll talk about that too, thank you. But a lot of you have been involved in all of these things, or a bunch of these things, and that's fine, but it's time to think about what you want. If you want to be an auditor, I pray for you, but if you want to be an auditor, talk about what you've done that's relevant to auditing. If you want to be a pentester, talk about pentests you've done, even if it's not on professional engagements, even if you just took Joe McCray's or Georgia Weidman's course. Tell me about everything you've done in your home lab, tell me about everything you've done that's relevant, because we want you. I have hired people who have never worked one day in information security professionally. Only experience was in labs, their home labs, their school labs, CTFs, and they're phenomenal. So don't think that you have to... look, if you want to be an IR person, don't think you have to pad it with this
other stuff. If you want to be a reverser, don't think you have to say, yeah, I can do pen testing too if that would be handy. No. Target your résumé to what you want to do. Maybe fill... I can't tell.

This is a good résumé. This is my dear friend Jane Q. Infosec, who works for Monolithic Financial Megacorp in Chicago. So this is a good example of what I was just talking about. Jane actually has a really diverse background. Jane started as a circuit designer. Weird, the scene was way more hardware-oriented. Started in defense and security architecture as a low-level firewall jockey way back in the '90s, way back in the PIX days, went into large-scale security architecture, to a little bit of pen testing on the network level, and now has a kind of blended role: trusted advisor, can do some policy work, can implement all these tools, the kind that were in this big glut of tool-speak in the first slide I showed you. But Jane's talking about what she did with them. Jane's talking about how it impacted the company. This is what I'd like to see more of. I don't have any illusions about what Jane does. I don't think Jane's a web app pentester, even though I know Jane is concerned with web app security. I know Jane is concerned with network security, but I also know Jane's not a firewall jockey anymore. I know Jane is concerned with policy, is concerned with architecture, is concerned with overall design. I know I'm not going to get Jane for 50K a year. I think I'm going to pay Jane 200K a year. This is the difference between a good résumé and a shitty résumé. So it goes, even though I don't like her. "Who does?" Great question.

This is a great résumé too. Little bit more granular detail. This is a web app pentest résumé. Used a little bit of Python, dragged in there, but that's okay. Yeah, this is a web app pentester who breaks down: this is what I do, this is what I'm good at, here are vulns, have fun. I love to see vulns in résumés. I love to see exploits in résumés. Don't be scared to talk about those. If... yes? Yeah, you want me to go back? Yeah, actually, kind of this one too. "So where do you put in your experience, like, I make and break things in my lab all the time, when it kind of looks like it's oriented between jobs?" Oh, child, I will get to that. Part two. You don't like that? Did I... see another hand up? No? Okay, good. Um, so web app pentesting. This is very granular, it gets very technical. Don't assume recruiters or hiring managers are too stupid to know what you're talking about here. A lot of recruiters are stupid, I'm not going to deny that. People are [Laughter] stupid. But the person who makes the hiring decision is the one you want to think about, not the damn recruiter. The person who's going to look at this and say, okay, you use Burp Suite, but you've discovered these kinds of bugs, and that's kind of what you see here, is sort of impressive. If the person could explain CSRF to me, that would be interesting. But this guy's done, or girl has done, compliance work. This guy is telling me about actionable stuff here, he or she has done, that I can use on an engagement. Sick. So we've got a great résumé. Now you've done what I say, you've obeyed me, your children. Awesome. So you've got your great résumé.
What do we do now? How to get a cool infosec job. There's a couple strategies. The first two that you see here, I think, are dumb. Don't do them. Old news. First two are "post and pray": you throw your résumé up on the job boards. I don't see a lot of people in infosec doing this. This is sense-making, this is good. Continue to refrain from doing this, for a couple reasons. Number one, résumés are the glitter of the internet. Your PII is all over the internet the minute you post a résumé online. A lot of you don't realize that if you throw your résumé up on Monster or Dice, it is there forever. So if you throw it up there when you're 15 and just kind of looking for a part-time job and you're living in your mom's basement, I have your mom's phone number, and that is not a your-mom joke. So don't do it. It's just dumb, and people like me, if we're really determined, if we're focused on infosec, have other ways of finding you. Moving on.

