
How to Plan for Your Security Career Advancement

BSides Charm · 2025 · 32:23 · 121 views · Published 2025-05
About this talk
A practical guide to intentional career progression in cybersecurity. The talk covers building mentorship relationships, developing leadership and communication skills, creating a visible professional brand, and aligning tactical moves—certifications, role changes, industry switches—with long-term career goals. Emphasis on taking ownership of your trajectory rather than hoping visibility and competence alone will drive advancement.
Original YouTube description
You can’t leave your next move to chance. If you want to advance in the industry, there are things you need to do early and others you will need to prepare for. In this session we’ll present the actions you will want to take to not only get the next promotion and pay raise but ensure you are on the right path for your career goals.

Wil Klusovsky is a cybersecurity executive with over 20 years of experience, having worked on “both sides of the table” as a client and consultant. More than half of his career was spent in consulting & managed security companies (MSP/MSSP/MDR) and value-added resellers (VARs). In that time, he’s driven most areas of the business from: pre-sales, GTM, channel, innovation, service delivery, product management, service development, product marketing, and a C-Level strategist. He is a partner & advisor to CISOs & CIOs. He is currently serving in Field CISO roles and advising security firms on their business and GTM strategy. He hosts a podcast (The Keyboard Samurai) which discusses the business of cybersecurity. Wil holds a Master's in InfoSec Management, a CISSP, CISM, CDPSE as well as executive certifications from Notre Dame & Wharton (U Penn).

Transcript [en]

[Music]

Okay. Hey everybody, how we doing? Welcome to your hero's journey. Planning your cyber security career. We have 20 minutes. I have a lot of stuff to get through. Normally I like to take questions as we go, but hold them to the end. Write them down if in case you forget. Um, but we are kicking off happy hour and I'm last. So, I'm happy to hang around and answer any more questions or find me out in the happy hour lobby. We can chat there as well, too. This is me. It's my LinkedIn. If you take pictures of me, post about this, tag me. I will be sure to comment on your posts. Why do you care if I comment on

your post? This is the hero's journey. For those of you who don't know, that is a storytelling mechanism. Let's consider this the prologue or the prelude. Your network, your brand is going to be key to you getting a job and growing your career. You need to be on there doing that. Now, there's whole classes and lots of people that will help you coach through that. Don't have time to go through it, but it's an important part. I wanted to make sure you got that. Also have a podcast called Keyboard Samurai where I talk about the business of cyber security. If you want to look at my resume, you can see all the cool stuff I've done. 25

years, lots of acronyms. Currently a field CISO. So, let's get into Oh, wait. Let me talk about that real quick. Um, what you want to shoot for in your career is you don't want to have to fill out a job application ever again. You want to have a group of people that you want to work with or want to work with you and companies that want to hire you. So the next time that you get ticked off or laid off, you can pick up the phone and say, "Hey, I'm available." And they go, "Great." The last, I don't know, most of the jobs I've had in my career, I've written the job description myself. So

that's what you want to aspire to. And that starts with your network. So the hero's journey, again, storytelling mechanism. Um, Star Wars, Lord of the Rings, all follow this very well. Um, we're going to assume that most of you here have already answered the call to adventure. You have a desire for fame, fortune, bad eyesight, sore backs, no sleep, all the stuff that comes with working in our industry. So, we're going to kind of focus on the last two-thirds from the threshold around to the end. The goal here being you want to know what that north star is. What is it like when I return home? What have I accomplished? So, that's a lot of what

we're going to talk about today. Understanding those trials and tribulations that are ahead of you so that you, one, move with direction and purpose and, two, um, maybe I mean things are going to happen but at least you kind of maybe have a little foresight to be aware of that and plan ahead. Now I'm going to assume nobody in this room had a space wizard with a laser sword come into your house and tell you you needed to join cyber security. So many of you may not have a mentor yet. So we're going to take a little half step back and just talk quickly about mentors. So, the purpose of mentor, everybody kind of should figure this out and know

