
Say Hi to the New Guy: How Diverse Backgrounds Can Mature Your Security Program

BSides Buffalo · 2022 · 49:11 · 48 views · Published 2022-06
Category: Career
Style: Talk
About this talk
In a sea of candidates, why should you consider hiring a teacher as a SOC analyst? In what world would you hire a salesperson as a pen tester? As the need for more holistic security professionals grows, the Infosec field has a unique opportunity to address security concerns by leveraging the unprecedented number of converts from seemingly unrelated fields. The bad guys will always continue to develop and evolve their techniques, so strategic organizations are finding success pulling from more diverse backgrounds. Fresh thinking and function-specific experience can help these diverse defenders protect data and the basic human right to security and privacy. Let’s talk about the influx of new blood, strategic positioning, and how qualified professionals from other industries can leverage their experiences to benefit your security team.

About the speaker: Ross Flynn

Ross is a husband, musician, escape room expert, and hot sauce connoisseur who happens to love his job as a Cybersecurity consultant. Prior to his career in Infosec, Ross was a family preservation counselor in the social services field where he helped families involved in the Child Welfare system identify strengths, develop healthy boundaries, and ensure a safe environment for their children. After a major career switch, he started down the path of ethical hacking, risk management, and business continuity. On a normal day you might find Ross performing a penetration test, conducting an incident response tabletop exercise, writing disaster recovery plans, or performing assessments.

Transcript

took the memory course i think it's what's happening one after one so i think we're good to get started um yeah so everyone thanks for coming in uh as you've probably already seen i'm doing uh say hi to the new guy how how non-traditional backgrounds can mature your security program when i talked to a couple people about this uh there one thought that was one of the forefronts that i heard from people is this is exclusionary so what i want to say is that this is not exclusive to guys it just rhymes with hi that's awesome um this was kind of birthed out of my experience being somebody that came from a non-traditional background and we'll

we'll talk a bit about what that looks like from me um is that you two okay actually can i get a portal hands who came from something they would deem a non-traditional background seminar i love that i love that and the other point that i want to make and it just flows in wow well this is that by no means do i say that non-traditional backgrounds add more value it's not the argument i'm trying to make more what i want to say is that traditionally we have not really looked into non-traditional backgrounds and that can be a slew of different backgrounds it could be depends on who you talk to but we haven't really looked at them and i

think we're missing out on a lot of good quality content and a lot of good quality candidates so i just want to present and why i think there is um there are a lot of good people out there and how we can support them how we best can position them so yeah those were two um two little bits i wanted to say before i started i'm gonna talk more about me than i normally do i don't really like to talk about myself a lot but i think it's particularly relevant for this talk um i'm a husband i put that first because uh my wife is one of the biggest drives for me getting into this field and i always

want to give her credit because she is awesome she's going to be a fifth grade teacher she's been teaching third grade and she's switching at the fifth this year so i'm super excited for her because she won't be getting the fifth grade um i'm a hot sauce connoisseur by that i mean i loved hot sauce so much that i went and made a hot sauce company so if i'm not doing something infosec related i'm probably doing something related to making bottling sealing selling hot sauce like my company is called maestro sauce co if you guys want to talk to me about afterwards i would love to talk to you about hot sauce i claim escape room expert because i've

done 20 of them and that's more than the average person i've successfully completed 18 so i got like a 90 percent uh i don't know if that makes me an expert but i'll take it and then i'm a musician i paid a good portion of my way at least some of my way through school playing music a couple different instruments some credentials about me um my background as you see i have a non-infosec history but i do have a crisis counseling degree and that's really where a lot of i would say a lot of my formative time was within crisis counseling certified ethical hacker certificate of cloud security knowledge some people care about the certs some people don't

but i put them up if if you are interested and then the more fun part is my non-infosec history and uh that's what people tend to find it interesting i was a dorm mom for a period which meant that i had 15 international high school students that i was responsible for 16. 15 were from china and one was from south korea so my role was to make sure they got off the bus after school they were doing their homework they you know everybody took off their shoes and everything they did what you might see as a parent role and then i started making dinner um made sure that they ate their dinner i helped them with

