BSides CT 2017 - Alvin Fong / James McGovern Accelerating and Pivoting Your Security Career

BSides CT · 2017 · 56:36 · Published 2017-10
Category: Career
Style: Talk
About this talk
Slides available here: https://drive.google.com/open?id=0B3XA8Hgv0TgQNWJKdC1wazRZbE0

This talk is for folks either trying to identify paths into the InfoSec space, and for experienced security professionals trying to pivot and jump-start alternative security career paths. We'll map out different career paths and identify key skills for success, discuss how to build them, and resources you can take advantage of locally here in CT.
Transcript (en)

Let's get started with our next talk. I want to welcome Alvin Fong and James McGovern over here, who I think are both running OWASP right now. Let's welcome them and listen to their talk, Accelerating and Pivoting From Your Security Career.

Oh, not "from." Glad to be here. I've been back at BSides Connecticut a few years, presented here on honeypots, and so this is a little bit of a different topic. James and I are here to chat a little bit more about... so just to start out with the general disclaimer: if you guys are easily offended, hey, this may not be the talk for you. But with that introduction, James, do you want to introduce yourself?

I'm also a practicing Enterprise Architect, and the one thing I wanted to say about that is that information security people need to start shifting some of the blame to the enterprise architects in your organization, right? We can make fun of the latest breach; we all know about Struts, right? I'm not sure that security people knew about that particular vulnerability, but I'm 100% sure enterprise architects knew about that particular vulnerability and chose to do nothing about it. So let's try to figure out...

Well, I'm Alvin Fong, I'm a principal security architect at Lodestone Security. In the breaker, builder, defender world of OWASP I consider myself a breaker. I got my start in the federal sector doing vulnerability assessments and helping to

build out and do some research in the security operations center, moved over to the healthcare space for a bit where I got sunk into the risk and compliance side, said "bump that," then moved on to working at a large enterprise organization to help build up an AppSec team there, and now I'm back at Lodestone doing AppSec and penetration testing and vulnerability assessments.

OWASP is a 501(c)(3); the goal is to make software security visible. Many people are not necessarily aware of how to make informed decisions, because a lot of security is not visible to the naked eye. We have a challenge with ADD, specifically with executives who have attention deficit disorder, and we come

across a lot of the "I don't understand, and therefore it's not important," right? And OWASP is just one of the organizations trying to help make security visible, especially at the application layer. We're not-for-profit and do a lot of things to make things open source such that people can consume our work.

All right, so in putting this talk together, you know, there are a few things we want to hit on for folks: give a little bit of a lay of the land for the state of computer security employment, talk about kind of the pipeline problems and potential solutions, and then we kind of shift over to visualizing some career paths, talk about some common paths, technical and non-technical skills in those fields, a little bit about good industry-type fits for those folks that are maybe looking to explore different industries in the security profession, and then we take kind of this approach to it where we look at the career pipeline past, present and future. I mean,

hopefully we'll leave you guys with some of the learning resources and talk a little bit about the mentorship-type initiative we would love to kick off here in the Connecticut area. So you know, like I said, I think there's a little bit of everything for different folks in the room. You know, I'm not gonna read through everything here, but we have some things that hopefully folks will take away, whether they're in a hiring manager capacity or a manager that's in a hiring capacity, and if you are in that role, you know the distinction. Some tidbits for recruiters and HR areas, academic institutions that are looking to develop and enhance some of their

curricula, and obviously for folks in the room, for new and also experienced professionals. All right, so James, you want to talk a little bit about the state of cyber, computer security?