what it is, but essentially they're going to help guide you. They should have been there and done that before. They're going to keep it real with you. They're going to call you out on your They're going to make sure that you're doing the right things, and they should have the skills that you want to develop as well. Now, there's a couple of ways you can find these. one, the organization you work for now may have a mentoring program. If so, go get involved in that. If they don't, or if you can't get involved in one of those for whatever silly reason, look to your direct manager, maybe their manager, a couple of managers to the

left and right of you, look around and find people who are doing what you aspire to do, and start to engage with them and see if they'll coach you a little bit. You do also want to start looking if you're planning that executive leadership. I want to grow and be a C-level someday. You do want to start finding those executives now and start building those relationships with them. Those are going to become your long-term mentors. They're going to be the ones that are going to help you time after time, role after role, negotiating, all of that great stuff. They're going to have a lot of information and stuff that they can share with you that's going to

be helpful. I will say this, if you don't have relationships with people like that today, hence LinkedIn network brand, do that stuff. Um, also, as you're looking for these individuals, if you especially do not have a working relationship with them, make sure that you do validate their credentials, that they do have the skills that you want to develop, they do understand the path that you want to take, and that they pass the vibe check, that you guys are going to get along well, be copacetic, and be able to help each other. When you do find those individuals, sit down, create a plan. It sounds weird and formal, but both sides get way more out of this if both sides know what they're

putting into it and what the expectations are when they are what they're going to pull out of it. So, we are all mentored up because uh you know, you can't blow up the death egg without Obie. So, what's next? You want to leave that moisture farm. You're staring up at the the sun's there and and poor Luke doesn't actually even know what's out there. He has no knowledge of the universe. So, this is my first question to everybody here. What do you even know about the industry besides your little silo, right? And then thinking about that, what is it do you want to do? Do you want to be a Jedi master and have a bunch of little

padawans following you around? Do you aspire to be an emperor and lead? Or maybe you just want to be a bounty hunter. Go uh Alabocaton. So thinking about all this and then side questing. Side questing is fun. There's nothing wrong with side questing, but do it with some purpose. You want to make sure that whatever you're doing on your side questing, it's going to contribute to your larger plan. So if you're going for experience, that's great. Experience points are going to help you level up, get new skills. If you're going and chasing after loot, what are you going to do with that loot? Are you going to use that loot to fund training for yourself, programs, education,

certifications, or are you just chasing the loot? I think anybody in here who's ever played an RPG game knows at a certain point just chasing loot gets really boring once you have enough money. And in our industry, it doesn't take very long to do that. Becoming a murder hobo is very, very boring. Okay, you eventually want to be part of a bigger plan and do something in with yourself and so that's where you want to go. So that's where we sit at with there. Know what you're doing. So now that we kind of have some ideas of what the plans ahead are, let's kind of get into some of the details specifically for what you came

for. This at the high level is kind of the buckets of what cyber security looks like in our industry. Right? Me as a CISO, these are the kind of things that I think about managing and dealing with day-to-day. Now, if you just want to be the best hacker in the world, that's all you want to do. That is great. That is fine. There's nothing wrong with that. You can go and be the Jason Bourne of hacking, right? You go out, you hack every day. Every day you get to work, you just up those skills and be happy about it. Understand, you will top out. What I mean by that is you'll kind of hit the highest level of your salary

at a certain point and it's going to be much sooner than those who are going to be looking to generalize or become a uh looking at that executive leadership path. And that's because the ceiling is just higher. So those of you looking for leadership wanting to um sit into those executive rooms, it's going to take you longer because you have to learn a whole lot more. So like I like to tell everybody, I know a whole little about a lot of things. I don't know a lot about any one thing and that just took 25 years. There's really no substitute for it. So those are the two aspects you think about from the working as a

specialist versus working as a generalist. Now there are organizations that will have technical leadership roles. So in this case you can kind of be the Jason Bourne but you're also going to have to have some thought leadership. You're going to have to understand the silo that you specialize in, how it impacts the other silos around you. Think of it as like being in a war room where they get every expert to solve a problem. You're going to be one of those experts that part of that's part of that conversation. So, a lot of times you can do that, but you don't have to worry about managing a P&L uh time sheets and you know, management and