their homework afterwards make sure everybody got to bed on time and then let the next person come in so i did that for a while i spent a good period um where'd you do that at i did that in central pa and the altoona area so i started the one at saint francis of the south that was the one yeah uh there was a maybe it's the difference saint francis but it was saint francis and uh in altoona yeah no this is in hamburg okay okay that's funny yeah so same concept that was what i did i was a truck driver for moving companies for about four years throughout college and after i will put my moving numbers up against

anybody else in this room that i've done more moves than you and i will never want to do another one after that i was a logistics coordinator for a company called tough mudder and tough mudder if you're not familiar they do 10 mile mud runs and so my role was to go to site make sure that i worked with djs i worked with um the vendors made sure the event went off without a hitch so i did that for a while traveled across the country i went through to 40 states doing that and really really enjoyed my time what my actual degree was was for family counseling crisis counseling so my role was a family preservation

counselor what that means is that i would go into the home do in-home family counseling with the parents the kids any siblings we got most of our referrals from cys we got some from juvenile detention but my role was to assess the situation see if i could help the family develop boundaries and an appropriate living situation and if i couldn't do that then i made recommendations for foster care or for alternative living conditions and it was as you can imagine very emotionally taxing i saw a lot of things in that field that uh made me realize i don't want to be in that field for the long term so i did that for a while um

some family family issues had me moved back from the central pa area to pittsburgh which is where i'm born and raised and i decided i wanted to go into cyber security uh somebody said hey i can get you i can get you at least a foot in the door you're gonna have to do everything else but i can get you an interview so i said cool i can do something with computers i don't know anything about them at the time i couldn't install uh minecraft on my own computer i had to have my friends install it on my computer because i couldn't figure it out but i know i'm a problem solver i know that

i'm determined and i can figure it out so i started studying for the a plus because somebody said you should study for the a plus so i studied for the a plus and i failed the a plus but putting on my resume pending was enough for somebody to take a chance on me um and they said i see you're interested so they gave me an opportunity to start installing servers and workstations at the local library system it was a very short contract i did it for three months but in that time i was able to demonstrate some of my leadership abilities from my counseling role and my coordination roles um and then i moved i had an opportunity to

do an internship in cloud security so i did that and i worked as i'm sure many of you have very long days and i didn't get paid for those days but it was something that i could put on my resume until i got into a fortune 200 and i started cutting my teeth on their iam team just learning how how does active directory work how do i administer i can't just mixing up my words administer permissions in oracle or any other application um how do i go about doing that so i did that for a while i moved into internal audit then i moved into risk management um those are some of the the highlights of my infosec history but

that's how i got where i am now and onto what i currently do if my little thing works it looks like it doesn't oh no i think the battery died that's a bummer so what i do now is i'm a manager at a consulting firm i manage our risk advisory team we have a called echelon risk and cyber based out of the pittsburgh area but we have team members all across the country we have our offensive security team who are some of the most talented pen testers i've ever worked with those guys are teaching me something new every day and i dabble a bit on that side and do some of the pen tests but really my bread and

butter is the risk assessments and compliance on a normal day you might find me doing business continuity disaster recovery plans ir tabletops a lot of my bread and butter is risk assessments or compliance assessments so we work with cmmc hipaa glba pretty much you name it we we have experience in performing assessments and then our defensive team they do a lot of the engineering of hands-on keyboard doing the engineering of whatever security solution you need really um we do a lot of assessments on firewalls active directory security assessments there's a lot there's a lot and we're always learning something now all of that frequently gets wrapped up in our vciso service where we lay out a roadmap and you get the

breadth of everything we do for a year we talk through what you want to accomplish and uh move on from there so really love echelon really love my teammates there i can't say enough good things about them but we're going to move on to why you're actually here um for the uh non-traditional backgrounds and i think this is really relevant especially right now because we're seeing some unprecedented amounts of people that are making these transitions there are a ton of people like me and i sound like a lot of you that raise your hands that are coming from these non-traditional fields and they're going to keep coming we have more and more applicants that are