You can "spray and pray": you can apply to what's posted. This is problematic too. Job descriptions are vague. Thank you. I'm going to get deeper into that too. Job descriptions often don't make any sense, don't tell you anything about what you're going to be doing, and it's much more sensible to get close to somebody who is acting in the role that you're going to be close to. So if you're applying for a pentester job, talk to a pentester at the company to get a sense of, okay, what is this actually? I'm going to talk about that more in a second.

Much better: network in. Like I said, you can learn about jobs before they're officially open. HR generally has to rubber-stamp job requirements and say, oh yeah, we have budget for this, and yeah, we've written a job requirement, and it's officially open. To hell with that. Companies know what they need months before they admit they need it. Every single one of you who's working has a deficit somewhere. I don't care if it's incident response or sweeping floors, every company can stand to improve, and that means that every company can stand to hire someone. Now, the gap between that and getting HR approval and budget approval and all the other [ __ ] is enormous. So it pays to network in. Go to meetups, go to cons. There are people on LinkedIn. Don't be shy. Most people are delighted to help people who have similar interests to themselves. If somebody said to me, hey, what's the best way to get a job at HALOCK? I'd be like, I love you, let's hang out. Your mileage may vary, but most people are delighted to help you if you want to work at their company. So just hit them up. You all have those skills. Even recruiters can be helpful, but again, this is not a recruiter apologia. I like to think I'm okay. As I say...

Dumbass job descriptions. Can anybody tell me what this person
does? They secure all the things. They race cars and pretty princess dresses. That actually sounds really fun, love to do that. They are responsible for security, and they are given no resources with which to do it. Right. Actually looks like they work for the IT security engineer that does all... What the hell does this mean? This is from a real job description, not one of mine, I'm proud to say. Job descriptions in general are terrible. They're awful. They don't tell you anything about what you'll really be doing all day, so I can't go on the basis of them. Your goal when you're moving towards a security position, any IT position really, but specifically in security, because there's such a gap between what HR understands about what you do and what you're actually doing: get close to the people who are doing it. Ideally, get close to the person who will be your boss. Ask, who is the hiring manager here, or who would I be reporting to? Just get a name. Again, you don't have to be shy. It's like a tech support call: get a live person on the phone as soon as possible. Avoid HR. Now is my time to say I'm not HR. "You ask, do I hack?" What happens if you call me HR? There will be words.

So what is this job description, what does the job actually... Everyone likes beer. Sometimes the qualifications for the job are actually impossible: five-plus years of experience at Kali Linux. Good luck. Thanks. A bunch of certifications that have nothing to do with each other. Yeah. But you've got to be local to Nome, Alaska, and lift 700 lbs. That is also from a real job description. I'm pretty sure they meant 70. So here's the point of this: these are all in an ideal world where unicorns crap rainbows. Here's what the person would be able to do if Kali Linux had been out for five years: we would love somebody with five years of experience in Kali Linux. If it were possible to have all this stuff and a PhD in actuarial math, that would be great. And if we didn't have to pay relo to Nome, Alaska, that would be wonderful. But you know what? They want you more than you want them. Bear that in mind. All of this is negotiable. "What about the IT sec barista?" Uh, the coffee part is not negotiable. I'm sorry, you are not qualified
for jobs. Yes, sir? "Seen a number of listings like this where they're basically just trying to make a specific person who's already a contractor internally... hired in, and, oh yeah, that's how you basically know that they're not going to hire you, pretty much." Um, yes and no. So yes, that happens a lot, and you're not paranoid for thinking that. But if they have an internal person who is a contractor, either on W-2 or 1099, they might be on a finite contract or a contract-to-hire. This has nothing to do with that. If they've made up their mind to hire someone who's already an internal contractor, they're going to do it regardless. I'm going to get to the fact that job descriptions and job postings can be extremely CYA, but, short story long, essentially, legally they have to post the job. Does that address your concern? "Very." [Laughter] What, these talks are really just more to entertain me than to inform you.

So, getting to that. Job descriptions can be, depending on your state and jurisdiction, legally binding documents. They're usually written by non-practitioners of anything technical. They are usually written by HR and/or legal. Therefore there's a high degree of vagueness and CYA to them. If you are a person who was, for instance, fired, and they say it's because you weren't doing your job, they can point to the job description and say, oh look, this was your job, to have five-plus years in Kali Linux, even though that's not possible. So that's how they cover their asses. Get the real story, as far as what you'll actually be doing, by asking somebody who is either in that role or in a role that is adjacent to it.

