
Glen Roberts - Take Charge of Your Infosec Career! - BsidesOrlando 2015

BSides Orlando · 49:06 · 166 views · Published 2015-11
About this talk
http://bsidesorlando.org/2015/glen-roberts-take-charge-infosec-career

Day 1 - Track 1

Abstract

You spent $5,000, a plane trip, a hotel and a full workweek on your last infosec course but when was the last time you invested even just a few hours of your time exclusively to developing your infosec career in a truly meaningful way? This talk will challenge the way you view your career and give you actionable steps for taking charge of it so you can optimize the rewards and fulfillment you receive from your work. Glen will leverage the stories and best practices from dozens of information security professionals to help inspire your infosec career journey. This presentation will be engaging and speak to the soul in a way that instills ownership of your own career and generates a passion for finding and carving out your own authentic career path.

Bio

Glen Roberts, CISSP, is the CEO of Charlotte Cybersecurity and Host of the Hackers On Fire Podcast. He is on a mission to encourage more people to enter the information security field and help those who are already there to advance in their careers. He has interviewed dozens of information security professionals for the weekly podcast in which guests share their stories and lessons learned with the audience.

hey everybody how's it going I'm going to try to keep you awake I know you just came back from lunch and everything apparently there's some technical difficulties so the the colors are a little off here so if you can't see something and I need me to expound upon anything just let me know now it's a good time to just talk about the overall format of it what I like to do is encourage interactivity so if you have any questions just feel free to yell it out or raise your hand or something so that we don't have to wait till the end for questions and answers and you know I want to make sure that you're getting

the most amount of value out of this and I think the best way to do that is for it to be an interactive session sounds cool all right is anyone in this room under 18 Oh or is it 21 yeah nice try what's the drinking age here 21 all right

okay so as part of the speaker package I've got some orange smirnoff and some lemon sorbet smirnoff alright so this is going to be to reward those who are vocal and encourage more interaction say what okay yeah all right oh okay so but truly looking for some interactivity and also if someone asks a question and you have a really good answer maybe even a better answer or different answer than me feel free to cross talk amongst yourselves and it's all about helping each other out here that's what this thing is all about it's less technical and more helping each other so interactivity is going to be good for this my name is Glen Roberts and I've

got a podcast called Hackers On Fire and I live in Charlotte North Carolina doing a bunch of infosec stuff I love information security research and I'm very passionate about helping others to get into the field and to also advance in their career before we start I do want to thank the volunteers at BSides and the sponsors of BSides for helping to make this happen including UCF you know for being a gracious host thank you for attending too so we develop our technical skills a lot of next week with SANS a lot of the BSides talks is geared towards technical skills and sometimes we spend a lot of money to get that training that we need for our

technical skills as an example a conference can cost close to five thousand dollars to go to is anyone here going to SANS starting tomorrow yeah a lot of people right you mind if I ask how much how much that was about about 5,000 okay yeah I pulled this up actually from their site so okay five thousand dollars for the class itself and then you might need to fly you might need a hotel so that could be another two grand easily has anyone spent more than seven grand going to a conference getting some training now oh you have how much

but he told you not to not to go anymore start going to BSides it yeah it's actually funny because I get so much more value out of a BSides conference which is free to near free you know 10 20 bucks than I do some of the other training conferences but even spending five thousand dollars on technical training at SANS it's really really high impact good quality material and is well worth the money maybe even double the money so I don't mean to say it's not worth it but what I do mean to say is that we also need to be developing ourselves and our careers and so it's it's necessary to complement the

technical skills with also a little bit of the career oriented stuff and so that's what this talk is about and I'm glad that you're here for it so the question is are you developing your career at least at a balanced level with what you're doing to learn your technical skills I know several people that are really great technically but they have absolutely no visibility at work and as a result they get overlooked for promotions they don't get the lion's share of the raises even though they may be huge a huge contributor on several different fronts and so I think some of that comes to not really developing one's career their awareness about themselves and how they portray

themselves at their work stuff like that developing relationships we're going to go over five tips in this presentation now I'm going to leave you with and I also hope that you do ask some questions so that i can help you more specifically so with developing your career you know technologies are constantly advancing and you know if you knew Visual Basic you know then you learn VB.NET Java Python learn all these programming languages you learn Qualys you learn Rapid7 it's a never-ending series and it's never going to end there's always a new technology to learn and so it's really necessary to spend a little bit of money on some of those eternal concepts which is you know

