
Addressing Non-Linear InfoSec Career Paths

BSides Las Vegas 2019 · 30:48 · 183 views · Published 2019-10
About this talk
Sarah Young shares her own non-traditional route into information security — from service desk work and self-taught certifications to consulting and cloud security architecture — and uses it as a springboard to discuss diversity in InfoSec hiring. She examines the main pathways people take into the field, the pitfalls of token diversity hires and poorly written job descriptions, and what hiring managers can do to actually reach non-linear candidates.
Original YouTube description
HG - Addressing non-linear InfoSec career paths In Infosec - Sarah Young Hire Ground BSidesLV 2019 - Tuscany Hotel - Aug 06, 2019
Transcript [en]

Host: And so Sarah submitted this talk, and I thought it was great as a follow-up to Chris, because we keep hearing more and more about the nonlinear career paths, and she had a really great idea and background on this. So I'm going to turn it over to Sarah for her career path talk.

Sarah Young: OK, cool. Can everyone hear me? Yeah? Good. OK, so first up, totally feeling pressure because I don't have alcohol or fluffy toys to give out, but I do have stickers, and I have Clippy stickers, so that usually goes down well with everybody, so we'll go with that. But I want to say thank you for coming to my talk. I really appreciate it. It's really cool to be in Vegas. I've never been to Hacker Summer Camp before, so this is my first time. Yeah, and this is my talk about nonlinear career paths into InfoSec. I'm basically mostly going to tell you a little bit about me and how I came into InfoSec, because I wanted to share the story of how that happened, because mine is slightly non-standard, and I hope it will encourage other people who've done the same to share theirs.

Really quickly, who am I? I am an Azure Advanced Security Architecture Global Black Belt. That is genuinely my job title. You can think of that as what you will. I like it; obviously it means I can tell people I fight hackers, which is kind of cool. I don't. I'm solid blue team. I really don't fight anybody. But yep, I work for a small start-up called Microsoft, you may have heard of them, I don't know. And I'm based in Australia. I'm based in Melbourne, which is down here if you don't know where it is, so there's a quick geography lesson. I like to see if I've come the furthest when I come to conferences. I'm not sure I have; I'm sure someone's come further than me, but that was quite a long way away. And I also need to apologize, because my flight got canceled and delayed by like 12 hours, and so I came in very late last night, so I'm kind of dying a bit, so don't mind me.

Another really quick note of caution: I have a very common first name and a very common last name. You'll see Sarah Young the Christian author. This was her. I found her book when I was in Hawaii last year. I didn't buy it because it was $30 and I'm cheap, but I'm not religious, no offense intended to anybody who is, but I'm not, so it probably isn't worth it. And yeah, the other thing I can't put up on a slide if you Google my name is there's also Sarah Young the late-80s porn star. It's true, I'm not joking, so do Google that with caution. Or Bing. I've got to say Bing, right? Please Bing with caution. I work for Microsoft.

Um, and really quickly, I always cover this off when I'm in North America just because it's something I seem to get asked a lot, which is: this can kill you. This Australian animal can kill you. This funnel-web spider can kill you. This jellyfish can kill you. This crocodile will kill you. This really ripped kangaroo will also kill you. And I don't know, cockatoos drink beer, apparently. A lot of people ask me about living in Australia, and yes, it's true, everything in Australia is trying to kill you. So yeah, if you'd like to talk to me about that afterwards, please do. The reality is if you live in one of the big cities you never see any of these things, but there you go.

So, moving on to actually what I'm going to talk about today. I've probably wasted a good four, five minutes of my talk. I didn't have a standard start in IT. I don't have any tertiary qualifications in IT, but I've been working in IT and InfoSec for like the past ten years or so. So I want to do a couple of things with this talk, which was tell you my story about what I did and how I ended up in IT, and then also give you an insight into some research I've been doing about diversity in general. Now, I'll say right from the word go, my research is not scientific in any way, shape or form. It would not stand up to scientific methodology. It's based on me talking to people I know and colleagues, and my experiences in the very different workplaces that I've worked in. So don't ever come and talk to me about how scientific it is, because it's definitely not. But it is a snapshot, and I think we work in such a big industry, and there's so many different people and backgrounds, that it's always good to get these different snapshots. So yeah, that's what we're gonna look at.