You'll learn about jobs before they're open. This is awesome. I already talked about this. Friends and associates: go to cons, go to meetups, don't be shy. I have social anxiety disorder. I have problems going up and talking to strangers, and yet if I were looking for a job I would take a deep breath and find the person working at the company I wanted to work for and say, help me. Two words: how do I get in? And people will shock you with how friendly they are and how willing they are to help. Trust me, just try it once. I'm telling you, a lot of you have gotten jobs this way. I know this. If you haven't, give it a shot.

Social media, oft neglected. LinkedIn is okay. LinkedIn is kind of the suit-and-tie social media network. I like Twitter, man. I've made a ton of hires using Twitter alone. The cool thing about Twitter is it's fairly anonymous. You DM people, you can follow people, you can say, huh, here's a job I'm passively interested in, I would like to know more about it. I've also made hires based on people I met in IRC. I don't know, it's not that traditional anymore. I would say job boards, bad; stay on social media. Best thing you can do for your career: [ __ ] around on social media all day. I'm telling you.

Good recruiters can help. Look, I know recruiters get bashed. There are really good reasons for this. I'm going to get into this in a second. A lot of recruiting practices are really stupid. Not going to lie. If you find one you can trust, if you find one who seems to be vaguely clueful, cool, work with them. But be aware that they're in the minority.
Very much so. So we're talking about bridging the gap between the hunter and the hunted. Let's talk about attack paths. People ask me all the time, hey, I'm a sysadmin, I want to break into security. Or I'm a dev, or I'm a network engineer, or I'm just doing help desk. How do I bust into security? There are general rules that can help with this.

For instance, sysadmins. Sysadmins, I have found, make awesome pentesters when they grow up, because they understand systems, they understand large-scale networks, and they know how things break. And this is good. It can take some training, though, as far as methodologies. Scripting and coding is something that I find sysadmins need to learn. Common large-scale systems config and large-scale, especially Linux, hosting environments. Windows somewhat, so not so much. Also, if you're interested in defense or IR, and/or if you have a systems administration background, you're going to have an edge, because once again you understand how things break, you understand how things patch, which is good.

You're devs. Secure coding is going to be a thing. Secure coding is already a thing. I am already hiring developers who understand not just the OWASP Top 10 or the Web Application Security Consortium publications, developers who understand not just how to write secure code but how to architect secure software environments, how that bleeds down into DevOps, how software can govern a secure IT environment. That's sick. If you can do that, you name your price, period. And we're not seeing a lot of this. We're not seeing, in terms of reqs that are written by recruiters or HR, we're not seeing people saying, yeah, we'd love a developer who can at all write secure code. Not a lot. They're more focused on languages: HTML5, Rails, who cares if it's riddled with vulnerabilities? It's a feature. It's a feature. Um, devs can, if they wish, learn web pen testing very easily. I have seen software developers become insanely good web pentesters. Obviously, observe 0-days and bugs in the wild, consider how those devs are..., consider the foolish mentalities that led to "[ __ ] it, ship it" and therefore very insecure. Do you want to go into project management? Cool. We are always looking for project managers who have a sense of security. This is just letting me know what's getting hot.

Network engineers, cool. Ten years ago I could not hire enough of you people. I love you. I love hardware, I hate software, but that's okay. Network engineers are awesome because they are focused on making things work. They are focused on making things work even when they can't work. So the fastest way into security through network engineering is through network pen testing, but demand for network pen testing is somewhat plateauing. We're seeing a lot more app-level, code-level security demand. You need to realize that defense is about more than devices, firewalls, blah. You know that. It's about architecture too. It's about smart policy. I have found, and this is going to be painful for some of you, I've found that network engineers are really, really good at policy implementation and compliance. I'm sorry. I'm sorry. I know, I know you don't want to do it, but it is lucrative, it is necessary. Be good at it. And if you don't want to do policy and compliance, go on, just walk on. Just be a network architect, security architect. None of these jobs are going away. But people ask me all the time, hey, what's hot? What's getting hot? It's a couple things: web app pen testing, secure coding, defense, because nobody wants to be on the
poli... Oh, it's not hard. [Laughter] You'd like to stand up tomorrow? Oh, okay. No. And okay, so blue team is considered less sexy than red team. "I'm not breaking [ __ ]." "It doesn't have penetration in the title." That's more... yeah, come on. Pentesting is not for everybody. It really isn't. I think we can all agree on that. Some people are just better defenders, and yet these are really well-paid jobs. They're actually kind of fun and interesting, but people don't want to do them because it's hard. Pentesting isn't hard, right? "The better you are at blue team, the better you'll be at red team." Yeah. "Sounds like you're more likely to be a scapegoat on a blue team." So good. Yeah, I mean, those are the big ones. All right.