some of the base career development stuff so that that's what I'm trying to encourage with the slide and just telling you that you know it's a very big part of your growth and ability to command the salary that you deserve to understand how to run your own career

so I've got some questions for you one of the most important ones on the slide is are you completely satisfied with your current employer in your current position at the employer are you completely satisfied is anyone in this room by a show of hands you know who is I mean there might be someone okay great the the Brando's are in the back sitting next to his boss okay great besides you okay okay all right oh you're your own boss well I I would assume you could be you have the great potential to be satisfied all right that's good in the fact is and he said I have only myself to blame the fact is whether you work

for yourself which you know you're really working for your customers too or you are in a W-2 situation with the boss at work you still only have yourself to blame and that's what this presentation is about taking charge of your own career so other questions that are provocative are are you getting compensated based on the value that you're delivering is what do you do making the world a better place sometimes that's a personal goal that someone has are you working on your life's work do you aspire for a more meaningful role in life and at work only you can make yourself successful and you know if you think about your day to day when you wake up when that alarm

rings you know are you jazzed about getting out of bed and going into work are you waking up before the alarm rings just to go in and work on some project are you really jazzed about it life is short you got to make the most of it you've got to be doing what you love doing with the people you love doing it with and it's a symbiotic relationship so you know there's a little give and take where you know you need to be appreciated at the work you need to feel appreciated so you have to be conscious of that your feelings there and also look at the objective stuff like total compensation packages that you're

getting for your work but the most important thing that I think is you enjoy what you're doing you feel that you're living your purpose you're living your dream and you're just really loving your job so we're never all going to love it a hundred percent but if you can reduce the amount of percentage that of your job that you don't really like so much and increase the percentage of the pie that you really love doing at work you're doing what you should be so you're the main ingredient for your success and sometimes that starts with having a good attitude and a good outlook on what you're doing on that point I've got two things I want to

share with you two types of mentality one is the victimhood mentality we all I think we all fall into this from time to time and the other one is a take-charge mentality where you're conscious about what you're experiencing your feelings and you know you know when to take a break when you're falling into a bad attitude so just to break down the two mentalities first of all does it you want to have any questions so far okay because if no one has any questions I'm popping one of these open and downing it right now I don't even drink this stuff so okay all right you just want to see me down and I'm not going to

yeah you're right so gentlemen's comment is this presentation is not just about infosec that it could apply just in general to a leadership angle and that's true and I think that we are all whether we're owning our own business or whether we're owning our own career we are leaders of it and there's ways to be leaders at work whether we're a manager or not so very insightful lemon or orange all right one more where that came from so victimhood mentality this is a this is dangerous we all fall into it because we're all human but you know let's talk about it so victimhood mentality is you're going to work and they've got some vision for you and

using up your career for their own ends and you know you are struggling to go this other direction but they're wasting your time on this other stuff and you know so there's that feeling I don't know if anyone resonates with this but I have felt that way at various points of my career and I'm just putting it in my own language but you know they tell you what to do and you know you have this feeling that the end of the day you need a paycheck to survive or support your family and maybe you start just going through the motions so that leads to stagnation in your current job and you could have you know motivated by fear

that's not a good thing when you're at work and you're motivated by fear you're not exactly going to produce your best work in that type of scenario so I would also say victimhood is when you're overly reliant upon an employer for a promotion you know or you're waiting for that bonus in March you know and you know maybe there's something else some other carrot that an employer dangles in front of you for my retention standpoint and what I just like to say is if you ever struggle because there's a couple of paths in front of you one is you know the carrot in front of the donkey whether it's money or anything else prestige positioning a position of authority try

not to be swayed by corporate accouterments because after you get raised to that new level whether its financial or you know title if you're like me you know after you get to that new level it starts to be normal again and you know you start to want the next level a next level but really all of that leveling is is it's a it's a distraction because at the end of the day you know what you want to do the contributions you want to make in our field and the more time you spend kind of chasing the carrots and getting distracted with corporate accouterments it's a it's going to take away the time that you have to devote into performing