promoting people and dealing with all that good stuff that that uh those of us working in leadership roles tend to have. Okay. So now we know what well you know what let me give you a little note here. Um regardless or definitely if you're looking at the generalist looking at excelling and becoming a leader I would say know what you want to do but be open to doing anything. Maybe not anything but be aware that the next opportunity may not be that direct line of progression that you have. You may not take your manager's job. You may be working in the SOC and there may be an opportunity to become the manager of the vulnerability team. That's an

opportunity that you can take. That will help you generalize. That will help you be advance up. So just be aware of that. Don't be too focused on your silos. So we have a character class. We have a backstory. Let's uh let's roll some stats. This is what you have to develop. Again, Jason Bourne's excluded. Um, well, there's a little bit of Jason Bourne stuff in here to kind of grow and round yourself out as a cyber security professional and advance up the business. Number one, whatever company you work for or if you're like me and you're in consulting and managed services, all of the companies that you serve, you need to understand how one, what is their mission and how do they

accomplish that? So, for most organizations, it will be some type of money that they're trying to make. They sell doodads, whatnot. For others, nonprofits and stuff, they'll have a specific mission. Understanding how that business operates is important. Understanding how they make decisions is critical. Some individual contributor may have a problem with the way that they do their job and it's like, man, this sucks. It takes an extra 15 minutes of my day, but the resolution may cost the business a million dollars and that's not justifiable. And a lot of times those who stay in contributor roles don't think about all of the bigger business things that have to happen. So you once you as you elevate

yourself into those higher roles, you're going to be dealing with things beyond just cyber security. It becomes about people and it becomes about the business. That's how they make decisions. Communication. You're going to have to translate technical information to non-technical people. That could be finance and HR, but that could also be other people in this room, other people in your industry. If you run a vulnerability program and you have to go talk to the GRC team, sure they know your job. They understand what you do. They should. But if you get down into the weeds and start talking about acronyms and processes and things that you use every day that they don't, you will lose them and then the conversation

will go nowhere. So you need to make sure that you are able to communicate that. Break things down Barney style. Um I think there's or yogaba for the younger group in here. Uh the next two, problem solving and critical thinking. These are the two things I personally look for and sort of trial the most when I'm uh looking to hire people. If you can find efficiencies in your team, improve business processes, that's one makes your team better, makes your job easier. Two, it shows that you have value beyond your technical skills. It shows that you're thinking about the business that you can you're thinking about solving problems. Solve problems as much as you can within the confines

of your job. Don't neglect your job and go find another problem to do. That will create iss or problem to solve. That will create issues. On the critical thinking front, you have to understand the hows and whys. Just knowing what buttons to push is not enough. You need to understand the reasoning behind it. We can teach anybody whats to push. It's the people who actually understand the underlying technology and why it works and functions the way it does that are going to bring value. And the more you do that, the more you will be able to continue to do that and bring in that knowledge of being able to critically think about different situations and

problems that you're brought and solve them. Collaboration. Look, you're going to have to work with people. That's it. Figure it out. That's all I'm really going to say about it. You just have to do it. Um, go to team building exercise. Presentation skills. This goes in line with the communication again with that technical translation. Yes, you have to be able to get up here on stage, learn how to speak. Um me for instance, I've worked at a lot of global organizations. When I do presentations where I know I'm speaking to people from all over the world, I speak much slower. I don't use as many idioms. There's certain things that you have to take into account. You need to know your

audience. That also goes for the data that you're going to give them. Again, vulnerability management team. You're giving a presentation to a bunch of executives. You are not going to be preventing presenting CVEs and criticality scores. You are going to need to bump that information up to maybe risk level, maybe not even that. You may just be the person in the room that validates, yeah, if this thing happens, it's going to cost us this much money. Like, so understanding your audience and the level of information that you have to give that is very, very important. Tact. It's consulting 101. You cannot walk into the client or your boss or whoever and tell them their baby is