So we started with a few quotes which will help set the context of what we are looking at in terms of computer security going forward. So the first quote is: just 33 percent of Millennials use secure passwords for all of their company accounts, compared to 53 percent of baby boomers, right? So what does this signal to us? Right, we think about IDs and passwords a lot, right, and we worry about whether they're hashed using SHA-1 or MD5 or whatever, but we never really think

about eliminating passwords in their entirety. When we think about specifications such as the SAML specification, that specification for single sign-on has been in existence for 15 years, but we are still doing IDs and passwords. That's a marketplace reality. Breaches are becoming commonplace: 32% of companies say they were victims of cyber crime in 2016. We're not necessarily improving, we're not staying up to date, right, because we might be a breaker but not understand building. We're not necessarily working on that in terms of an ecosystem where we're procuring secure software; we allow people to come into our organizations, called outsourcing, and allow them to put in all sorts of testing backdoors, right? You got a problem here. We got to look at this

through a couple different lenses. Another quote: 87% of CIOs believe their security controls are failing to protect their business, right? Surprise, the number's not... but we can talk about that a little bit later. The critical question that we have to ask ourselves: what are we doing to build? We are really good about figuring out how to play with technology, right, but if people don't fundamentally trust that we are competent to secure the enterprise, are we really a profession? The human attack surface to reach 4 billion people by 2020, okay, very simple: Microsoft is estimating that by 2020 four billion people will be online, twice the number that are online now. The hackers smell blood. Now, not so loud,

right? So we're gonna have a big problem, not necessarily worried about cross-site scripting, SQL injection, firewalls, SSO, [inaudible], those types of things, right? We're gonna have a major social engineering problem coming up. How many people think in terms of: do local universities teach social engineering, right? You think you got a problem here, right? These are marketplace realities that we as professionals are not dealing with. Next, let's look at this. This is an interesting slide that I came across; it's an economic slide, it came from Berkeley, right, and it's about a survey of the victims in various regions, right. We try to get... 31 percent of people are

making, you know, changes to their security plan. Look at that 52%. What does that signal to us, right? Maybe that particular change might be due to something that happened, right? We are as a profession making ourselves too expensive. We've seen what happened to COBOL programmers throughout your lives, or anything: we're building up more and more security people, right, only to watch us be deflated. We have to deal with this particular problem, aligned with the marketplace reality.

So just to get everyone on the same page about security jobs: according to CyberSeek, this was a project that was funded by the National Institute of Standards and Technology, so according to them there's almost 300,000 computer security job

openings across the country and about three-quarters of a million folks employed as security professionals. So the neat thing, kind of, that I thought about this visual is, so when you click down on Connecticut, you know, you can kind of drill down on some of the state-by-state details, and I think Connecticut's pretty reflective of what we're seeing at the national level. You know, we're kind of going down that kind of peak on the security side in terms of, you know, the demand is so high nowadays. You know, there's a study here by dice.com where lead software security engineers are actually seeing some higher average salaries than CISOs. So it's interesting to kind of see the variation

here of the different security professions, you know, with CISOs or core computer security or, you know, those types of leadership roles. So how do we meet that demand, right? And so if you listen to the National Center for Education Statistics, they talk about how, you know, there's only about a hundred and seventy thousand STEM graduates that come out of, you know, college degrees and get jobs in the STEM area from the over four million high school students that kind of enter this pipeline.

If we look at these particular numbers, are we allowing, at this particular level, our superintendents, where people go to school to become art majors and ultimately end up working at

Starbucks, when instead they should be following the pipeline in current and adding value to a society in a way that allows your kids to make the money that we were talking about on prior slides? Many security professionals understand the growth of security within their organization and within the ecosystem at large, but as parents, are we bringing our kids to events like these? So if there's any moms or dads in the room that left their kids at home and they could have come here, shame on you. Another trip, right? So in other words, when we think about this particular thing, we have to figure out what the aptitude is that's going to call out the

people who make good security [professionals]. To give you an example, just to kind of close this up, right: you probably hear a lot of people talking about school climate, "let's all play nice." Imagine if we found a way for people to not play nice in the sandbox and we can leverage them to solve those social engineering challenges that we know are going to come up, because we can't keep depending on law, right? We're allowing our school systems, through various types of policies, to destroy our ability to be secure. Think about that for a minute.

So kind of, you know, as James kind of mentioned, when we look at Millennials overall, you know, this was a study done by Raytheon back in 2013: over 80% of the students there said they had no teacher or guidance counselor mention anything about a potential career in cybersecurity. That's actually one of the things, as we got a chance to interview folks to develop this presentation, we found out that, you know, folks didn't even know where you could get paid to hack into stuff from the security side. So you know, in that same population that was surveyed, only a quarter expressed a desire to pursue a computer science related field.