your life's work in infosec so so that's a victimhood mentality yeah it's awesome I think it's interesting seconding your current job car left with fear of leaving I've seen people get into that metallic and then the job leads down because their second they're no longer yeah that's that's a wise observation so are you so the job leaves them as their stagnating in their job maybe they get terminated yeah that could happen

yeah the job has evolved beyond your skills and you've just been more in an operational role just keeping the business running as it is instead of developing the business in developing a lot of innovative ways to do the same thing all right you got women oh you've got good okay all right I don't want to walk out of here with this okay okay so thank you for that though on the take-charge mentality side it's it's a it's different it's not the exact opposite but it's different different enough to be worth noting so you have a vision to fulfill with your own career instead of some job title controlling what your career is about and you know

letting that be so you really need to be true to that and you're maximizing your impact in the world in your career and you're taking deliberate efforts to align your career your your work with your career goals and sometimes you have to recognize when it's time to move on and this isn't necessarily a bad thing it could be a very positive thing for your employer and for you and it could be mutually beneficial to recognize when it's time to move on now when I say it's time to move on that might be it's time to move on to another role within your company or a different department in the company you know to maybe you found

something you're really passionate about cleaning up or some business process improvement that might take a year or more to improve and you just might want to propose to your boss that your position changes a little bit so it doesn't necessarily mean that you're leaving the company but I think it is important to know when you know your your job is getting out of alignment with your career goals and i would say i'd recommend talking to your boss about that because unless there are a complete jerk you know manager 101 is is trying to really get the most out of each individual based on what their talent is and what they can do for the company so

they would probably welcome that conversation okay yeah I've seen it many times so the comment is you might be creating your own job within the organization a job a title that doesn't even exist I've seen this happen time and time again and you know if you're even considering it you're probably a top performer because you know let's face it cellar dwellers bottom performers you know they're not going to even have the idea or vision to create a role around something that's so necessary so innovated that it just has to happen the conversation just has to happen the fact that you're even thinking about that would tell me that you're probably at the top ranks where

you work and valuable contributor to the industry so good stuff so here are the five tips that I promise I'm going to talk to you about these five tips there's so many but we don't have all day to talk but these are the ones that I want to share and talk to you about so I welcome the dialogue back and forth so visualize your success create a plan to be successful and have a development plan for your career build your brand build your network and take deliberate action on the first one this is visualize your success so what we've got here is a visualization of what I think success needs to be in infosec when you start

thinking about this oh gosh I didn't realize this slide is that bad let me talk to it though so at the top is attitude having a great attitude sometimes having a great attitude can help you overcome a lot of obstacles and help the team get unstuck unjammed from certain situations especially if things don't go your way some political battles going on stuff like that having a good attitude is really really crucial below that in the center of the diagram is purpose so understanding what your purpose is in your career and what your purpose is at the place that you're working so how is the place where you're working or a customer or client that you

take on how does that fit into the puzzle what piece of the puzzle is that for you so purpose is really a good thing to visualize your success discipline discipline is something that a lot of us lack and but there's so many tools that can help us to do that so this is having a good morning routine having a calendar-like with different tasks periodic tasks that you need to do on a daily weekly monthly basis I'm talking about things like following up with one of your former bosses just to say hey man I was thinking about you and how's everything going here's what I'm working on you know how is it with you or maybe it's someone that a former

colleague that you shared a cube with or something maybe you follow up with him say hey I was just thinking about the old days when you know we had to share a cube and now I had to buy you that underarm deodorant you know but you know staying in touch with people you can systemize that through discipline through calendars and such so I think that's necessary quarterly looking through the goals that you have set for yourself find out where you are relative to them and you know the last one and its last for a reason is your skills you know skills I think everyone knows that we have to have skills we have to have mad

skills really to be competent in the infosec field so you know I'm pretty sure you guys know that already but I would like to say that skills is not just the technical skills you know can you write a Python script it's you know do you know how to talk to someone in the business about why they shouldn't be using a 7 character password maybe they should move to a passphrase you know can you explain that in layman's terms to them and then go talk to the system admin about why shared credentials should not be used you know so being able to have those conversations yeah go ahead yes that's a good one how to make your

field relative to their field I think that's a very good call I mean we've all got different roles in in the company but we're all striving for the same thing sometimes you have to have there's some obstacles that need to be overcome and you know conversations need to be had you have to be good at having conversations that involve conflict but not cower down from conflict yes

