← All talks

HG - Cultivating Resilience: How to Succeed in a Role that Didn’t Exist

BSides Las Vegas52:1423 viewsPublished 2024-09Watch on YouTube ↗
About this talk
Hire Ground, Tue, Aug 6, 12:30 - Tue, Aug 6, 13:20 CDT Several times in my career, I took a job that was new, and often, on a new team at a young organization. While these opportunities have their benefits, the drawbacks can subsequently challenge growth trajectory within that organization. How do you advocate for the existence of the role while also executing in it? How do you identify the truly crucial stakeholders while being new to the organization? How do you balance breaking down siloes with navigating organizational dynamics. I will draw on my own personal experiences, as well as lessons from cognitive psychology, behavioral economics, and multiparty negotiation to share actionable takeaways for progressive professionals that either are or may soon be in a newly created role. People Munish Walther-Puri
Show transcript [en]

hi everybody um I like to not stand at the podium can you all hear me okay yes okay in the back though really can you hear me okay all right all right you can give me the wobbly head if not you be like man I can't hear you all right so very excited to be here I've been thinking about giving this talk for years and you know usually I don't know if you submit talks you submit talks yeah if you don't speak into the mic ah they can't record ah okay here I am at the podium so boring we're at every other conference now um so I've been thinking about giving this talk for years

because uh I I've had some really tough times I've learned some hard lessons and I felt like if I kept those to myself other people are learning those hard lessons on their own I don't say that with you know great pride I say with a lot of humility let me try and save people some pain every time I experience one of those I think Yep this is going to go in the talk so you are getting the first unvarnished version of this talk which is as much about the title of the talk how to succeed in a role that didn't exist as it is me trying to distill some hard-earned lessons from Mostly failures this is a talk mostly about distillation

of failures and it is really about resilience besides is the place I wanted to do it because this conference is about Community is about learning from each other and an effect is very much about this kind of resilience this kind of Storytelling so the first thing is who am I um when I think about such like an existential question who are you what do you do what have you done why are you here those are all like big existential questions but I'm going to try and answer those for you I'm going to answer them in reverse order because the I don't know why I'm here really or who I am but I'll tell you what I've

done I've worked in a lot of different domains of trying to help people and organizations understand uncertainty that's what I've done done a lot of different domains terrorism fraud geopolitics cyber investigations critical infrastructure supply chain I don't say that frodio I say that like it fans a variety I've worked on nuclear policy a lot of different areas which means I've been new a lot new to an industry new to a field unproven I'm here because as I said before I really want to share these hard-earned lessons with you in a way that I hope is very actionable for you either today or someday soon so who am I I'm one of you I'm someone who is focused on community uh

which is I assume why you all are here too I'm someone who cares about people I'm a relational person thank you and I'm someone who has only succeeded because other people have helped me all those domains I talked about I'm not experts in those domains and I entered into them not as experts the only reason I was able to do those jobs the only reason I was able to do a role that didn't exist before is because the community of people around me that I kind of joke but not really I'm not smart I know smart

people uh let's see if I can do this okay all right yes maybe no okay no worries yes haha all right so here's what we're going to cover what does it mean to have a new role I want to Define that very clearly and how do you identify it if you're interviewing for it or you might be in one and not even recognize that it's a new role second what are the likely pitfalls how do you manage those that's where I want to spend the bulk of the time and then what you must do early and how to learn quickly the end of this is unless you want to go through a very painful experience

like I have multiple times that's the dot dot dot that follows this so that is those are some core things and I'm not going to hide this I'm not one of those people that puts all the beautiful stuff and wonderful stuff at the end like all this is going to be pretty much UPF front so let's talk about what it means to have a new role um this is pretty I think I mean it's always true in technology and perhaps in cyber that there's something new but doesn't not feel like we're on the cusp of another new moment where there's going to be a bunch of newly minted AI experts right there's going to be a

bunch of new roles I don't say that being glib how many of you have seen those postings how many of you have been tempted to apply for those roles yeah you're like yeah man I'm an AI security person you bet so the first is you know what is does it mean to have a new role and how to identify it so I think the big are you getting the move ahead no okay just on mind all right here we go this is my favorite photo uh so lots of times you know it's like I think about this phrase unicorn unicorn something that puts it all together HR and recruiter PE recruiter folks will sometimes call it the purple