Here's the interesting thing: if the elected officials had understood Bob's presentation on threat modeling, we could have made something secure. When we thought about this in terms of Connecticut, how many people do you think in Connecticut understand threat modeling, or even come from an IT background, that are elected, right? How many state senators, how many state reps? Zero, right? So how do you think, if we're going to an ecosystem that's based on IT, we got 18 percent of them being elected and we've never communicated anything to them that makes any level of sense, right? This is why we have problems with voting, right. We can't even secure our voting systems, right, which is an issue that's bipartisan, [inaudible], and so it's not

about being Democrat or Republican. Yes, they argue it through different lenses, right, but fundamentally, has anyone ever shown an elected official, the person in the state of Connecticut that's responsible for buying and certifying voting machines, a threat model, right? You got some things that we have to connect up here, right? So let's try to figure out how to not only think about it in terms of current state but to figure out how we can help our children, Millennials, right, so that when we're leaving this to a future generation they can take over and make our world a better place. Let's make that a 15% [inaudible] security, yeah.

You know, we look at kind of the last

couple of years. I mentioned the first survey was done in 2013, and you know, some of the awareness is starting to increase, right. So you know, teachers mentioned security being a career option; you know, this past year it seems like 54% of the Millennials who were surveyed were aware of computer security as a profession. In that same survey about 40% reported that they knew what the job tasks of security professionals actually were. I have been in this industry for 10 years and I still don't know what those job tasks are, but maybe I should have surveyed the same folks Raytheon did, and that would have helped us put together this presentation.

So you know, one of the things to kind of point

out here, and I know the text is a little bit hard to read here, but on the left side you have... yeah, so this is a graph of all folks awarded bachelor's degrees from institutions between 2009 and 2010, and if you look at kind of that left side of the graph there's a section on computers, and it's less than 4% of all bachelor's degrees that are coming out. And so if we limit computer security to only those computer-related majors, you know, we're not getting that real diversity of perspectives and awareness at the collegiate level.

Absolutely. So for example, right here is a mention of law enforcement. Let's take medical devices, whether it's insulin pumps, blood pressure monitors,

pacemakers, right: all have had security breaches. How many people have confidence in their local police department, or State of Connecticut law enforcement, being able to detect when someone does an injection attack, right? We got a problem here, right? So there's other things that we can do to start connecting the dots in terms of the different majors on this particular side, right, whether it's public administration: we have to understand how to connect security principles into the FDA, right, because we got the FDA approving medical devices, right, without any security awareness, right. We can understand things like visual arts, right: maybe if you start coming up with visualizations for reports and new ways to visualize

information, we could start seeing certain threats and vulnerabilities to our ecosystem.

Yeah, you know, again, one of the things as we were interviewing different folks leading up to this talk was I had a great conversation with an individual that was leading the threat and malware organization, and he shared a story about actually one of the folks he just hired, non-technical background, came out of communications. Well, you know, what do you need from the communications domain related to security? Well, it turns out folks that are good at communicating and can speak multiple languages tend to have certain skill sets that are highly desired by certain government organizations that are

looking for potential threats in languages that, you know, as a primarily English-speaking country, we may not necessarily be exposed to. So I think that's just kind of one example where, you know, if we get some of this awareness out into these different kinds of majors... At one of our recent UConn sessions we challenged some of the students at the cybersecurity club there to pull in folks from the business school, the medical school, the law school, so that we can kind of get those security conversations going for some of those future business leaders and medical professionals. All right, James, how do we fix this?

