Empowering Pentesters: Strategies for Team Motivation, Purpose and Success

welcome everyone so as you already mentioned anden um I would like to talk today about um the red team side so about um red teamers penetration testers and how in my role I can Empower those people um also sharing some strategies for team motivation for success and for also having purpose and fun at work because this is also very important pentesting is not a job it's a passion um and I think the pentesters amongst us there are some at least I have met some already um in in the audience um the pentest is amongst us um I know it's not like a 9 to-5 job it's a it's a passion it's a dedication you do

everything you can in order to detect the best the amazing findings um you do this with everything with your your heart with all the Curiosity you bring with to have the best attack paths to exploit the vulnerabilities it's hard to find people like you penetration testers rimas on the market because there's not many um to find good ones and it's even harder to keep you to keep them in the organizations and that's why I think it's very important to set the right environment to set the right conditions in order to motivate the people accordingly in order to appreciate you them accordingly um and to do everything that can be done in order to show purpose

purpose at work for organizations using the knowledge the great knowledge that you bring with it that you can contribute for the organizations in order to help organizations to protect to protect themselves the organizations and also Partners um providers that are also um integrated but also protecting society and in the in the end lives individual lives and every one of you is playing a great role in that and that's why um I think it's so important to really um have an eye on you and to as I said to do everything um to set the right conditions in my role um I would bring those ideas those strategies what what I can do um I'm a a leader of us said 10

more than um 40 cyber Security Experts penetration testers R teers also technical coordinators who do the planning the organization of those assessments and then also um process assessors that are in my team um and so I also had the pleasure to grow this team from about 20 people to now more than 40 people within the last two years so there's a a great um demand um luckily and we could also also show the great success of the work in order to be able to grow in that way um yeah and um I get positive feedback very positive feedback from my team from everyone who works with me this is something which motivates me and I can give this back then to the whole

team to everyone who works with me um in order to yeah to bring the motivation there to everyone as well um one famous um statement was petina don't change so this was something that I kept for me because um it reminded me that it's on the right way what I'm doing um for the team with the team to really show the success there about motivating the team so what I think what's really important are different um factors different key aspects on the one hand side to really show authentic empathetic leadership what this means I would um shortly talk about that also to help the people grow to help them growth uh grow in a in a

personal but also in a technical way and to bring technical challenges not to have a boring um boring job there to create a trusted atmosphere to do the right collaboration amongst team members but also outside the team and um also to bring the right connection between it and cyber security from my background um I I have an IT background um and I've worked in it for many years um I can bring in different perspectives to the cyber security people and the other way around and what this means I will share so to show an authentic and empathetic leadership um for me it's very important to support the people to help them grow to see what they really

need everyone has individual skills individual wishes individual um requirements ex um expectations so I think it's very important to listen to each and everyone to really understand what is the wish what is the need what um can I do what can the organization do for the people to help them grow for some of them it's very important for example to um to keep up with the newest Technologies in in terms of trainings so to make possible that the trainings can be attended even in in times of cost pressure maybe not having so much budget for that but still fighting for that and giving the people the opportunity to um develop further and attending trainings on the one hand side a very important

topic on the other hand it's important to attend certain events like bites but also other ones like the blackhead for example like like um defcor like Bron to exchange there to learn from each other to learn from the best ones also to do team building um it's not um yeah taken for granted that um yeah people can attend those um all those great events on an organizational budget but I do everything I can in really in order to really make this possible and um yeah to let the people go there on the other hand um the life as a penetration tester if you do this for many years it can also be very lonely after a certain time if you are doing

those assessments just on your own um and it's important for lots of people to work in a team to feel integrated so um that's why um I I can also ensure that um of course depending on the complexity of the assessment on on the project the people work to together in teams that two or more penetration testers are working together on an assessment and this is even more important um by working internationally so having the teams distributed in different countries in three different countries in Europe um with little bit different time zones as well um and being in the home office so most of um of the guys girls that work from home therefore it's even more

important to have this interconnection this um collaboration and to work together um it's also very important to foster a sensitive communic communication so a safe place where everyone can speak up where everyone can bring in ideas share concerns even um in order to have a trustful exchange and a trustful environment and of course very important also to give the right appreciation for the great work so um whatever can be done here for example celebrating celebrating best findings we detect within the team who has the best one the most amazing one how did anyone come to this finding to to learn from it and also to give the opportunity to share to share the knowledge and also to

shine not Everyone likes that maybe not in a in a bigger audience in a bigger community Community but in a safe safe environment in a in a team where you can really trust each other the people also like to talk about that to share it and it's a great appreciation also appreciating certifications it's very important um for the team to to have the right qualifications also combined with the certifications in the end and this if someone is passing a certificate then that's a big coray as well and a big congratulation going on in uh in the virtual environment so but letting everyone share and um being part of that on the other hand it's about growth