making a transition so we need to be prepared for that i think this also matters because we're in the infosec field i think we're underprepared for the coming years isc squared says that we have a 2.72 million person deficit in the cyber security workforce meaning that there are that many roles that we need to have filled with qualified people um and that we're going to need in that role in those roles i think this is also important because there's a lot of really great experience out there that's not being tapped right now we're looking at more traditional means there's a lot more out there than what we're looking at and we really need good people we need critical thinkers we need

leaders we need problem solvers we need troubleshooters because at the end of the day the tech the policies the processes they can all be taught but there are qualities that people have that have been developed over their time in other fields that you can't teach you know it's very difficult to teach problem solving or how to communicate with somebody those soft skills are so valuable and they can mature our programs by so much so as far as what we're going to do today we want to talk about the oh now you want to work that's cool we're going to talk about why people are switching careers what do non-traditional backgrounds offer what quality should we expect in

somebody that is coming from another field and then how do we support them excuse me so why the new blood i think there are a lot of reasons that are contributing to us getting more we'll call them new blood into the field um the first and obvious one is covid right it's been the last two and a half years that has taken over our lives two years i guess and it's changed everything remote work is now kind of the standard for a lot of organizations and if it's not we are at a place that you can go somewhere else and that's just the reality it's it's so interesting right now because i just put out a position a few weeks ago

for a consultant role i had 150 resumes in the first i think two days i can't tell you how many of them were one from a field outside of what i'm doing right now or outside of this but also how many of them when you start talking to them or you email them like i already accept another position people are moving quickly right now and it's it's hard to find people but from the other side you might find yourself in a position where i'm one of those 150 and i'm not getting a call back but why am i not getting it how can i be at the the top of that resume stack it's a

really weird place right now where it's not really anybody's market it's just kind of we're missing each other where there's a need we're not the person who needs it is not finding the right person and for that i don't have the one and only answer but i do think that we can uh we can start looking elsewhere um but the integration of work and life is another thing that i think is causing uh career transitions um people are seeing that we as an infosec i'd see wherever you define yourself you're working from home and there's good and bad to that a lot of people are working from home if you're not working from home you probably still have some

level of work you're taking home with you you're thinking about work you take your laptop your laptop home it's just becoming more normal that work and life are less divorced from each other and we just kind of have associated our lives as this is a portion of it good and bad to that um it makes a work-life balance much tougher for sure some of the societal changes that i've seen obviously they're calling it the great resignation um there were four million people that quit their jobs in november of last year just in november when when polled 50 of them said that they were going to be going to another field and that's why they were leaving

others some of them said it was they didn't feel respected at their jobs others said it was salary but 50 said they're going to another field and there's something about our field that is very attractive and we're going to talk about that so um yeah i think there are definitely things that are contributing um the biggest thing why are people coming to this field over other ones the obvious answer is because it's the best job in the world right at least according to google they googled this and i'm not kidding this is the screenshot it was number one information security analyst and i couldn't believe it not because i don't love my job but just how

uh how funny it was because i'm sure if you talk to some people they wouldn't feel that way but i think there are a lot of things that attract people to this field specifically one is just the accessibility of information you can go onto youtube you can sign up for udemy pluralsight tryhackme security blue team there are so many ways for you to learn right now and it's not like that in other fields if you want to learn coding if you want to work if you want to learn any type of dev if you want to learn red team blue team there's opportunities out there um for me it was professor messer on youtube and that was

like my first i watched a bunch of his courses while trying to get him to get through the comptia a plus and when i went on study for my my ceh i was going through i think i went through some udemy courses for that one but there's just so many opportunities and so many ways to learn where for someone like me if i was still in counseling my next role is i have to get my licensure i have to get a master's um there are many more steps that are a lot more financially impactful to me that are not going to produce the same results so i think the accessibility of information and the ability to be in some sense

credentialed showing hey look i might have this counseling degree but i also got my ceh or i got my oscp some people care like i said about certs in the beginning others don't i think regardless you have to have a level of respect for somebody that has gone the extra distance to put themselves out there and do something there's this perceived stability in this field which people keep hearing cyber they hear about ransomware on the news so they're like i want to get in on that because everyone's talking about it must be the next big thing and it kind of is uh maybe not the next big thing but it's not going anywhere i feel it's not going