Waiting to start a computing security career at a later age is the

wrong thing. I've already pointed out why I think school systems need to particularly change in terms of their thought processes. How many people are familiar with r00tz Asylum? It's kind of important to know that if you've ever heard of DEF CON as a hacking convention, they have what's called r00tz Asylum, and it's the DEF CON for kids. It's held in parallel, so there's the opportunity to learn from adults, and they're guided through learning [inaudible], or learning so that they understand social engineering, those types of things. Great vacation to take your kids on if you truly want to expose them to the real world. These are my two sons; they both went a couple of years ago,

participated in r00tz Asylum, and one of the really cool things that they do there is that they actually teach them how to break things. These guys found the bug in a Samsung TV, and they give out scholarships and things like that for the kids, so a great way to kind of connect that at a very early age. This year the United States [inaudible] realizes that they need to start teaching kids as well and started sponsoring many of the events there. There's a lot of events like that that are kind of occurring, and we have to figure out how to bring the same thing to children in Connecticut. In terms of academic institutions, right,

I think you've got the sense that we need interdisciplinary programs, right? If we are going to procure secure software, right, we need to make sure that people that understand finance, people that understand law, right... it's not just about us coding it anymore but making sure that the ecosystem is secure and that we can spread our goodness, our standards, our practices, in a legally sound framework. We need to include computer security courses in non-comp-sci degrees, and we need to have an environment where classes are taught by practitioners that actually do it, right. Security is one of those things that we can teach a lot around, but the best way to learn to, for example, [write] great software is [inaudible], so

let's make sure that we set up environments where we bring in the best and brightest practitioners and learn from them, right. We need to move beyond theory and get this into modern corporate environments. We need to revisit HR, okay: HR is fundamentally [inaudible], probably for a lot of different reasons, in terms of their way of thinking, all right. Got to drop the comp-sci degree requirement, we got to drop some of those certifications, right, and get like true talent, skills that are there, right. We have got to get people who can think like attackers. We need to establish non-technical security career tracks, yeah. You talk about things like visualization, but we can do that. Connecting the enterprise architecture

might be another track that we figure out how to connect those dots there, right. The ability to shift some of the more rudimentary testing like business logic flaws and holes to a quality assurance track, those types of things, right, because if we're not all doing security, right, none of us are doing security. So let's hopefully think about how we might... Cool.

You know, so as James mentioned, you know, let's try to open some of those doors up in our community and our ecosystem so that we can kind of start getting that more diverse pipeline into the security space. So you know, for those folks in the room either looking for a security job or looking to pivot

to some different domains, let's talk about some of those tracks. So I know there's a lot going on here, but, um, you know, I really liked this picture from Henry Jiang; he's one of the CISOs over at Oppenheimer & Company, and it really gives a nice visual and label of a variety of security disciplines. If you know a security discipline that is not reflected here, feel free to shout it out, you know, we'll get that added to the graph. And you know, it's not the complete taxonomy of all the different domains, but I think it does a really good job of trying to break it up into different domains, you know, that we'll

talk through in some of the coming slides.

All right, so one of the other things we wanted to kind of build into this, being kind of on the builder, breaker and defender kind of track, is to really think of a visual way to depict where some of these skill sets kind of overlap, right? And so depending on kind of where you are in your career, there's certain places where some of those technical security skills overlap, so you can easily try to pivot into some of those types of roles. So you know, one example might be vulnerability management; you know, we can kind of see it's along kind of the defender path that has kind of a breaker aspect to it, and so, you know, to

really understand those vulnerabilities to manage them, you do have to have a sharper kind of skill set around, you know, how do you exploit some of those vulnerabilities to really understand some of the impact of that. James, anything you wanted to add here? Cool.

So initially I went down this route of kind of using NIST 800-181 as a framework to provide a taxonomy of technical security skill sets. You know, not everyone necessarily has to use [inaudible], but it just was one of those few documents I kind of came across which really tried to do a holistic job at classifying all sorts of different types of technical skills, and

so next time you see yet another job req for a computer security analyst, you might be able to use this to kind of decipher and distill down what types of technical skills might be required. Typically, in this format they go to town and have 10,000 appendices for, you know, different knowledges and skills and abilities that are required, but again, it's a starting place for defining some of these more technical security skill sets that are needed today.

Absolutely. As we look at, right, we're starting to see things like blockchain, we're seeing Internet of Things, those types of technologies, right. Those occur outside of your organization, right, so focusing solely on the internals here is

good for us, but we have to stretch our imaginations such that we're dealing with the ecosystem going forward.