ugly. As much as we want to, this is an industry of very smart people and it is very hard. I come across a lot of people who know the right way to do things. There is never one right way and people do things wrong a lot. But understanding how to have tact and deliver those sensitive messages shows that you understand how to deal with a sensitive situation. This is especially important where you are involved in something that is going to be part of a sale or a business deal or something big happening with the company. A lot of times security is part of those and again if you're working in consulting or managed services you you were very

sensitive to the fact of what you say you have to keep the client happy. So focus on that. Leadership, again, there's a lot that goes into leadership. There's lots of courses, lots of things you could take and learn. There's a couple things I just want to talk about and kind of uh express from my standpoint. When you become a manager, when you become a leader, you are no longer the smartest person in the room. It is not your job to be the technical expert. Your job is to go to meetings. Your job is to make sure your team has the resources they need to accomplish the mission that's been given to them. Your job is to go

talk to other departments and let them know what your team is doing and why it's important. Your job is to know your team and support them. In that vein itself, you should get to know every single person that reports to you. Now, there's a rule of seven that says you should only have seven employees. Sometimes you'll have more. But you can see how sometimes that gets harder. But the key takeaway I'm saying here is because people are motivated for different reasons. Learn those reasons. People want to be incented for different ways. Not everybody wants to get praised on an all hands company call. Some people would like a little extra pay. Some would like PTO. Some just want to

be left alone and don't want it. I know lots of people who are happy to give away the information and just get no credit for it at all. You have to treat all of those people as individuals. That's what being a leader is about and that's the hard part about the job. Okay. So, let's go ahead and move on to the last bit here before Q&A. You are going to have to open your mouth. The worst thing you can do if you want to advance and progress is to put your head down, do your work, and think, "If I do the best job, I'm going to get promoted. They're going to recognize me and it's going to

happen." Not how it works. Going back to branding, LinkedIn, all of that stuff. Um, this is sad to say, but it's true. Somebody who is visible and audible and competent will get the job over the best person sitting in the corner all day long. Not just because they're being visible. You think they're being braggarded or whatever. That's not that with you sitting there with your head down. You are literally signaling I am happy. I am excelling. I am doing great. So you need to go to your leadership. You need to go to your management. Say hey I want to do this. I want to progress here. These are the things that I'm looking for in my career. You should

have a career plan within the organization you're at and with your mentor or with yourself. Ideally, taking a look at other opportunities as well. How are you going to move along? What is that side questing going to give you? All of that good stuff. Ask for the things you want. The last part I'll say is explore open positions within your organization and not just the next level. Find those stretch goals or those stretch roles that exist. So, if you're in a supervisor position, maybe there's a senior manager position and you look at it and you think, "I can do that. I think I can." Go and ask. Don't just apply. This is the important part. Talk

to your leadership and say, "Hey, I saw this role open. I think I can do that." One of two things is going to happen. They're going to tell you, "No, you can't, and this is why." And then you will know the skills you need to develop to be considered for that role. You can put those on your plan, and you can execute that. Two, they'll say, "Yeah, go for it. Apply." And you'll get to experience that. You'll go through it. You may get it. Who knows? But if you don't, that process of interviewing is going to be very important because you're going to start to see the types of questions, the expectations that leadership has for the next role that

you are looking at. Because a lot of times, 99% of the time, the uh job description is not always going to um match what the hiring manager actually wants to do. So, with that said, I think you guys all should and gals should all have a hopefully I gave you a little bit of a a little plan for what your hero's journey would look like. It is officially happy hour.

So, I will take questions while drinking beer. Um, actually, so I had one I was formulating before you started on it. the idea of um skipping like that first level of management in that goal for leadership. Do you have any any maybe expan expansion on that thought because that is something important to me. I'm not interested in that. Sure. Yeah. So it really comes down to again these so depending on where you are in the organization. Um I would say the higher up you get the easier it is to skip. So, if you're like a director getting a VP job and skipping senior director, that's going to be a little different. Um, if you're in a supervisor position and you