squirrel you ever heard that term before this is a a term that HR and recruiter folks use to describe you know all those bullets they know that they can't find somebody that has all those bullets they're not designing for that person they're designing for someone approximate that that's a purple squirrel unicorn so this to me is like oh no I I understand machine learning and models boom I'm an AI personnel and I think this isn't totally inaccurate but there is sometimes a moment where that didn't exist before so how do you genuinely figure out if it didn't exist before versus it's just an evolution of something there's three things I think about first where is that

organization in its maturity that doesn't mean the organization itself has to be mature that means where is organization in its maturity so it could be a Fortune 500 company but is finally at the place where it's recognizing the need for something it very often people think new roles are at new companies I don't think that's necessarily true at a at a startup I've worked at multiple startups at a startup there's a tendency to be like every R is new no one's ever had this before yeah well at that company sure because it's a new company but does anyone have this so the second thing is to figure out what is it at the intersection of almost always

guaranteed it's an intersection of at least two sometimes three things and the third I'll get to this a little bit more is you are going to ask the question need to ask the question and seek the answer why didn't this exist before why is it being created now what prompted that there's a lot of questions underneath that but that question over and over and over so the other title of this talk but I wasn't sure that it would make it through the review board because it was oh a too goofy was becoming a pirate unicorn cuz that's how I think about new roles uh a pirate unicorn supposes that there's a world of unicorns there's so many unicorns that

there can actually be a pirate unicorn thank you here are all the images of pirate unicorn that I love uh the middle one I think might be my favorite but I also like to be who you are uh so the the idea behind the pirate unicorn which is what I've kind of coined this new role like truly new role is it's fun it's exciting it's also a threat some people will see it the same way they viewed Pirates not cool but like they're here to steal your and they're going to use gorilla tactics to do it uh and they shouldn't trust you because you're going to take something from them and so I like the

idea of putting these two images together also at the very end of there's time tell you another kind of funny not really funny not haha funny but like what dring funny sory about pirate unicorn all right so I don't want to spend too much time on this but let's talk briefly what are the pros and cons of the pirate unicorn I would like this to be a bit interactive if we can even though I'm up here talking at you so I want you to take a minute 30 seconds just think of one thing that you think is great about being the pirate unicorn and one thing that sucks about being the pirate unicorn so just raise your hand I'm

going to call on you yell it out and I'll repeat yes you don't know what you don't know is that a pro or a con someone said yes I agree yes you don't know what you don't know okay yes you're only you're special and you're the only one pro or con only great special is pro you're the only one con there's no one to learn from I'll put a caveat on that there's no one to learn from there's no one to learn from at your organization which is why this matters this matters because there's other pirate unicorns out there all right any others yeah wide yes okay so there's wide open space in front of you but you don't really

know where the boundaries are I will cavey out a little bit or add a little bit and say it it looks wide open to you but it's claimed by everybody else they're like look at all this open space everyone's like who's that King running through our yard you're like it's me the pirate unicorn Galloping beautifully okay one more [Music]

yes okay this person could give this talk um they said you the pros you can lead the way con is you have to explain to everyone why you're there so that's my top basically there it is yay thank you all right enjoy the um so here that thank you yeah it was brief to the point okay so here's sort of distilled what's awesome what's terrible so what's awesome you're Innovative by your very existence oh my gosh you're new how Innovative like this wasn't here before so anything you do is innovative by virtue of the fact that it has not been done before I say that a little bit clip okay very good but you get my

point you're ready to partner with everybody everybody he's maybe ready to partner with you question mark but you're like yes totally I'll work with you absolutely I'd love to come learn about your team i' love to tell you what I do as soon as I figure it out like you're just none of those boundaries are really there it's impossible to fail no one knows what failure looks like no one knows what success looks like so what's terrible you know nothing and no one cares I'm being very this comes from a darker place just maybe like two days ago but the point is that you you don't know what you don't know and even including sometimes your boss

no one really is set up to be like I'm going to help you succeed because it's going to help me succeed like you're lucky if you come in with that but most times people are like okay no one knows who needs you and why this is really important this is really crucial I'll come back to this later but one of your most important tasks is to figure out who are your internal customers that's a very corporate way of saying who needs you and who do you need I would argue that in the first 90 days you should have a very clear map of that you develop hypotheses you test them you talk to people you roll out