anywhere so people think maybe uh maybe i can move into that field there's stability there's the projected growth we have a i think 28 projection projected growth through 2026. one of the things that i have found and you you might have seen the same is that this field is so interdisciplinary now where it's no longer just uh just firewalls or just your your siem or you know your soc team it's now touching risk risk management and your legal and compliance and your vendor relations touches everything so um some people come through associated work i've worked with a lot of people that said i worked in uh supply chain and then somebody came in and did an audit and talked to me

about all these third-party risks that i felt i never thought of and thought were awesome and then i started looking into them and now it turned into a grc love so i think people are seeing it from other fields and then of course it just sounds cool because it is cool and there are so many options there's just so much to choose from how can you ever be bored in this field when you can go into any of these buildings and this this map if you haven't seen it before continues to grow um every in every couple years henry jiang at uh diligent puts this out and it's just bigger every time and i look at this sometime and

think oh man i know these parts really well and i have no idea what the heck that is and it humbles me because because uh this this field if it's not humbling enough yeah i get humbled by this so i want to talk about what these non-traditional backgrounds can offer i will not make the argument that you should go out and hire a salesperson as your ciso that doesn't make sense what i will say is if you're looking for somebody that you want to invest in if you're looking for somebody that has shown drive that has shown these qualities we're going to talk about maybe hire a salesperson as an iam specialist

cool so what do they offer i think they offer a perspective a different view on things i think they offer a cultural impact which is not just are they going to fit in with the culture i think it's more than that and then there are certain qualities that i think you have to have i'm not going to say everybody is going to be a great speaker not everybody's going to be a a big problem solver the things we look for but i think there are certain qualities that they have to have to even get into this field and if they've shown an interest in their field they're going to have them so as far as perspective goes

i think the new blood brings valuable perspective to our efforts through as i said the problem solving their empathy for how others think and just new ways to tackle our problems now if if we are coming at issues with very traditional means and they're not working new blood is going to be able to help us look outside of ourselves help us think about things differently and look outside the box i love the uh if the only tool you have is a hammer it's tempting to treat everything as if it were a nail because i think that's what we do sometimes we just take these uh sops and this is how we've always done it and if somebody comes in and

shakes that up a bit it's not a bad thing um and i think they're able to have the perspective of the business we have this idea frequently i'm sure you've heard it of IT versus the business we need to stop thinking like that because we we're very much one organization whatever organization you're a part of uh it's one organization and it's too big anymore to think of it as just IT versus the business but they they do they bring they can bring the end user mentality maybe a project manager whatever their prior role was they're going to bring a different perspective from that and be able to speak to that if your tensions with your end user are

over why do you keep clicking this email they're gonna be able to say well because you haven't backed this up with a threat nobody has no for when i was an end user nobody really told us why this matters nobody told us there was a repercussion and if you can get inside their head now they're able to add some insight and they're able to add some background and context to what your efforts are i think culturally as i said before we can't just look at do they fit the culture because i think culture is one of the most important parts of a thriving organization when i'm hiring it's one of the things that i look for the absolute most is

this person going to fit but not only are they going to fit i want them to improve my culture because my culture is great as it is but i know there's room for improvements so i'm looking for somebody that is going to be able to come in and not be afraid to tell me i don't like that this is run this way or i think we can run this a different way so i think somebody that comes from outside is going to be able to we should be looking for them to improve our culture as we said they're going to have a culture impact on their perspective i think the learning culture it's easy to get stagnant sometimes

when you bring someone in that was so excited last night because they got their first uh their first wireless card they could they could go into promiscuous mode and they tried hacking their own wi-fi like that kind of excitement is so hard to not get other people excited about right i get excited when someone else is telling me about whatever new tool they're they're learning whatever osint technology it was or osint technique i get thrilled and so it sparks a fire in me it still sparks a spark some emotion to me to get to get my butt in gear and keep learning because we need to stay up to date i think it's also easy