why the question is why is skills under both purpose and it's also under skills no real reason probably probably is it real great from a presentation standpoint yeah so you know initially when I put this together it was kind of based on a word doc that I wrote but you know from the slide you know it says purpose having a definitive purpose something that you know focuses on your strengths and then also with an understanding of your weaknesses you know and trying to really focus on those strengths areas that make you unique which includes skills right so I've gotten a association in a lot deeper it could be either yep all right so my view of this triangle is that when

you're looking at creating a plan for yourself to be successful that all of those components need to be at play not just one so as an example have you ever known someone that has really great skills that has a bad attitude has anyone ever known someone like that okay now sometimes they can get away with it it depends on the environment but it's usually not long so you won't have any stories to share

okay I won't force it so how about someone with a lot of discipline so they're really good plugging and chugging discipline oriented but at the same time they have absolutely no purpose whatsoever maybe don't even know what the company purpose is right so I mean sometimes this could be compliance analyst or you know someone that's just really good at ones and zeros i's and t's but they really don't have a friggin clue so I think we've all seen that that type of person as well sometimes this is a junior level person just getting in the field and they might waste a few years before they start to realize the bigger picture

okay so on creating a plan this is all about defining your mission and your goals and you can combine life with career I would encourage it it does i mean it's probably to most of us our life and career is just a blend anyway but define those missions and goals for yourself identify what gaps exist when you assess yourself and where you are do you have what it takes to achieve that mission depending on how far the mission is out you know you probably are lacking in several areas and need to develop an action plan in order to get there and and then of course execution is a large large large part of this instead of just

planning some piece of paper I don't mean to de-emphasize the role that getting it down on paper is but you also need to execute execute execute don't wait til hundred percent do what you can I've got a lot of people as an example that asked me hey I want to get into information security but need to get my CISSP first wrong answer my opinion what you need to do first is know what you're talking about know what you're doing develop skills you can do that in a lab and a lot of people that are interested in information security already have a pretty good understanding of enough to start at a junior analyst level and you learn so much more just

kind of jumping in getting that job and doing it eating breathing it all day with within your job you'll grow so much faster than waiting and taking some tests you don't even know what you're talking about entering the questions so that's just an example but execution is everything yes

certification

I agree so for those who couldn't hear he's talking about you know a firm that's asking you to have your CISSP within 90 days of starting should be a warning sign and you should be asking the questions of them such as what are your mentoring programs what are you going to do to help me be successful you know what kind of investments being made did I capture that all right good one area you have to give this away I don't care if you drink it or not so there you get what's her

contact with the FB picture let's you be willing to most things that happen to you are weird little highways really so yeah by all means have about your plan and it's something I try and do but I'm never five years not never fair i thought i was going to be i'm so happy but it's not I didn't reach the bullets that it's about the trip right it is it's I wish I hadn't so let me make sure I captured this for everyone else so basically it's good to have a plan but also continually assess and be flexible with yourself and be comfortable with the fact that where you end up may not be exactly i represent on

plan and you need to be even willing to change your plan did I get that that's that's very insightful yeah

hey maybe I wanted to be a weapons for graphic designers let it be something else and it took me a while to figure it out

yeah I think that being comfortable with yourself being who you are and even if what you thought you were going to do doesn't pan out that's I think that's key to enjoying life and work is such a large part of our lives so you know we do need to be comfortable with ourselves I think there's a process that we as people go through until we get to that comfort level so there's some thrashing about you know in different directions until you get there but you know that's all just part of growth and I think mentorship is really helpful to to get to that understanding was there another question back yes

oh thanks

it sure so for anyone that couldn't hear it's a comment is about really understanding yourself where you are in your career being able to get forward in your career through but what would you say would be some of the key tenets well okay but let's just say what it isn't what it isn't is just technical skills alone so yeah interpersonal skills yeah business acumen communication skills yeah agreed but you know it does it's just an awareness that there's something else that we need to address in our careers besides our technical skills that's all and you know I doubt that it would be ninety percent of what we're doing but you know maybe it's ten percent maybe it's fifteen percent you