different products ideas you float things you see ah yes that person needed it oh no that person it didn't change anything that person is saying things that I know that I'm going to do without me having asked them prompted them they need and why so the good thing here is that I would argue that the second bullet is really crucial for security and risk folks generally you should generally be doing this but in this role you have to otherwise you're just going to float you're not going to fail it's going to be worse you're going to float and it's impossible to succeed because no one has done it before so class half full half empty

some people are going to be like sky's the limit try anything and other people are going to be like yeah no one succeeded in that before uh can you remind me this talk is being recorded yes okay so uh I want to share some stories but I need to San them appropriately I worked at a large organization and at that large organization um it had been around for a couple hundred years and the group that I was in had been around for this many it was this many years old when I showed up and my organization within that large structure was already the pirate unicorn and I was I don't know the pirate unicorn on the pirate unicorn I

don't know the metaphor breaks down it it was really challenging to come in because that was new I was doing cyber risk and cyber defense for a city government this was at a time when people are like huh like what Municipal cyber security why would you why would you be doing that like are we paying for that aren taxes paying for that like shouldn't we be spending more on the fire department or whatever else so there is a lot more in the what's awesome and what's terrible and I don't mean to be I do mean to be why am I even saying that I do mean to be a little glib about the what's awesome

because it's going to be shiny and it's going to draw you to it so here I'm trying to pun intended ground you on the things that you might not realize later okay next piece is in nature generally speaking there are some exceptions I am not a biologist but I did read about this a little bit out of curiosity and then in preparation for this talk about how environments in nature respond to a new species and there's three General ways first is is some kind of threat predatory second is not predatory but displacement and the third is additive in my totally non-scientific review of like you know some of the research around this I didn't read

papers I read like case studies things that I could access with a little bit of generative AI to help a majority were the first two predatory threat or displacement read invasive invasive species so maybe they didn't you know uh take away something on the food chain but they displaced a bunch of space or something else so most environments view new as threats like we kind of valorize the pirate but if you're a shipping person like piracy is a huge huge problem for you they're taking away your hard-earned goods and currency right there's nothing sexy about it and so I say that with the calibration that you might be brought into a new role wait for it right after

that company has done layoffs right when someone was told we don't have a budget for that right after the initiative that they've been trying to put forward as a new evolutionary initiative not even revolutionary new evolutionary initiatives they were told yeah we just we don't have the support the real appetite to do something new right now and then the pirate unicorn shows up without knowing or needing to know anything about you or caring about you that person you can understand from a place of empathy is going to view you either as a threat or as an invasive species so personally the way I've dealt with this is two ways the first I call it out and I will talk to you in a little

bit about how to get the information so that you can put it forward in a way that is acceptable because I also tell you from a place of learning that I've tried to be self-effacing and people are like look at this dude thinking he's like the best and thinking that he knows our organization he just showed up so I'll give you kind of that more but the second way always always always with humor always always always for me with humor so I make light of the fact that my title is new and didn't exist or is really long or what is it before uh that no one did this before and I used to make jokes about AI now I can't because

it's actually happening um I would make jokes that I was like half a robot I was like a prototype like I would just stupid stuff but to let people know that I knew that I was new pun intended um at one of the organizations I was at not only so here's the the question that you need to keep in mind when you're having conversations meeting people we didn't need you before why do we need you now we didn't need you before why do we need you now by the way that loaded statement is not limited to roles I'm going to digress a little bit here most recently I've worked in software supply chain security software supply chain

security we didn't need that before why do we need it now don't we just like secure what developers do right like you can take almost anything zero trust like what AI security we didn't need it before like what you could take any relatively new thing that's been there in cyber security and then you're kind of caught on the back foot because you're explaining what is the consequence of not having it which is very difficult place to be counterfactual so I'm queuing something up here which is like all right well what do we say come back around to that but the most important orienting thing even if you get introduced with a bunch of fanfare and a press release and I

have gotten the introduction from the CEO to the executive team check out this new role Tada there still is most of the time it's going to be one of those two predatory invasive and it's unconscious and oh by the way it does not help if you're an underrepresented group there have been zero out of five times that I've done this where people like cool a person of color in this role to go back to the pirate unicorn like if we somehow figured out that the pirate unicorn was gay someone would be like oh man the gays are everywhere you know like it's like that comes in unconsciously that I got the role because I'm underrepresented because I'm