And I also wanted to look at: is there a standard path into information security? You know, lots of people come in from lots of different places, and how do these diverse candidates that we have influence the workforce? And then on the other side of things, there's also the side of hiring managers. I don't know, is anybody here a hiring manager, or have hired people? Sweet. You know, and you're probably... well, no, in fact I definitely had a discussion about it with people already in here, that it's really, really difficult to hire diversely even if you try. There were challenges around that as well, so I just wanted to talk about that. I'm just one lady who's done a bit of research, so don't hold me to it. It's just a snapshot. Your experience may be different, and if it is, that's awesome, you should talk about it as well. Get up on stage and talk about it.

Anyway, so I love the fact that now I work for Microsoft I get to use the cute little Bit the Raccoon drawings. I'm actually not a dev advocate, I'm officially not allowed to use them, but whatever. OK, this I only decided to put in my slide like 15 minutes ago, but this is me when I was 10. It really is me. It's such an awful picture. My mum was supposed to send me a nicer picture and she didn't, so I had to get the one I had on my phone. But this is me when I was younger. I'm about ten in this picture. I was big into video games, I was big into computers. I managed to fix a printer when I was seven, very proud of myself, and my dad taught me to change config.sys and autoexec.bat in MS-DOS so I could change the processor interrupts on a game so I could actually get the sound card to work. I didn't really understand what I was doing, but I was copying him and I was smart. Oh, I thought I was smart.

What I used to do when it became obvious I was quite interested in video games, when the internet was in its infancy, I used to download some totally legitimate copies of Pokemon games onto an emulator, and I learned hexadecimal from altering the codes and using the built-in GameShark. That's how I learned hexadecimal. As we know, hexadecimal goes to 256. At that time we were on the second generation of Pokemon, so we could go to two hundred fifty-one, so all the variables were just in one line of code. And that's really cool that I actually know that, and I can tell you for a fact, if you look at Pokemon Gold, Silver or Crystal, that all the Pokemon are filled up, unsurprisingly, till slot 251, and then the next ones are empty and full of glitches. That's cool, I know. But that was kind of how I started messing around with hacking things and changing things, etc.

And when I went to high school, or secondary school in the UK, here's a picture of me. I literally couldn't find one again, so that's me with a vending machine, which is terrible, I know. I used to fill up the vending machine, it was my job when I was in the last two years of school, so that's why that picture exists. At school I actually didn't do IT. I was supposed to do IT, but I fell out with my IT teacher, because we were learning how to write websites, and we were writing HTML, really, really good HTML, very basic, but I wrote a website that said "we hate my neighbor". We were doing the other joke; we both wrote the same website. My IT teacher got to me, saw it, dragged me out of the room and told me that was the terrible thing about the internet, and that she was gonna kick me out of IT if I ever did something as terrible again. By the time we got back into the room, my friend, who had twigged on to what was going on, had changed hers to the "we love Sarah" website. And so, yeah, so I didn't do IT for a couple of years. That was purely because I fell out with my IT teacher and she threatened to kick me out.

Yeah, but I didn't want to commit to IT at degree level. So, university. Here's me graduating when I was 21, and I don't know if you can read that on the screen, but I actually graduated with a history degree, because that was the obvious choice for someone who was very technical. The reason I did history, my logic for doing history, was that I didn't have to commit to anything, and it was general, and it was solid academic, and it would be great, and I wasn't really committing, which was my main thing. However, it did become apparent in the first year of my degree that I really, really couldn't stand history, and I really didn't like my course mates, we didn't have a lot in common, and I basically spent most of my time messing around on the Internet. I mean, that's not different to any student ever, I know, but like, I spent a lot of time messing around with IT stuff. Anyway, I was gonna quit my degree and start again, but in the UK at this time they'd just changed the rules. I know this is very different to other places in the world, but it used to be in the UK that you would pay a thousand pounds a year for tuition fees, and they changed it, the first year I was in university, to three thousand pounds a year. And if I'd quit and started again, I would have had to pay three thousand pounds a year, and I didn't want to, so I just finished my history degree. Yeah, so that's why I ended up with one. I wasn't failing it, and, you know, I mean, my dad always said that if I'd actually turned up to any lessons I probably would have done better, and he's probably right, but there you go.