So, FAQ. How do I incorporate gray hat community involvement, etc.? Addressing what somebody... and thank you. How do I incorporate gray hat community involvement? Say I hacked into Paris Hilton's Sidekick, or say I, you know, have been going to meetups or cons, whatever. How do I throw that in my résumé? Rad. You may encounter mistrust, especially if you're applying for internal security jobs. If you're applying at Chase Bank, people are going to be dicks about it more than they are at a security consultancy, right? So how do you get around that? Establish trust. Yes, I know how to tie a tie. Yes, I understand that it is patently wrong to do illegal things, and yet in my lab environment at home I have determined that there are certain mobile device exploits which exist in the wild, and we had... the part that they have to do with Paris. So yeah, talk about what you learned.

Community involvement, terribly underrated. People ask me, oh, should I talk about how I went to BSides? Should I talk about how I went to DEF CON? Should I talk about CVEs I published? Should I talk about X, Y, and Z? I say yeah, all the things. Later. Because that to me says you'll do this for fun. You're happy to do this for money, you're happy to do this eight-plus hours a day, but then you'll go and do it for four more hours. I love that. I talk to people all the time who are like, I hear there's money in security. There's also decades of misery, but fine. If you're getting into security for the money... I don't know how to finish that. So, good. Mention all the things in terms of community involvement. Talk about talks you've given, cons you attend, vulns you find, anything. Stick it at the bottom of your résumé. Brag. It's great. Just make sure it's relevant. Other projects, patents, publications. I talked about the electrical engineer, circuit designer I work with. Cool. That guy interviewed for a job with a guy who was an electronics
geek, and it turned out awesome. But try to keep it relevant. Cool.

Why is my résumé getting so many irrelevant bites, or no bites at all? Dumb recruiting software and robo-processing. I'll speed through this, it's not that interesting, it's mostly just dumb. Fixes are years away. So I hear a lot: these stupid recruiters, they look at my résumé and they see that I can exploit Java vulnerabilities and they think that means I know how to code Java. Most of those recruiters are not actually looking at your résumé. We use secret robots in order to send you horrific levels of spam. I don't do this anymore. I used to work for shitty companies that did this, and I hated them, and I yelled at them not to do this. I said, this alienates the very people off of whose backs we make money, and various expletives. But it's just the way it's going to be. You can troll them back. I know a lot of you enjoy trolling us back. That's fine. But the delete button is right there.

Your local market might suck. You might have to move, or you might have to start hustling in terms of looking for either remote employment, or go out and sell yourself. Say to your local business, even if it's a shoe shop on Main Street, hey, I noticed this massive gaping SQLi on your website, would you like some help with your security posture? Can't hurt. I've seen it work for a lot. "Maybe you didn't do what I told you to do." [Laughter]

Do I care about certifications? Once again, Axe body spray. No, you can't make me. They're not bad. "But it says they do in the job description." No. Ask. Be very skeptical about the job description. Ask what in that is negotiable, because I guarantee you most of it is fishable, if not all of it. Some organizations actually do care about certifications, like the government. I think it was a couple years ago, somebody told me at the DISA conference, somebody went and sold them a big old pile of snake oil saying everybody who touches any secured information in the US government should have a CISSP. Everybody, to the level of, like, an Edward Snowden. And they're like, okay, and now the US government only hires people who have CISSPs, and it sucks, and they pay people with CISSPs $10 an hour. So that is how it goes. I'm told to stop now. I'm saying get the certs, but it's nothing in a vacuum.

Q&A, do I have time? "We're not going to kick you off. I think the camera needs to go, but..." "It's now time to change rooms, but there's a microphone." Well, all right.