different or and I've had people intimate this like be explicit about it oh they had to create a role for you and I always respond one way yeah the other ones weren't hard enough that's why they had to create a new one remember I said at the beginning it's going to be the Nexus of two maybe three things so now let's talk about really a new role why are new roles created who creates them this is crucial I would argue again that security and risos should be doing this thinking about the organization Dynamics politics and organizational Capital so why are new worlds created a couple different reasons lots of times somebody's like yeah let's bring that

person in they're creating an around person which you would think is pretty cool and it is it can be but the challenge is the scaffolding is built around that individual or go when they step away it sort of collapses around them or people don't see the architectural design they just see it as like built around the profile of who that is so who creates them this is important I'm going to jump around a little bit these questions aren't totally linear so what prompted it why now who sponsored has the organization done this before there's a few slides in here I think I'm just going to be put a few slides in here that if you either have this role or you

think you might be looking at this role this is one of them take this these questions are ones that you need to figure out if you want to go into that role eyes wide open if you want to jump in figure it out as you you go cool good luck pirate unicorn but if you try and search some of the answers to these and this can happen in interviews it can happen in uh talking with people who have left the organization talking people at similar organizations so the one question I ask in interview it's kind of like a two-part question and this is early on when I get like the screening call Opportunity or that's the official

pathway unofficial pathway someone's like Hey we're thinking about doing this do you want to like I think you might be right for this I ask two questions join together it's that middle one what prompted this and why now so that reveals a lot it tells you how much they've thought about it it tells you what are the pain points that are coming in in advance and why now what is this moment what has happened because guaranteed how many of you have tried to hire someone before tried to get headcount right try and get headcount to hire someone you got to line everything up right and it's like now now it didn't work now no now and so

at large organizations this is the last one who sponsored it someone likely multiple people have spent organizational and political Capital to get that role to get that role created to create space for it to justify it if there's a job description to put it out there all of that figuring out who that is and why they did it is critical to your early success first go find them and introduce yourself I know that sounds silly because you're like of course I'm going to know them of course I'm going to know that you're there no hard lesson I learned here I assumed that everybody that I had interacted with had already had the introduction as to why I'm here

or that senior person had design designed or decided this so in the next role that I did that in I again with humility it's one of the key things I'm going to say humility and humor are going to get you a long way as a pirate unicorn so with humility I went to people and said oh so I I was talking to and I understood this is why they and sometimes they just say it they needed to build a threat intelligence capability that had this functioning and that's the experience that I have in one role um it was I didn't have as much cyber experience as I knew that as I assumed that they would

need in that particular domain I was up front with that all the way across I was like I not done 10 years of cloud security implementation or like managed hundreds of thousands of end points I not done that and this is one of those times that it reinforced I'm saying this to you with humility that being very open about my experience was crucial because they're like good yeah we're not looking for that I said okay well here's how I would approach this role I'm veering a little bit here into the interview process but it comes back around this because that's how I learn learned how the role came to be said here's how I had approached this role that was that

was basically the interview how would you do this well I think about it this way and I think I would do this first um these are the Frameworks that I would be drawing from these are the disciplines that I'm coming from and then okay fast forward got the job yay I learned that the person who had really pushed for that role was not in these conversations not in the interview process and had a completely different reason very valid one completely different reason for advocating for this so going to them when I found out who it was and I went to them I was going to be like I'm here like the person you were thinking

of it's me thank you so much and they were like you were not what I was expecting that's what they said uh the pause was a little longer um and I said oh tell me more well I'm here now like tell me why and I basically got the story of why they push for the creation of this role and it was very different than what I was told and sold so a little bit of a orange flag went off not yellow flag not red flag orange flag like under construction and I got to explore that a little bit and then more informed as I went there so what prompted it why now who sponsored it has the organization done this before

that's the other thing does the organization do this a lot do they create roles a lot do they create new roles are they spawning pirate unicorns all the time that's not a good thing or a bad thing but it is a telling thing if they do it a lot they better be good at it helping you succeed helping you figure out who talk to giving you some sort of here's what's new here's what's not okay our uh vaunted audience member over here talked about something needing to explain what you do here is a tenant I try and basically live by tell your story or someone else will why are you here remember invasive species that's the

default you need to show and explain and demonstrate probably repeatedly that you are there as an additive part of the ecosystem you're going to help the ecosystem flourish by your existence not threatening and so telling your story is not actually your story and the other thing I should put in here but it was too many words I thought for this have other people tell your story so hopefully you know some people coming to that organization but if not find some quick allies and give them a story that they can tell it's most impactful not when you tell it but when someone tells it when you're not in the room you're not going to be in a lot of