Then next I did a gap year. So this is me in New Zealand. I went and worked in a school. A gap year, I know in North America, is not so common, but if you're not familiar with the concept, essentially you're taking a year off, either before you go to university or afterwards, and go and work, or do something, or just travel, and it's really fun. Again, I'm basically not committing to doing anything. I actually signed up to do a law degree as well, a law course, when I got back, so I could be a lawyer, because I thought, I've done history, law sounds good. But when I was in New Zealand, 'cause I realized we're getting to the "why did you end up in IT, Sarah?", I actually ended up doing a lot of IT work, an awful lot of IT work, for the school. And when I came back from New Zealand I really missed it, wanted to go back, and the only way I could go back was to get skills, because my visa had run out, and I was told that if I did law, because law is very specific to country, I wouldn't be able to move with it. So I decided I would go back to IT, and that's literally the reason I ended up back in IT.

Because we can see here: how the heck did you end up in IT, Sarah? Because so far I've done nothing technical. I didn't do an internship. I want to stress as well, by the way, I'm not saying this is like a recommended path, but I haven't done it. I haven't done an internship. I have no tertiary qualifications. I haven't done any work experience. I did work experience in a cake shop. I really like cake, and genuinely I told them I was interested in hospitality, but really I just wanted to eat free cake for two weeks, and I did, it was great. And you can see I've been very career-focused my entire life. But I decided that I really wanted to go back to New Zealand, and to go back to New Zealand I needed to get a job in IT. So I got my first IT job. I worked on the service desk. I actually found a picture of me and my team from like a long time ago now. That's me and my team on the service desk. All I did was pick up the phone. I didn't know what I was doing. I remember a lady rung up and was like, "yeah, I need you to help me with my MPLS phone", and I was like, what? No idea what that is. And also now I actually know more about that, I'm like, what is an MPLS phone? It was VoIP, but I've never heard anyone legit refer to it as an MPLS phone. So there you go.

Anyway, I worked at this local IT company around the corner from my parents' house. We did managed [unclear], managed backups, and hosted things in the data center, which is where I learned to do hands and eyes. I did my Cisco CCNA, I did good old ITIL Foundation version three, and something called an SDA certificate, which is Service Desk [unclear], I have no idea what it is, it's probably expired now. But that's where I started off, and I talk to a lot of people, and even graduates, I mean, I was a graduate, remember, who say, "ah, you know, I need to do something more than an IT job, I shouldn't be on service desk, I should be doing more than that." But hey, that was where I started, and I really don't think there's any shame in starting on service desk. You learn so much stuff from working there, and you also learn how incident response works, etc.

I worked there for a couple of years, and then I got a place on the Accenture graduate scheme in London, which I was very lucky, and I'll point out to everybody here: pretty much every company I've worked for I have been rejected from at some point in the past. Accenture rejected me, EY rejected me. Yeah, pretty much every company I've worked for, well, maybe 60%, Microsoft have rejected me before for a job. So the other thing I really want to stress is that if you get rejected at some point, it doesn't mean you're rejected in the future, so do remember that, it's really, really important. Anyway, so I worked for Accenture in London. This is me at our training in Chicago. This was the first time I'd ever been abroad for work, and I'm like 22, 23 there, and I was super excited, because I thought this is very glam. Nowadays I travel for work literally all the time and have realized it's significantly less glamorous, but at the time I was very excited. Yeah, when I worked for Accenture I used to do a lot of infrastructure transformation. I got flown all around Europe. It was very, very hard work, really difficult, but I did learn a lot, it was great, and that's when I got a lot more technical.