would know for yourself if you are doing this properly through a disciplined approach maybe you set up a monthly like one hour a month for you to look at your career where you are are you making new contacts different things you know with your own plan and then continually assessing it to find out are you on track or DD to Double Down it's in different areas but yeah that's good to know and you're right about companies not really having a track for technical people and so you end up getting either tap to move into management sometimes or you're just coming to work doing the same thing so that that is difficult i have seen some of the better companies

create a strategist role that is maybe a blend between what the business needs at the moment opportunities that they could seize you know combining that with some security concepts so okay good stuff

so you become the higher yeah on the back you can there is that's a good point you end up being a consultant anyway whether you're internal or external but the point is for those who couldn't hear that becoming a consultant can be a really good way of getting unstuck from that situation yeah

that's right yep well good so on the plan just some things to keep in mind would be have some short-term goals so maybe some middle term long term goals you know figure that out but you know think in terms of like a one-year two-year five-year 10-year plan it's going to be different for everyone but the other thing I like to encourage people to do is when you got your plan when you figure out what the heck you're doing in life and in this field the contributions are going to make and what your plan is what I recommend to people is to share that plan with their peers with their boss as many people as you can there's

no secret to it we all have this natural hesitation to share in the security area because someone might own us with that information or whatever but just put that aside for the moment you share that with someone else and unless you're a complete jerk they are going to want to try to help you you know people don't know how to help others unless they know where which areas they can help them in so sharing the plans a good idea from that standpoint but it's also good for them to tell you hey that's a bad idea let me let me tell you why and so you bounce it around a little bit and you you can benefit from their experience

all right so this right here is what i'm calling the career cone and if you so again sorry about the projector but what it is is it's a nice step over here so imagine that you know wherever you are your career and this is an example so let's say we're a complete newb when it comes to security so we start out as a newb and maybe our end goal maybe just maybe we know as a newb that eventually we want to be a CISO at the end okay so i am not advocating that everyone becomes CISOs or anything but this is an example so you throws and dude there's some positions in between that or kind

of natural an analyst maybe pen tester architect truth is you really don't know the path but you know we could be a czar security analyst certificate forensics and lettuce burger know some some somewhere in between there but the one thing as you're progressing you should be picking up a lot of different experiences along the way you can give a talk whether it's at work or BSides whatever you can write an article various projects that you can have to be placed on so all of these types of experiences along the way should benefit you by the time you are at that end state and some of these can be real accelerators for you so if you're a newb and you know you're going

to be a CISO what's wrong with studying information security leadership or how to manage a SOC and put together an article on that and get that published and you can refer to that waiting down the road and you are applying for that CISO job so here 50 developed hold us in your resume that you're going to make reference to a decade from now so you should be developing those bullets right now continuing on that so you have a long history of the top of experience type of connections that would be expected of someone in that role does that cone make any sense is anyone into lock-picking have you been to the lockpick village yet okay I'm a

big-time lock picker I love that stuff so another way I describe this cone you know so that's another way to think about it and sometimes you get a couple of pins just immediately you know so you can skip a few levels and you know if you're very skilled at what you do you can open that lock faster

next build your brand on this i would i would like to point out that there is a workshop going on across the hall someone that I know her name is Krista Pusateri and her workshop is called brainstorming your brand and I will at the end of the presentation I've added a link to her website where you can download that material so that you can go through it if you're interested in brand building but you already have a brand whether you know it or not the catch is to be conscious about what that brand is had that aura of like self awareness about what you're portraying to others whether you're in the boardroom or whether you're working in

the server room with one of your peers so how are you coming across to them and is it appropriate because you know I really don't think we should just be as authentic as we are I don't think we should I mean I wouldn't walk into a boardroom wearing a t-shirt and tennis shoes but I do think it's appropriate here and that's just a personal dress example but I think it is important to understand a situation that you're in and what the expectations are and try to meet and exceed those expectations so that being said you do need to be authentic and you need to leverage your what's special about you your your uniqueness and you know you still need

to do that we talked about getting published giving talks whether it's at BSides or elsewhere and meeting other people in the community that's all part of the building your brand and I also put a comment in here about developing a portfolio so I just got off the phone with someone this week that has a very active portfolio and what he's done is all of the articles that he's written and the Thompson he's been in the news he'll he'll just have links on his website kind of referring to that so it can be conveniently found for people that are looking for it and I thought that was a fun little idea that he had but you know