rooms in the beginning oh who's that that's the new director of X andx that's a new role to do Innovation and this they're going to do this this person hired them just a real quick and easy because what are people trying to do what are you trying to do when someone new comes in where do you fit in what are you whose team are you on are you going to help me should I be working with you are you going to be working for me are we going competing for the same things those are all the questions people are tilting around in their head so if you give them a quick like you are here

dot that's very helpful two other things about telling your story again hard lessons it's very very difficult to explain from a security perspective why absence of something is a problem or an intelligence perspective I've worked in organizations in one organization I was there to help thread together strands in geopolitical Risk terrorism fraud cyber investigations and this organization had whole teams dedicated to fraud and whole teams dedicated to investigations of which there were cyber investigations and terrorism was everywhere in the headlines the board was talking about it Executives were concerned about it and geopolitical risk is very hard for people to get their heads around but people were making decisions based on all of those things so when I say tell a story I

don't mean make some up I mean figure out what you're there to do so in that case adversaries our adversaries were exploiting each of those seams and this organization was dealing with them as they came in and in dealing with those silos there were seams my team's job was to close those find the blind spots because the way you look at analyze mitigate fraud very different than the way you think about cyber crime investigations know large financial institution they shouldn't be all of you were like what yep but they are and terrorism people didn't really care about fraud it's not particularly sexy terrorism oh my goodness okay what yes what do we need to do we have to connect

those two because the adversaries definitely work you're using credit card fraud to fund this it's really fast and guess where they were doing it on the dark web cyber crime like there was the there was the arc and it felt very clear but being able to tell that people were like oh okay got it and it it's not like that popped up immediately I took time to earn towards that so I'm going to talk about two or three other things and then I really want to get some questions and conversation going here and another one of my roles I knew that it didn't exist before and I knew that I was going to be met with

resistance this is another tenant everybody can and will tell you what wrong looks like but nobody can tell you what right looks like everybody's GNA like that doesn't work try that that's not going to work we tried that before that doesn't work here and so then your natural thing would be like oh cool what does work then like I don't know isn't that why you're here pirate unicorn so it took me the fifth time to figure out how to deal with this because I dealt with this like defensively I tried to persuade people um I try to convince them early on but look at my plan look at this beautiful PowerPoint I've built how about I come in and tell you

about what this thing is I started an organization I was working on critical infrastructure most people at the organization did not know what critical infrastructure does I was like well I'm gonna go on a like tour I'll come in and talk to you about critical infrastructure here's critical infrastructure and they were like that seems like a waste of time like I don't know what it is why is it important so my sincere advice is when you find yourself in a place where you think you're going to hear or you start to hear nope that's not going to work can't do that we've tried that before get aggressively curious ask people okay tell me why what

have you tried when did you try it and how did that work what did you learn push them two things are going to happen one a lot of people aren't going to actually have things that they tried it's just a feeling a perception and now you get to press that two you're going to find some people you know this most of the people who are the doers they're not the ones who are naysayers they're like yeah I tried that didn't work so eventually I find the like doer who actually tried the thing oh yeah we couldn't do it because um this thing the sort of budgetary thing was there this thing we had this technical hang up oh well is

that still here because we moved this I don't know I moved on to other projects wait a minute what it might actually work so you can build on other people's I won't even say failures previous tries that's how I found success and I did y'all I did I found success and I was always very open that it was like oh no I didn't come up with all this this was built on what that person did five years ago before this whole thing was even conceived of this was built on this they tried this two quarters ago but the budget wasn't there or I wasn't here or we just had that incident now we know how that's actually

going to go so when everyone tells you what wrong looks like and no one can tell you what right looks like get aggressively curious ask them what did you try how did you try it what did you learn figure out what assumptions they made see if you can take on those assumptions or test them again like seriously get scientific and then you can figure out if their experience their anecdotes their Insight their case studies their proof of concept can be used again there's a really good chance that it can there's a really good chance that it can so last couple things before I close with you know hopefully giving you something to really really sink into so

find the sponsor identify recruit bles I think I talked about the sponsor before who brought it in in multi-party negotiation um you will hear the term in business stakeholder stakeholder management stakeholder is really generic it's lots of different kinds of stakeholders so when you're designing top multiparty negotiation that strategy you map out the players you put them in three categories allies adversaries recruit bles it's funny because in cyber we just think adversaries we don't often think about allies think about our team maybe not like allies allies adversaries recruit bles so adversaries I don't need to tell you who those are how to I identify them allies I'm not going to spend time on them so I think you probably have a