And finally I had enough skills to go back to New Zealand, after about three years of doing that. So I went back to New Zealand. I got a job with Ernst & Young. They told me that I would be doing exactly the same things in New Zealand, but no, that was not true. And when I got to New Zealand they were like, "hey, we don't actually do what we said that you will do, and we don't really do that infrastructure stuff, but you're technical, right?" And I was like, yeah. And they're like, go work with security. And that's how I got into security, completely by accident, very lucky, because I realized in fact security was then just... this was 2014, so it was really, really picking up. It was starting to just go on the upward curve in terms of awareness, etc. And yeah, that's how I ended up in InfoSec. And then I worked for a bank, I worked for an AWS partner, hello, I do, yes, and I work for Microsoft. I should probably, hi Microsoft, even though you're not in the room, I should probably like wave at my current employer as well.

Yeah, so that is how I got into IT and how I got into security. I don't want to, like, I realize I want to say I overcame so much adversity; it isn't really true. I kind of stumbled around and was a little bit lucky. I did work really hard, particularly when I was doing the service desk job, because I had a massive gap in my knowledge, so I did a lot of technical certifications in my own time. So I realize, like, me kind of gliding through my career, this makes it a little bit more glamorous. I mean, I had my own lab in my bedroom doing my CCNA and stuff, so, you know, I don't want to make it sound super easy, because it's not. And as we all know, this is a continual learning thing to remain relevant in IT. I mean, now I do cloud and Azure, you know, the stuff I did ten years ago is almost completely irrelevant now. It's good for a background of knowledge, but one of the things that really strikes me about being in this industry is just how much we have to keep evolving. And in a way that's really, really great, because it means you're continually learning, etc. But particularly for people who are trying to enter the industry, like, the stuff that we know now, that we're dealing with now, in a few years will probably be obsolete. So if you can ride the right wave at the right time, it's a really good way to get into the industry, in my opinion. Anyway, again, one woman's opinion, it's all good.

So that's my story, and then I wanted to talk a little bit about some other paths into InfoSec. Now, I see there's the kind of four main routes in, which is tertiary training in information security, computer science or something similar in some kind of tertiary... I always say tertiary rather than university, because I know there's a lot of different university things, there's a lot of different other things that aren't necessarily university or college out there, so I'm trying to kind of encompass all of them, because I don't discriminate, I don't mind. A lot of us, of course, traditionally would transition from another part of IT, which is what I did. And then there's on-the-job training, like apprenticeships. I think these are still really the main routes into information security. They're not exclusive, but I think the proportions of where people are coming from have changed. Again, you may have seen different to me. I think this tertiary training in information security is very, very new. I mean, universities and higher education institutions have only really started offering them in maybe the last three or four years, definitely in my part of the world, definitely only the last couple of years. We're just seeing InfoSec graduates coming now, so like three or four years down the line from those original courses. Of course computer science, that's been around a long time, and so I still think a lot of people come in from there. People are still transitioning from another part of IT. And that on-the-job training, the apprenticeships, that's again quite new, but I think this trend with apprenticeships has been coming from really a lot of kind of a backlash from "everybody needs to go to university". And I don't think it's an IT-specific thing, but I think apprenticeships are really, really useful, and they do lend themselves to certain careers. I think IT is one of them, so it's definitely something we should be looking at.

But is there a standard pattern? Well, based on, again, my entirely non-scientific research, I would say maybe. I think in general the older you are... the longer you've been... I don't say the older you are, I mean the longer you've been in industry, the more experience you have. I just realized what I've written on a slide, oh my god. The less likely you are to have formal training in InfoSec, and that's just because it's only become really a specific focal point very recently in terms of training. We know now, if we remove the tertiary things, we've also got things like Security+, CCNA Cyber Ops; there's loads of brand new security qualifications popping up, loads of them, and that's only really recent, I think, and as I said, it's only become very formalized in the last few years. And I reckon, again based on the people I talk to, the things I've looked at, 50% of people in InfoSec come from a comp sci degree. That seems to be my completely non-scientific research, so take it for what you will.