and Technical challenges and I already mentioned some examples so um seeing what the people really want what the people really need also in order to develop in order to grow and as mentioned in the beginning the team um I could grow from or I could almost double um double the team in um in a relatively short time so there was chances for other people um to also grow into new roles to take over leadership roles to come from a technical expert um role being red teamer being penetration tester and then leading a team of penetration testers leading a team of red teamas having um also successors of this leading role so really new responsibilities new areas um to work in

to grow and for those um who would like to um to get into this step it was a great opportunity and I um with the the leadership experience I had um it's about um 10 years of leadership in in different roles first in it since or for the last five years in cyber security I could also coach the people what is important how um to yeah to set the right strategies how to motivate the people in the teams how to collaborate with each other and this is something that really goes throughout the team um and creates a good um and um sportive team atmosphere team spirit um yeah also to promote strategic initiatives Innovative initiatives so

it's very boring to only have one penetration test after the other to only have one reima assessment after the together it's very important to also provide interesting research topics for example how do we test ai ai applications it was coming up now a year ago more or less as a as a new topic how do we approach this and creating the room for that in order to have time time to um to go to trainings to exchange um to to do kind of research how to um set up the right testing methodologies the right testing approaches this is something that needs to be created and something very important for my point of view um also to to push

forward um technical challenges interesting topics for a penetration tester after a while it's really boring to only have web application tests infrastructure tests um so yeah what what else um Can Can we test what else is out there and there's so much in a organization um for example doing product assessments doing Assessments in the OT environment ensuring that those kinds of assessments are really requested that those assessments are important in OT there's so much to catch up in it that's in the meanwhile a more or less um yeah cyber secure um thinking or or mindset established but in in OT in the products area as well um it's really important also to create the transparency there to test more to

improve more in the end and those are the things um what I can influence of course in order to um yeah to create the awareness that um those assessments are necessary that we need to do more of that and to provide those Assessments in the end of course to the colleagues who are testing trusted atmosphere I've talked about this already um to ensure that the people feel safe to speak up to to create this safe environment um it's also important to stand behind the teams to to stand behind each and everyone there's always something that could go wrong but really then clarifying um what is the root cause why are specific communication issues maybe um that is

something um I see also in my role in order to um to really stand and behind the people support the people and everything um there doing a trustful communication and I will come to this as well um also a very important topic to handle the sensitive issues we detect the critical findings we detect how to handle this in the right way that you um that you enforce an effective communication in order to improve to solve the issues but also doing this in the right way in a very sensitive way in order to have the Right audience who who can really influence it in the end and building this trust then in the community through that

transparency um that can be created with those results collaboration I mentioned this already um very important to have one team I I told you that um in this area of um era of growth it was also necessary to create sub teams because 40 people that um cannot be just just led by by one person it could be but um it's not very efficient anymore there needs to be a certain structure and therefore it was really important during that time to ensure that there's no Silo thinking in the um separate teams that there's still a collaboration amongst the teams on the one hand side having pentesters red teamers but then the coordinators who do all the organizational um topics

and really working closely together so that the technical um the the technical guys girls they can focus on the technical assessments whereas the other topics are managed but still there needs to be a very close collaboration in order to make sure that the topics are addressed accordingly um yeah connecting it and Cy security and um there was a talk before um regarding um development um this is also something I could um bring in um through my experience through my past in it where I saw there is so much cost pressure the solutions they need to function there is no time and no budget for security it has changed in the meanwhile I guess or it's still a way a way to go but there's

lots of pressure and and those um people that really have the pressure to bring the things to work to let them function cyber security is still something that keeps up and um that costs something in the end and bringing those um perspectives also to the cyber security people to understand why do we have those issues why do we detect so many findings so many critical findings and also the other way around bringing those findings the ATT Tech pass um the the awareness to the people in it this is also something very very important um to create this understanding in order to improve to bring it in where can um some some measures already be implemented in

the development process of um certain Solutions and also how can it be tested in the end how can it be improved how can we make sure to have um cyber Secure Solutions with the yeah um best effort with the most in the most efficient way detecting the same findings over and over again I think there is nothing more frust trading um for a penetration tester for a r tea then um detecting the same findings all the time always the same symptoms where uh whereas it um was reported there's um the findings are fixed um still there or maybe some are fixed and other ones are popping up this is something where it's very important to show purpose purpose at work so that

something can really be improved in order to get to a more or to a higher cyber security posture and this can be done in the different ways pentesting red teaming second line of defense a new topic um that I could also um implement or cyber security Assurance we call it going to a global assessment transparency what this means for our team for penetration testing staying up to date with the newest Technologies focusing on those technical um tests only and not having this um all U yeah the overhead that needs to be done on an organizational side mitigation and exception handling so having or making sure that all the findings are um collected but then also um monitored

monitored and triggered to to make sure that there is a a kind of escalation process behind that the asset owners are um getting information about when to fix what finding and if this is not happening then at least there needs to be an explanation a risk acceptance an exception handling why this cannot be done and if this is not be done in the right way then um there's an escalation process insured that this is really made transparent and something is moving forward otherwise you will never improve red teaming it's um from my point of view not enough to only have the the penetration test with a limited scope but really acting as a real attacker would do it moving throughout

the n network doing lateral movement um also testing if detection mechanism work in the right way being very silent but still um having a certain Target a certain worst case that um would be attacked and showing this big impacts that uh a red team can can have here being domain admin in the end for certain domains um taking this um this knowledge and and showing this to the right people to the management to to really make them aware of what could happen if an attacker would go throughout our Network making them aware and ensuring that um the red team is really important that it could grow a lot so uh when I took over the team it was in