sense recruiters so in one of my rules I did my best in all the early listening you got to know this team this team this team who did people whine about out on my team and who did I think wh about our team or didn't like our team and who did we need that intersection are the recres who can you bring over so this is delicate it's why it's later here I would argue if you aren't like a seasoned Navigator of organizational politics this is a good time to lean on your mentors and advisers but in that new role you're going to need to learn how to do this and this is to go talk to

the recruit and potentially recruit them there is one organization I was at I came up with the Stak holder map and without labeling them recruit bles I just put a question mark in that column I showed it to my boss and like that whole column he had the same reaction he was like they don't like it yes it's like hm do you think they talk to me I don't know you're new cool are you okay if I go talk to them can't hurt so I did and you know what I said hey I'm new here it's the best opener you ever mve to a new town New City new place come to a new conference how many of you is first time

at bsides cool oh my gosh amazing welcome you're sitting standing next to somebody easy it's my first conference have you been here before what are they going to say yes cool me too no great what should I know I did the same thing I'm new here surprise surprise sometimes people be like me too oh good so you don't have the world organizational and neither do I and if they weren't I would say tell me what I should know about my team most people were surprised by that they thought I was coming over to like prove something I'm part of the new team and the new role too I said no I have a new role remember I told you I

was very open about it new role just created and on that team what should I know about it what's the history between our teams woo now it's your turn can you be candid because if you person who I'm talking to don't take the opportunity to try and repair and mend these relationships that is now on you so that you don't know what you don't know I put that back on them I don't know what I should know help me understand it's us against the adversaries so what should I know so this goes back to the customers and stakeholders who's going to gain from this new role you might be surprised it's not going to be people

necessarily in the immediate orbit for example there's one role I came in and I was going to be speaking to the media and Industry and whatever else and no one had linked me up with the marketing people but I wonder the marketing people they're like what you're here great awesome can we talk to you can you help us and I was like yes help me understand this and but no one had thought to make that link no indictment of the organization but it just no one knew really what this role was going to be so they didn't know who was going to gain from it and then occasionally and it's a really wonderful thing you will find people who have been

waiting for you and sometimes you might be that person and a new rule comes in and you'll be like we've been waiting for you here's a stack of work and also can you help with this and oh you have that skill set oh great we've been waiting for you and then the last one ask this question and listen with empathy CU if you listen with your hackles right Ed then you will become an invasive species who wants and needs you to fail who needs you to fail in this new role it does not mean they're going to try and get you to fail but understanding that that's a potential recruitable and as well it will tell you

a ton about organizational Dynamics maybe that person used to be a pirate unicorn and they got this has happened I don't know why I'm saying maybe I sensed some part of the environment just like focus on me kind of like this I was like hey hey like that's how I felt like I was greeted all the time or people would say their name be like this person oh and I learned again aggressive curiosity empathy humility that that person used to be a pirate unicorn and it didn't work so they got put into this box man so they didn't want me to succeed because if I succeeded then what did that mean about them not about the

organization and the existence of at unicorns man what a humbling moment that was when I had that realization and it was months and I say months because maybe months isn't a long time but in this case it was a long time before I could talk to them about it because it was disclosed to me not in the best way finally had the opportunity and then that person became such a huge supporter guest who opened up their book of lessons and anecdotes and proof of Concepts and relationships and we became like a great teammate so I asked that question not to say spot the snipers who wants and needs you to fail but it will tell you a lot about

organizational dynamics that had nothing to do with that individual and everything to do about the environment that we were in okay so last thing I've heaped a bunch of things on you some questions thanks Manish kind of helpful I give you some very tactical advice and I have given this to many many people I take it myself one of the most crucial things in the new rule is figuring out what success is going to look like some organizations are terrible at defining success I don't mean just having kpis I mean measuring progress and again if it hasn't been done before how do we figure that out so here's the good news there's a lot of pirate unicorns out there awesome

if you're just walking this talk and hearing about pirate unicorns come on in there's a lot of pirate unicorns out there and you don't have to reinvent that so there's a book that I recommend to just about everybody I read it myself when I start a new job it's called The First 90 days and the focus of this is there's different models of what kind of role you're coming into startup a turnaround accelerator realignment sustaining success it's about diagnosing what you're coming into and building a learning agenda for your first 90 days now this book one caveat don't read it cover to cover it's a guide book it's a Choose Your Own Adventure sometimes you're going to come