to not be proving ourselves in a more traditional sense so like taking classes going through courses which somebody that is coming from the outside without a lot of experience is going to be naturally doing this because i promise you they're going to have imposter syndrome and they're going to want to do everything they can to prove that they're not a liability because that's how i felt and that's how almost everybody i've spoken to that has moved to this field has felt at some point i don't want to be a liability to the company i want to be a value add i want to be able to support the team and i'm going to go above and

beyond to show them that i can do that so um by doing that they're taking courses they're going through like i said youtube videos whatever it may be and um yeah they're uh they are they are encouraging us to do it alongside them and then uh some of their methods are going to be cool one of the they're going to bring good and bad habits that was something i want to call out on here we can't be afraid to tell somebody just because you're new or we want to be sensitive to um to your experience we also can't just stop operations right so um we ought to be willing to have uncomfortable conversations and say this

isn't how we do this or this is why we do this rather not so much this isn't what we do but this is why we do this and have an explanation um but as far as like tools and tactics there was a guy that i worked with in audit and he uh he came from i wanna say he came from supply chain and i was working in internal audit and i was doing a active user review so i wanted to see or terminated user review i want to see when these users were terminated if it wasn't within you know 24 hours of their hr termination date all that fun stuff for sox and the uh

he came and showed me a vlookup that i had never seen in an excel spreadsheet that he had used in his supply chain role and that thing just made my life so much easier like i was familiar with vlookup but he brought this over i was like this just makes everything so much quicker i got hours of my day back testing these uh terminated users because this guy who came from a totally unrelated field brought something really valuable so i think they're going to have the ability to bring those types of tools or any other tools we may not be may not think of we talked a bit earlier about qualities um i can't say that every person is going

to be a good speaker i can't say that every person is going to be the the leader but i think there are certain qualities that anybody that's going to try to come into this field has to have and i'll show you why i think perseverance is a must if they have gotten to this point having heard no i guarantee they've heard no before and they've still continued they're gonna have to have perseverance they're gonna have to have discipline the majority of these people are working nine to five somewhere else they or they're working part-time somewhere else you have to have a level of commitment and discipline to be able to do any type of learning outside of

your already nine to five life not even including kids or families or anything else i have immense respect for somebody that is willing to learn outside of their their normal jobs it also costs self-investment you're probably paying for courses like udemy or i i paid for my first ceh course or whenever i took the ceh course i paid for that as a show of self-investment on myself and i was already in the company they just wouldn't pay for it um but yeah i mean i saved up for it and paid for it because i wanted to show myself that i'm really in it and i'm in this field for the long haul um

so last year you may have seen it there was a song that came out called face off with the rock and um tech n9ne and i can't remember who else was on but the rock's whole verse it was the first time we've been on on a rap song and it became this big meme so he starts it off with it's about drive it's about power and that's why i put the picture of the rock there because it's iconic but they have to have drive right continually motivating themselves because motivation is not always going to come extrinsically they have to have something that motivates them something that is going to keep them driving even if they have heard like i said no before

and then humility because imposter syndrome is already rampant in this field and they are say we are some of the biggest offenders i talk to people that are industry vets 20 plus years 30 years and they came from something on the lake they still feel like they don't know anything what i was saying wrong way before this gives me imposter syndrome like nothing else like i already feel like i don't i frequently feel like i know my things very well and i know other things pretty well this just makes me think i know nothing no wrong way wrong way um so some questions whether you're if you're interviewing if you're talking to people that might be

interested in this field i think there are some questions we need to ask ourselves and we need to ask uh prospects things to ask them is what drew you to the field why are you interested in this for me i mentioned a bit before it was wi-fi hacking was the first thing that really drew me into cyber security specifically or infosec specifically i knew i wanted to be on on this end but i didn't really have a driving interest until i had heard that wi-fi could be hacked i was like i don't know how that works but let me google it and they said well you need to use aircrack and i said okay how

do i install aircrack on windows as the chuckles say you don't do that um so i learned about this thing called linux and i had no idea what linux was but piece by piece i started and when i learned a term that i didn't know i started looking at the next term and looking at the next term and slowly things started to make sense um i think people that are moving from other fields are going to have something to do with them here so talk to them about it ask them why they want to come here what do they do outside of work we talked a bit about um i think these are pretty correlated what's your personal