want to jump to that senior manager position if it's in your direct line, it's going to be again based on one of the things that's great about having a good mentor and even for yourself like keeping a win journal. Uh, somebody I was talking to on LinkedIn mentioned this. Write down the tangible things you've done. write down the skills you have so that when you go to do that, you're like, "Well, no, look, you asked for these four bullet points. You said, "I need to be able to do this, this, and this, and I've done that. Look at this." Um, I don't think it's beyond that to do it. Um, it happens a lot when you job

hop, too. Um, and you're likely also, you're more likely to succeed in doing that again outside your silo. So that's the scenario of like if you're working on the GRC team but there and you're a supervisor there but there's a senior management position over at vulnerability that's going to be a little that's probably going to be easier than than jumping in again. And that's going to depend on your organization. Some are really really strict and silly like they actually have like every promotion is just x% blah blah blah. So not going that does that help? Okay.

go on LinkedIn. There's pretty much I will say as as somebody who creates cyber security and business content on LinkedIn, the majority of the content is focused at you. Um, most creators on LinkedIn are creating content to help people who want to get into this industry. There are a plethora of resources out there. Um, and I will admit, uh, it is the hardest thing. It's the hardest part is to get started, which is why I did a presentation on how to get promoted because that's easier. Go ahead. Yes. Question. How do we go about finding mentors maybe outside of our current organizations? I currently work for finance looking to pivot into information security. Our information

security team is in the UK don't really want to move there. Sure. How do I find some local? So there's a so there are paid sol there are people who like do paid mentorships. Um again be I would heavily vet that. The other thing I would do is I would look for individuals and again LinkedIn is really an amazing resource for this. Look for people who have done what you've done. I have I've hired in people from I hired a person who used to be a physical therapist, went and got a cyber security degree and then brought him into our organization because he has such great value. you knowing how what financial services looks like is going

to be a huge value-add because FSI is one of those areas where if I sit somebody down who's worked their whole career in healthcare at at a client site and they don't know FSI they're going to struggle especially when the client comes by and asks hey how do you done this other financial services clients and they're like I don't know I never worked with them before um so that's one thing I would say uh look that way can I add something yeah no please yes so uh that I found local.

Yeah. Find your groups.

Yeah. You're kind of in the same situation back there. like you're still you're trying to break into the industry. It's just different for you. The advantage you're going to have is that industry experience is going to be relevant. So the other part as you're looking for a role, find organizations that service financial services. So organizations that work with a lot of CPA firms do a lot of SOC 2 Type 2 stuff. That's a good entry point. There's a whole bunch of auditing firms who have whole cyber security teams that you don't even know about because they don't even need sales because the auditors go do things and then like boom more stuff happens and they just have

consultants. Yes, I have a question. So you mentioned that you got to write your own talk to me. So you want I want I like what am I interested in? I don't know how to go about that. So, that's a that's a specific conversation. We have to figure out what you want to do. Uh I will caution a couple things. Don't try to take on too much, right? Um I'm a habit of that because I like to um I don't I didn't mention this, but like in my career, I've worked in pretty much every department that exists in security. So, when I go to work for somewhere, it's like, "Oh, I know a lot about this and this and this." So, kind

of pick the things that are going to be helpful. And then again, going back to your path, what's your what's your your north star? what's the end of when you return home, what will you have achieved? And then think about, okay, what's the logical next step to get there? And what do I need? And I would probably fashion it that way. You want to make sure um I'm a big firm believer of job descriptions should be like five to 10 bullets max. And and those should all be like I'm going to when I go to work, I'm going to log into Tenable and run scans. I'm going to evaluate like don't make it oh collaborate with people. No. like put

five to 10 things down that you like every day you go to work and then what you do is you take five of those or we'll take 50% of those and be like this is stuff I can do today and then take the other 50% be like this is stuff I cannot do and I want to learn and then make that your job description once we have a mentor

so anybody anybody who signs up to mentor you should be pretty familiar with that process. Uh or maybe not. I um they should know what they're getting into. Uh and you can literally you can ChatGPT, Gemini. You can look and Google like again there'll be sort of frameworks. It's for me it's usually a simple one-page thing that says you know what do you want to do? What is it you're trying to do? How am I going to be able to help you? How often are we going to meet? You know are we going to have things like homework? It's really just about kind of you while I say it's formal and you need to write it down,