up it's going to be one kind of thing you're going to focus on that another time I have reread reread this book every time I started new role and if you're a mentor by the way and you have proteges this is a great gift when they get that job here read this book A lot of the things I've talked about are captured in here not everything because it's not all the Nuance of the new role the stuff I was sharing with you but a lot of is captured in here otherwise I would have had to come up with this whole rubric but a lot of what I figured out and how to put together when I found

this book I was like oh yes I tried that but that's way better oh I did that but that's backed by research oh I did that but here's a proven example in business business not just security so I realize I am right up on time I didn't leave room for any questions we have a few minutes right for questions two three great sorry I meant to leave so much more time thank you pirate [Applause] unicorns okay cool if you have questions put your hands up I'm going to take a few at a time maybe we can put them together yes question say that again got it what if you're not new to the role and trying to restart things

other question

yeah oh good okay so you're hiring a pirate unicorn all right so restart and then hiring a pirate unicorn one other question

yeah like a new initiative kind

of yeah I'm going to repeat back the question that's I'm doing say it again if you want to you see yes got it okay got it okay so trying to create trying to create space for a pirate unicorn you've hired a pirate unicorn now how do you have them succeed and you're trying to restart something that's not necessarily a new role I would say okay I would say treat it like a new role you're going to find some people who are there but that same skepticism is going to be there I mean tilt heavier on the CU as an invasive species and a predator that's what I would say but all the things I put up there in terms of

talk about in terms of like curiosity and humility I think are really important um I would share the knowledge that you have that this is not new I understood that someone has tried to do this before what do you think are some of the key lessons that they learned or they should have learned or what do you wish they did earlier you know like come to the organization come to people with that in terms of yourself try and get all the materials anything what list were they on whose team were they on what function did they report to CU as much as you can understand about that previous role you can then calibrate the lessons that you

get from that that makes sense um these two so how do you set up someone for Success when you come in and how do you what are the next steps if you identified there's a Nexus of those needs so these two are connected figure out what the story is timing timing timing timing is key figure out what the story is and find people who are going to be there advocating for that person when they come in so it's the sponsor 100% someone's going to need to put down we're in Vegas someone's got to bankroll you someone's got to put down that political capital and that organizational Capital but then you need a bunch of people around who are going

to advocate for them get them into rooms be prepared to partner with them and be ready to to hear the the kind of story so that when they come in they don't have to do a lot of that communication oh yeah I heard about your rule you're going to be doing this you're on this team so it sounds weird but minimize as much of the newness as possible cuz then people are like okay the rule is new but that idea has been here or oh geez the senior person said that they from their standpoint they see a real pain point or we had this incident this thing happen people don't know that people don't know that's what

triggered this we had an audit we're under consent decree crowd strike whatever it is cool I want to be respectful of time I'm happy to answer some more questions I'm gonna I one more okay I can take one more question you got a burning one otherwise oh yeah right

here

r so many

of thank you I I'll just repeat briefly although it's a compliment I that means a lot uh person here as a consultant and said I do this kind of stuff every six months nine months and it could be used not just in a new role a new initiative just asking those questions and coming to the organization are very fruitful um I'm going to grab a mask and then Christen should I I'll I'll just step right outside over there happy to answer any questions quick plug at 3:00 today I'm going to be doing a workshop on how to read organizational culture from the outside in and I'd love for you to be there thank you so much

[Applause]

Related talks

51:51
Six Degrees of Domain Admin... - Andy Robbins, Will Schroeder, Rohan Vazarkar
BSides Las Vegas
32:48
G1234! - Cash in the Aisles: How Gift Cards are Easily Exploited - William Caput
BSides Las Vegas
33:48
How to Start a Cyber War: Lessons from Brussels – EU Cyber Warfare Exercises
BSides Las Vegas · 2018
54:33
BG - ATT&CKing the Status Quo: Improving Threat Intel and Cyber Defense with MITRE ATT&CK - Katie Ni
BSides Las Vegas
31:06
From Email Address to Phone Number: A New OSINT Approach
BSides Las Vegas · 2019
20:51
One OSINT Tool to Rule Them All
BSides Las Vegas · 2017