But then let's look at the who and the what of diversity. So who in here considers themselves to have had a nonlinear path into InfoSec? Pretty much everyone. This is why it's so difficult to try and standardize this. That's great, loads of people do. I think we don't really truly have that kind of linear standard way in, and that's good, because it means we get lots of diverse people. There are so many real-life stories. I can't talk about any of them in detail just because of time, but these are some people I personally know. Like, a lady came from business continuity planning, which is kind of a decent segue, and a lady who was a nurse and retrained, and there's also accountants now. Accountants I always think of as the funniest ones to go into InfoSec. Now largely they go into GRC, but I know an accountant who went in as a pen tester, which is very different. Yeah, I know, I know, I got surprised faces, but there's all kinds of things you can do. I just wanted to put up an accountant picture 'cause it amuses me, because I worked for a Big Four. These are just a few of them. Like I said, I don't have time to go into them in a load of detail, but they're all great people. I know them personally, they're great people, they're great InfoSec people, and they got into InfoSec because someone gave them a chance. They'd done their own things, they'd done things online and in the community, but essentially still they needed someone to give them a chance to get their first foot in the door, and they're great people. So we need to do more of this, but it's hard.

And looking at the influences of these people, again, I don't know, I could go into this forever, but generally people and managers and teams would say that engagement is higher. This is stuff you probably already know, though: those teams make for diverse opinions, and that's a good thing, and it's a bit of a domino effect as well, as in when you start having more diverse teams, those teams become more attractive, and then you get even more diversity. I'll just say as a quick note, when I talk about diversity I often talk about gender diversity, just because that's my personal experience of that in IT. I realize that diversity has many facets, and so I am trying to be inclusive, but I might keep saying gender, so apologies, but that's just my personal experience. I mean, talking about my personal experience, having more ladies in the teams that I was working in is definitely a really good way to encourage more people to come in, because it takes a particular character of person to be the only woman, or gender-fluid, or whatever person in a team, and not everyone's got that personality. And that means that you might miss out on some really great people, because that shouldn't be a deciding factor on whether you take people in. I'm not saying I've got an answer for how to deal with this. I'm just kind of talking about it, because I just think we need to talk about it as much as we can, so we actually start to formalize some of this thinking.

On the other side of things, though, it's not always positive. I've had bad experiences. I'm sure plenty of people in here have as well. Like, the journey to diversity is not easy or straightforward. You can still have, even if you start introducing ladies, there's, um... like I said, I'm gonna say ladies, but again we're just talking about my experience. If you become the token female, that can make you not feel good as well. Like, no one wants to be the token diversity hire, so it's a really difficult thing to manage. And you can also end up with cliques. I mean, I had to put Mean Girls up there, 'cause, you know, yeah, I know, it's totally appropriate. Um, and again, so it's not just a case of, "oh, we've hired someone for diversity, now we can leave it." This is a constantly evolving thing. You need to be working on it, managers need to be working on it, and it's very slow, and you might take two steps back at some point. I know, even if you hire, like, say, a couple of women, if you've got kind of a strong, for want of a better word, bro dude culture, that's not just gonna get got rid of by hiring a couple of ladies. So it's bigger. I think that sometimes there's a danger, particularly maybe in larger organizations, that we're just ticking a box: "oh look, we've hired a lady, we've hired someone from some other kind of background." It's not good.

But to give them their due, looking at the hiring manager's perspective, like, where do you start to create more diverse teams? How do you start? And it's difficult, and traditional hiring processes, in particularly big organizations, lend themselves to accessing people through more traditional pathways, which aren't necessarily where you'll get these diverse candidates from, and these nonlinear candidates who've come from other places. And then, as I said before, you've got this danger of this token hire perspective. And so what do you do to access the right candidates? What do you do when they don't apply? I think sometimes positive discrimination isn't always effective. There's a couple of organizations I've worked for where you have to shortlist at least one female for a job, and if you're a manager and no female applies for the job, how can you do that? And also, again in a previous role, I know a manager had to shortlist a lady purely to tick the box that he'd shortlisted a lady, who didn't actually have the skills required, and, you know, that's not fair, it's a waste of time for both the organization and the actual individual. So again, I'm not saying I have answers to this, because in some ways positive discrimination is a good thing, but there are downsides to it, so I'm more just encouraging you to think about it.