investment i mean what do you do outside if you're somebody that's out that's trying to get into the field now are you invested in a community are you going to your local meetups do you have a local isaca chapter are you coming to events like bsides um this type of networking is so valuable to this field uh i've made friends today that you know i think we're going to connect other times um we're going to uh kathy knight talked about defcon you know we're going to connect to defcon and these are so important um if you're trying to get into this field go out and make friends go out and meet people i think it's it's one of the things that

will be the best thing you can do in your career and then if you're interviewing somebody um you should look for that you should look for how are they staying engaged look for what do they do on their own have they set up a raspberry pi cloud at their home or have they taken any a coding boot course bootcamp and then internally some things we can be asking ourselves are what sets them apart from other people from other candidates are they the excellent speaker i know one of the one of the transitions that's big right now is people coming from journalism into infosec because they're killer writers and they can if they know the concepts of bcdr they can write great

plans and they can write great policies and it just makes sense like i get that um so ask them like what's what's your bread and butter what do you feel like um you can ask them or yourself what sets them apart if you ask me what sets me apart is my ability to create trust with people from my counseling role uh i have some great conflict de-escalation um i can't tell you a more awkward conversation than telling a parent that i'm gonna recommend their child be removed from their house so now nothing makes me feel awkward ever dead silence nothing um yeah there's there's just nothing that has made me feel more awkward and so my

ability to speak with people my ability to build trust with people those are some of my i like to think shining qualities so um ask you can ask them you can ask uh look through while you're talking to them what sets them apart um see how they communicate even though that might not be their absolute strength you need a good communicator if you don't have somebody that can take constructive criticism that's something that you're going to end up having is you have to teach them you have to guide them so you need somebody that is willing to take constructive criticism and then again how are they going to affect the culture are they going to fit it um

improve it or what's the word for not improve detract yeah i like that oh it's not bee proof but that would be a good one uh improve it detract from it or just fit it [Applause] i had to google how to pronounce this but this is a phalanx formation and i grabbed this from 300. the point i want to make here is we don't need to change everything that we're doing to accommodate new new people i think that it is easy to hear what i'm saying and think well we got to baby them and we gotta you know make sure that everything's catered to them and that's not at all what i'm saying what i am saying is we need to work with

them strategically to help them fill gaps that we may not even know about and in this phalanx um formation all of the spartans hold the um shield i think it's the left and they're covering their their the next person over their weak side and i think that's what we can do if we strategically position these people we're going to find gaps we didn't even know about that these people are going to fill so let them play to their strengths figure out what their strengths are and put them in that role encourage them because they're going to have imposter syndrome like i said they're they're going to be working those extra hours trying to prove that

they should be here that they have a seat at the table so encourage them when they do something well and be honest with your constructive criticism give them honest feedback and let them know this was a miss and that's okay we're gonna work through it yeah um and then opportunities to learn are are a big one too they're already active learners give them any opportunity to learn let them run with something a couple practical examples uh me this one what's up how do you weed out quickly if they're coming in from money or important actually learn and just change that's a great question so the question was how do you weed out if they're coming in for money or because

they want to actually change careers i wish there was a hard fast answer to that i think if you can look for some of those things like i said um personal investment and interest outside of their normal jobs so you know for one example if you have somebody that is coming from a law background which seeing more people come from law into this no that might not be for money if you see somebody coming from another field then like i said ask them what are what's their interest why are they coming to it what have you done to show that you're interested in it um what have you done to show self-investment in it i think those are

pretty key questions i've worked for large corporations sometimes i see people in the field over different companies and i really question why they're in that role and what they're doing to me they don't seem to be uh contributing yeah it's a good part but i know they're getting paid i yep that there is some there's some absolute truth to that there are a lot of people in the field that treat this as a nine to five and there's um there is no real interest in it it's just just they went to school for it and now this is what they're doing and it starts at nine it ends at five i think that's fine i i'm not going to