the key is you're doing a lot of great work and a lot of this can be fashioned in such a way to convey what you know and convey what you have done and so it's important that we do that and not be tempted to think that that's just bragging and you know just avoid doing that all together so begin to show the world your value and contributions and and it will pay off on building your network this is probably one of the most important things that I would recommend in our field I think that the relationships are everything especially in infosec so you know I like to look at am I continuously building my

network within the infosec field and meeting new people with new ideas and you know me personally on my plan I'm looking at how many new people am I meeting you know that's that's pretty critical for me and relationship that you're building that's very important so I also said helping others and marketing them marketing their skills is is a good way to achieve some level of reciprocity back you know so you know you help others even if it's not with the intention of them helping you back they will if you can introduce people to others you know Kevin that might sound familiar from from earlier but uh you know as an example I hate to put you on

the spot but you know you know Kevin I met Kevin out there and we were talking and everything someone kept walking by looked like she was looking for something and you know I I said hey what's your name and you know hey this is Kevin and we had a conversation about what each other does and you know but I think that's a some really good things to do is to build those relationships and nurture them over time touching base with the contacts yeah

yeah so I think that the point you're making is it's it's definitely good to have those relationships within the information technology area but also outside of IT is that what you're saying yeah I agree with that especially in the company there is a quote that I like to to give out as often as I can it's you can have everything in this life that you want if you will just help enough other people get what they want it's a Zig Ziglar quote but I really love that and I I think about that all the time having mentors and providing mentorship to others is is a fantastic way to build your network so think about that to the

final tip tip 5 taking deliberate action so this is not just willy-nilly taking action we're talking about very deliberate approach to improving your career and this can be done so you want to unleash the gifts that you have for the world in order to do that at all you're going to have to take some action otherwise it's just an idea it's in your head it's on a piece of paper in your office but if you're deliberate about it you can do some great things so you know experiment live a little take some risks and stay focused on doing that take advantage of the opportunities that come around I think you'll find a whole lot more opportunities happen and you start

developing some momentum when you start taking a deliberate approach to your career you know things just start happening and that momentum it just keeps going and going so take advantage of those opportunities that are sure to come and in the last little comment there don't wait or beg for permission from your boss or anyone else you know what you want to do and you need to go and do it and you know so you don't need to ask someone if if you should pursue your passion or do some research project that you're highly interested in you just go and do it so if there's any obstacles or entrenched hierarchies in your way I'd just encourage you to not be in the

habit of begging but be in the habit of taking action have a bias towards taking action yes that is tried and true the gentleman says it's always easier to ask for permission or for forgiveness instead of permission so yeah so don't ever give up on yourself we all go through ups and downs and you know continuing to move your career forward incrementally is it's going to be vital for you I've got a call to action I'd like to propose for you at this conference meet five people at BSides Orlando that you don't already know and so these five people exchange contact information with them and within the next seven days do something that helps them so if you started with five people

and you did something to help those five people what do you think is likely to happen you know I think that you'll find that there will be some fruits of that labor the fruits may be on their tree that's okay though right so this is the challenge this is the call to action for you so has anybody met five people already that they didn't know before the conference yeah okay good so I guess I would just be unfair and suggest that you meet another five but okay the other thing is volunteer to help at the next BSides or a conference in your related city you know try to volunteer to help the next BSides I think that'd be a really good

thing okay are there any questions at this point we've only got a few more minutes okay feel free to contact me I have put the brainstorming your brand link on this slide this is krista pusat aries location where she's going to have all of that material from that workshop uploaded for you to download so if you're interested in building your brand she's got a very in-depth presentation on that that she can share with you she's a happy to do that I've also put my contact information on there so if you would like to talk you know feel free to give me a call that's like literally my cell phone number so feel free to give me a call on my cell phone

I'd love to help you in any way possible I've also got my Twitter in there my email address so feel free to contact me at any time if you think that I can help or you just want to bounce some ideas off me I'd I just love talking to all you guys so all right anything else they have you stink I went to the wrong room all young kids were other presentation

you know what all those 19 year old really well I appreciate that you know fortunately we're videotaping this and my hope is that we can get the video tape online it's really tough in a BSides conference with the multiple tracks you know there's so so much there but uh no hopefully we can get that uploaded within the next couple of months and then it'll be available for them but yeah that's a good point thank you alright well I appreciate everyone appreciate BSides