you don't need to show up with a sheet to fill out, have a meeting for an hour and take a bunch of notes and then both agree, yeah, this is going to work and then put it together. Yes, sir. So, going back to your slide of labor, what is your forecast of those divisions as it relates to the evolution of So as we go into So here's what AI what AI does is it makes us more efficient. It allows us to do the things we don't want to do. So if you think about the SOC, the more we can let AI do the tier one boring stuff, the more we get to focus on the cool things and

do threat hunting and detection and engineering and all that stuff. So blanket statement, that's kind of where it's going to happen. um within GRC it's helping with third-party risk managing you know dealing with all of the different um the question answer response all that it's kind of again managing the paperwork side of that you still need people in there to validate it and that's kind of generally where I see things going is we need we still need human in the loop for almost everything that we do um we are not at a stage where um look when we had SOAR when I did SOAR like a decade ago or maybe even longer like 15 years ago like we would write

code uh when the SIEM's like, hey, this is happening go ahead and change this rule in the firewall the number of clients that would actually do that was very low because at the end of the day when you automate things you have to know your business processes are right you have to have a high level of confidence in your detection machine learning whatever is going on that if you're going to make changes to the environment that are going to impact the end user it better be right so I Um, that's kind of where I see it. I don't know if that answers your question or not. Go ahead.

facilitate right.

Yeah. So, two things uh because you reminded me of something else that I think will answer his other question. My fear with AI is is it does some really cool things and it t it go back to the the the critical thinking and the problem solving. I can go to AI now and be like, "Hey, find this IOC in my environment." Like that's all I have to do. I just type those words in and it'll create the script. It knows I have these systems and blah blah blah and it will come back and find stuff and then yes, I can validate it. So, as a analyst, well, look man, I found the problem. I figured

out, but like do I understand what it just did? And could I do that without it? So, I think that's one of the risks we see. So, I'd say don't ever stop being curious. From the entry level standpoint, the foundational things are always going to matter. And I do see this as a we I see a lot of people who want to get into our industry, but don't want to learn the fundamentals. You need to understand networking and IT, you know, basic, you know, computerized stuff that we used uh foundationally, right? You need to have those foundations. Um, I think AI, we're still going to need those human in the loops. What's pro, and I'm just guessing, you

kind of put me on the spot. What's probably going to happen is those entry-level positions are going to make less money, but you're going to get the skill. So, you will probably have a more of an opportunity because there's less risk in hiring somebody who doesn't have the skills because we have AI. And I've seen some AIs, at least on the GRC side, that are pretty much one for one, like 99% it's going to do just as good of a job of routing out an assessment, but you got to get the data first, right? So, there's still always going to be, at least for now, until we're all in the matrix or the singularity. Um, there's

still going to be some human element needed to get the things in there. Oh, go ahead. Yes.

Are you at a financial ceiling or at a like is there is there a role above you that that exists

within your because of the organization you're in. Yeah, that's look um nobody works at the same place for 20 years. Nobody's getting a gold watch anymore. Like so

yeah. So, again, you're going to look at So, you want the the the good news is you're in the best position possible. You don't.

Um, so yeah, the good job, the the point being is um you're in the best position possible because you don't need that job. So that's the best time to find a job. So basically, you would look for that similar role or the next level. So if you're a director and you're looking for a VP role, then you have to start looking around. Again, your network is going to make that happen. I will somebody who's like going from director to VP is one of the hardest thing, let's just say this. Getting a VP title is one of the hardest things to do. without having a VP title. Getting a C title is very hard to do without having a C

title. Like at a certain point, that progression almost always happens naturally in the organization you're in or because you know other people who work at other places who know what your value is, what you can do. With that said, I have gone from C-level to director and got a very large pay raise. So titles are subjective. Does that help? And if you guys have specific questions, like seriously, like I'm happy to chat with you in the thing. Are you guys pissed off? Should we leave now? Okay. [Applause]