be somebody that says you have to go do more if you work so that you can do the things you want when you're not working more power to you i think that's great i think there are other people that this is a big interest for them this is something they do outside of their nine to five and they really enjoy it and they're gonna thrive in the field because of that i think you are doing yourself a disservice if you're not at least sometimes going outside your comfort comfort zone go to a conference or two a year do something even if you don't love this field you should be trying to do something to make yourself uh at least stay current

we don't have the luxury of sitting back and waiting for answers to come for us come to us this field is ever changing so i think you're doing yourself a disservice if you don't at least go to a couple conferences or stay up to date but like i said if you just want to do this field to um to do what you want outside of work go for it i i will say you would not be my first choice because i want people that are very interested in this and i want people that are going to be up at 2 a.m trying to figure out what's happening you know not all the time but they have

that insatiable need to fix something or troubleshoot or they love a challenge so that's what i would say there are some people there again it's just gonna be a nine to five there are others that they they love this stuff and so trying to find somebody that is on the latter it's a big ask but i think some of those questions could lead you down that path so if you have a candidate who has that intrinsic motivation and staying up until 2am and whatnot and solving problems in that way do you find ways to effectively mentor them to bring in the entire onion of the soft skills they may lack or the things that may atrophy because of their focus

on the main mission yeah that's so a way to make sure that they are holistically still still um kind of learning on both fronts like their soft skill flexing those skills and learning the the uh technical skills like not pigeonholing themselves is that kind of what you're saying exciting yeah i think that's um that comes down to a management style for me i really look for people that want to like i said want to learn and somebody that is willing to take some guidance so if i see somebody that has put in the effort that they're showing they really love this i'm going to go out of my way because i value people that's part of my

counseling background is that i i really even more than i love this field i love people so i'm looking for ways to help others um what that looks like changes all the time when i was at my former role that i kept my counselor business card because people would come and talk to me and like shut my office door and we'd talk for a while and i was the the the counselor there you know so i still look for opportunities to help people however i can and a lot of times that's just kind of guiding and mentoring so i hope that answers what you were asking yeah cool um some practical examples of people that have made the transition like of

course i'm talking about me a lot i don't like talking about myself but uh i am the easiest one for me to talk about there are some others in my life and when i've presented this elsewhere people have stopped me afterwards and said hey i have a story for you i have a story for you here's my background BSides Knoxville a couple weeks ago a gentleman told me that he was a hard rock geologist before he came into this field and now he is a ic infrastructure manager somebody else told me he was a professional trombone player and now he leads a SOC um i have a friend who personal friend that we met at uh in a prior role

and he owned and operated a preschool and so in the evenings after he was all the kids went home he would get on uh TryHackMe and he would just work for hours and then in the morning he would get up and get ready and have kids at his preschool all day um but he knows how to run a business he knows uh the things that are the greater the greater uh picture in an organization now he just got moved to another company and he sees he's actually doing sales now because he sees the value and where his portion fits into the overall picture of the organization i went to a certification course a few

years ago and there were a couple other people that were coming from like tangentially associated fields but one was completely unrelated like what i would have said and he was a correctional officer at the county sheriff's office and somebody said know he worked his way up through the sheriff's office through via us he was the program director at the the prison or the sheriff's office and so he somebody said to him you probably know how the jail system works right i was like yeah i know that and you probably know what you need to put outside to make sure that nobody escapes yeah i know that they said you know there's a big field in compliance for physical

security it's like well what does that mean and so he went did this course um this course that we did was specific to ISO 27001 so we were like just hammering down on that and he started seeing the value and all of his physical security background things that were second nature to him were so foreign to everyone else and so now um he is a consultant he's a lead physical security consultant um and i think that's a really really cool one i one that i never would have thought of before we have somebody on my team that has uh a marketing and branding background and she's done a ton of um ton of the marketing from the social

media side and now she has used that in in our field she used that to communicate with other other people in infosec and she's built a following and through that following she's had great opportunities to talk to other people that are leaders in the field and she learns from them she's constantly i would say the cutting edge of new technology because she's learned the right way to talk to people one of the most valuable things i think you can have like i said is just how do you talk to people how do you build that trust quickly i think i've spoken about myself enough for you to see why i think my counseling background has been