2020 it started with the red teaming exercises this were the the first um steps to um to experiment it in the meanwhile it's a really well-known team it's a grown team with many more people in it it's a a a team that is well known and um also very well seen from different um customers as well having recking also purple teaming having the red team and The Blue Team what um Chen in the beginning also announced seeing how um how they work together or what can be detected what kinds of attack vectors and seeing um what can be improved in those processes in their detection processes as well conducting R tests also a very important topic so not only showing the

findings and doing remediation or initiating remediation but also making sure that there's real remediation going on and also doing retests and if um there was no solution or or no finding fix um then also making this sure addressing this at the right level second line of defense that's a more holistic approach to also look behind the scenes to also test the processes the root CA why do we have those technical symptoms to see the root causes behind and also to show Solutions how this can be remediated the global assessment transparency um I would like to show so everything what we Tech in the team that's on the one hand side very important but um it's important to also

see what is globally um out there in terms of finding to collect this to work with this to aggregate the data to go more in a datadriven cyber security um yeah and now amazing finding but can I talk about it and I think now we are over with the time just maybe one last sentence um what I think is very important to have have the right sensitive communication yes but but the the right effective communication in all the different um areas that can be done so having the management um on the one hand side informed if there is something critically um detected having also um escalation procedures in mind using all the results in red teaming in second

line of defense we find in order to address it at the cesos at the in the organization in security boards they're using existing channels existing boards to address it also to ensure that projects are being set up in order to remove findings to really improve um if those um communication channels are not set up really then um I found it also my task to ensure this to find the right people the right um stakeholder in order to address the topics properly and to make sure that we can enforce um remediation and Improvement here we have a top findings poster we celebrate the best findings we do cves publish those so these are um also examples to really um communicate

the um great results we have and make the the outside world aware of those and in the end um I would like to thank you all for the great job job for helping to really protect organizations Society and also individual lives thanks a [Applause] lot thank you patina um so does anyone have a really good question for a patina no pressure any questions

I don't know if I saw hand go up and go down okay no go thank

you okay uh thank you yeah thank you for your speech I really enjoyed uh listening to you and I I really enjoy also when women speak up in a Podium and that's my question related to so how do you Empower women uh or how many like maybe in your team how is the percentage of menant to women or other in like inclusivity of all uh backgrounds and so on but especially my question being a woman um addressing this part thanks a lot and that's also a very important topic to me and also to um to the surrounding I'm working in um to um push the diversity topic forward and also to help women on um especially

to um to contribute to this great um yeah to their great cyber security area and to to really help that to um yeah to protect everything we can what I do in my team um so the percentage is um I would say it's also rather low maybe 15 um% women and the rest um male colleagues um but we are also striving for that and I do this with different measures inside helping with coaching and with exchanges and so on that uh the women really feel motivated and um also engaged and um yeah to give them the self-awareness I would say that they can do that they can do lots more than they sometimes think would be able to do um

and also um having different um different communication measures like um there's a an a mentoring program going on where specific um people in the organization but also outside of the organization are being mentored on the one hand side by me as an example but also from other colleagues um in order to see how do they feel where where can we help where can we support um to help help them grow in this area um yeah something really important I think to make them strong okay thank you any any other questions okay hello you're presenting a red team here from pretty huge organization which have variety of products and you mentioned cves so what do you think for the companies

uh which have their own red teams if you found as as as a red team in the huge company if you found a vulnerability in your own product devices or equipment should you do this like silent patch and just saying like this buckets fixed or you just should go for the normal normal disclosure over CVS and so on so everybody knows uh like how many bugs you found in your products and so on so what is your opinion here uhuh yeah thanks a lot for that question um I think it it really depends on the organization and um about how to treat special um critical topics in the organization I work in I'm in the um

pretty lucky um environment that um cves can really that cves can be published and it can be made transparent what kind of findings are in the products and that's very important for the culture and also for for being transparent um but I think it really differs and um it depends on the culture of the organization um but I guess this is the the optimal way to go and they can only promote a processes like that to work with s with product s in in this case um to really have the right processes um set up to to use those processes and um yeah to communicate about it okay thank you so much patina um this

is all of the time that we have thank you so much for being here this this afternoon and one more big round of applause [Applause] [Music]