And job descriptions still discriminate against nonlinear candidates. So, we know, I spent like an hour trying to find some of these examples, which clearly I couldn't find when I was writing these slides, but we know that you can have things like "junior InfoSec analyst requires 10 years' worth of experience". I mean, come on. So really think hard about your job descriptions and how you write them. I know that often, if you're a hiring manager, you're either getting a standard template or you're just doing a brain dump of everything you want. But we know that, particularly ladies, there's loads of research around women will only apply for jobs if they've got 90 to 95 percent of the qualifications, and dudes will do it at about 30. But I think there's two things: we need to encourage people coming from different backgrounds to be more confident, and also I think we need to be more mindful when we're writing these job descriptions, because we're kind of excluding people without even realizing it sometimes.

Um, I think I'm nearly done for time, so again, my conclusions, just a couple of things. Celebrate your nonlinear path to InfoSec. If you didn't come in in a standard way, which basically none of us did, make sure that you celebrate that. There's no shame. I have no computer degree. Everyone laughs when I tell them that, but I really don't. There isn't a standard path, I don't think. I think it will become more standardized, but, you know, and of course there's the obvious places to look, looking at universities, look at colleges, but this can't... maybe try to find some other people, and it might take more effort to find them. Hopefully that's going to change as we kind of progress this diversity thinking, but I don't think we're there yet. And diversity and breadth of experience makes teams more engaged. I haven't got to talk about this nearly as much as I wanted to, but hey. And don't forget that hiring in a diverse manner is hard and can take time. It really can. Like, this diversity thing is not going to fix itself really, really quickly. It's a journey for everybody, and I don't think anybody's got it right yet, so I think we're kind of all muddling through it together. It's a bit like DevOps, like, same thing, no one really understands how to do it properly. Yeah, I don't think so. So don't beat yourself up, keep going with it. I really encourage that, particularly for a manager who's had a load of diversity targets just thrown on them by upper management, because I think that's a difficult thing.

And that's me done. Did I click? Yes, I did. I've put up a couple of things. Microsoft is big on diversity in tech. It's not a plug for Microsoft, there's plenty of other things out there, but I put a couple of links up. I've got a ton of stickers and leaflets, feel free to come and get them. And thank you ever so much for listening to me. I've never done this talk before, and I'm horrifically jet-lagged, so I really appreciate you listening, and thank you very much.

[Applause]

Audience member: For the rest of [unclear], I'm one of those older workers that you referred to. I took my gap year after about 30 years in IT, so now you know. When I saw the title "nonlinear", that seemed to fit kind of where I'm at, and I wondered if you had any thoughts on people who are looking for not necessarily a hundred percent full-time career positions. It seems like your talk was more about getting into the InfoSec space from different starting points, but for someone who has been in IT for a while, has gone out now, you know, and is looking for some way to contribute still?

Sarah Young: That's a good question. I think there's a lot more focus, at least in larger organizations, but I think even smaller ones, on just, like, flexible working and part-time stuff. I guess it would depend precisely on what you were looking for. Like, I know a lot of companies, at least in Australia and New Zealand, they're really big on job shares and stuff. So if it's a job... because we know there are some jobs that don't really lend themselves to being part-time, I would say actually security possibly is one of them, depending on precisely the role, and a lot of companies are big on doing job shares now. One of the companies I used to work for, their head of security awareness, so a pretty senior role, is now a job share as well, so two ladies do it part-time. Yes, they both do it part-time, but it's the same role. So stuff like that. I think there's also... I'd say that big companies have more flexibility with that, but I also know that if you look at more boutique firms as well, if you could connect with them, they'd probably be able to have a discussion and see if there was something you could do. Again, I'm very much focused on my side of the world. I know kind of the States here is a little bit different, and the way employment laws are super different over here, like, you guys don't get two weeks' holiday, oh my god, paid leave, crazy. But I think there's such a shortage of workers that if you're qualified and you know what you're doing and you've got something to offer, I think as long as you present that in the right way there's definitely, like, a discussion you can have with people. But again, that probably comes down to, like, more networking and stuff as well, to get yourself in front of the right people.

[Applause]