beneficial but i could go on and on there are a lot of examples of people that have done this you guys are examples of people that have done this um i just think it's the coolest thing and i'm really excited to talk about it but in conclusion a couple things i just want to leave you with we really need well-rounded information security professionals we need people that are and i keep saying it the lifelong learners the critical thinkers the troubleshooters um we need them because the current workforce cannot match the need and we just don't have it right now we can bring these these people can bring really solid qualities things that you are going to look for in any candidate

you might have to invest in them a bit more early on but it's going to pay off in the long run i will tell you personally i remember the name of the person that took a chance on me at my uh my first security role and i text her or i will call her whenever i get a new promotion just say i want to thank you for taking a chance on me i have other friends in my life that i do that that with as well that were very influential um in my walk so whenever something big happens to me uh i i let them know because i'm eternally grateful for that um and i think that if you bring if you

take a chance on somebody that is in that boat you're going to have that same relationship and then the other thing is just we need to find the right candidates i don't want to leave you with every person coming from another field is going to be a great candidate because i don't think that's true i think there are ways to weed people out unfortunately not everybody is a gem but i think if we're asking the right questions we go into the right mindset then what we're looking for um we're going to set ourselves up for success any other questions

no oh what's up um i just had a question for motivating to like senior management so for like looking to hire someone or anything like that trying to convince them to say hey maybe we should develop this person internally that we already have or get someone kind of more green and get them into this role rather than what we're actually looking for what would you what types of conversations would you be looking for especially with managers to try and convince them or if i am that this is a better approach especially with the marketplace yeah these employees so the question was um what how would you go about convincing management to invest in somebody that's already in the

organization rather than looking outside and i think that's that's tough uh there are times when the need is so great in the moment that you're not gonna win that battle you know they want somebody experienced to come in immediately just jump right in and start running whether it's assessments or they want you to run whatever it may be they want someone right away my thought on that would be plan ahead start talking about what do we see the forecast for the rest of the year or the coming years and what roles do we think might need to be filled if we only have one senior engineer and they know everything a lot of smaller organizations has that one

guy that knows everything there's no redundancy for that we don't know if that person quits something happens to them we are screwed start having those conversations early and start investing i'm talking to them about the value of bringing that person in to get them to that point um another thing is people are leaving we talk about this like people are leaving left and right positions because it's tough to get a a raise right now unless you go somewhere else so if as hiring managers as people in management if you have the conversation of maybe we should bring somebody from this already on the team and bring them up to this this pay grade or this pay

rate i can tell you one that's a massive morale boost because that person is going to feel very appreciated and i think there's no greater currency in business than appreciation and gratitude if you can make somebody feel appreciated and valued then you'll give a friend for a very long time so um having that kind of mindset will be another thing i bring up to somebody in a management role did you have a question yeah first of all i like the questions that you brought out of how what questions should be asked of the interviewing of yourself um going past that if they choose to give someone a chance how can they support that person during

the onboarding process because they came from a different field everyone's going to be unique everyone's going to have different needs is there any kind of general approach that people can use to easily incorporate people into their organizations have you heard of a good onboarding process basically yeah so is there a question was is there an on good tips or good practices for bringing somebody from another field and encouraging them and supporting them uh while they're being onboarded i'm a fan of the buddy system um you know this person for me like i said i came into an IAM role which uh there's a lot of nuance there i wasn't a specialist that was a you know

uh essentially a help desk level but specifically for IAM and i did the buddy system i watched somebody else and i asked questions and if my my colleague didn't know the the right answer i'd ask of the uh the manager so if you are in a role where you have the ability to bring somebody in i would say utilize the buddy system um use the knowledge that's already there and have them learn from that and then i don't think it's a massive ask some of you may disagree to set up half an hour a week to talk with this person and see how are they do they have any questions about anything that's going just show a

level of investment if i haven't made it very clear i'm very people-centric so the more that you can uh you can focus on the person and how they fit into the organization and value them i think that's where you're going to get the best result thank you anything else cool well i am ross flynn like i said um you can email me there you can hit me up on twitter or you can introduce yourself with a firm handshake i like any of those but thank you so much for coming i really appreciate your time [Applause]