All right, and again, you know, one application of this framework is you can kind of start bucketing the different types of jobs, you know, either at the national level or in Connecticut, and I thought this was kind of an interesting visual way. You know, I guess in Connecticut we have more of a demand for, you know, folks focused on the analysis space; you know, I think that category switched around at the national level compared to protect and defend. So I mentioned some of the interviews I had conducted within our security community, and so what kind of came out of that

is some of these profiles for a common career path, mapped back to these more technical security skills as well as non-technical skills. So again, I know it's a pretty heavy slide here, but this would map back to the security governance track you saw in that big picture with all the pretty colors. This particular individual, you know, was kind of going down more of a senior manager type role in the vulnerability management space, and as we kind of talk through some of those technical skills, you can kind of see, you know, there's a lot of skill sets around some of those securely provisioning systems and devices. There's some amount, as their career progressed, in the oversee and

govern area around strategic planning and policy, and then, being in the vulnerability management space, a lot of focus on protect and defend types of skill sets. Some of the non-technical skills required for more of kind of a governance and management track: so, unsurprisingly, communication, communicating with stakeholders at a variety of different levels, you know, as you grow in responsibility and authority in an organization; being able to manage a group of people to achieve a security objective was also important; and ultimately a lot of what I heard through some of these interviews for folks going down the security governance track is also accountability, right, kind of seeing through different projects to get the organization to a more secure

state. Anything you want to add, James? Cool.

Shifting over to more of the security architecture track, again you'll see a lot of folks typically are spending a lot of time also, you know, still in that securely provision type skill set, but also complementing that with the operate and maintain aspect of it, the customer service and support kind of focus. And so when you think of architects and understanding requirements, understanding employees' and business and security leaders' needs, and, you know, working to develop solutions that fit their needs... You know, I think with some of these common career path tracks what you can do is, you know, I kind of had this vision building out to this where, you know, if you could kind of

go through your resume and pull out these technical skills and you built this picture, what would yours kind of look like, right? Because it could give you an indication of some career tracks that you could potentially pivot to. For folks that are just entering into security, I hope this gives you guys an idea of maybe some of those technical security skill sets that might make sense to focus on, you know, whether you want to be a security architect or someone doing penetration testing and so on and so forth. Any questions just on kind of how these slides are laid out? I know it makes super sense to me; when I reviewed it with my fiancée last night she said,

"What the heck is going on on this slide, Alvin?" So if you guys have questions, feel free to ask, you know, how this... you know, there's obviously all that behind kind of this framework, but hopefully this provides kind of a neat little visual package for folks to see some of those paths.

The third track here that I tried to build kind of a little profile for was focusing around security operations, and so a few of these individuals, you know, started off on the software side, got into the security side, and then kind of went down further, deeper into the reverse engineering side, and kind of reached this state as more of a group lead. And so, unsurprisingly, they spend a

lot of their time analyzing threats and exploits, in addition to, you know, categorizing risk in the securely provision areas, as well as building up the infrastructure and analysis infrastructure to support some of those analysis activities. You know, I'm sure you've noticed by now a common theme around communication: literally every interview I conducted, folks mentioned communication as one of those critical skill sets that only gets more focus and increases in importance as your security career matures.

All right, finally I want to lay out the risk assessment side, and unsurprisingly it starts with the risk management focus, but it also involves a lot of education and awareness and communication as you get more senior, especially with

executives, right, helping folks understand what the risk is and then also supporting you in mitigating it and programming around risk management. Similarly, you know, more in the computer security space, vulnerability assessment and those types of management skills become a pretty obvious focal skill set.

So you can't do a security talk on careers without answering the second most popular question, outside of "where do I start in security?": answering the question of certifications. So as part of that CyberSeek project, they also did kind of a supply and demand almost of all the different certifications. On the left is the national level, on the right is the Connecticut level; what's in orange is folks that

have those certifications, and what's in blue are openings requesting certification. So we talked a little bit about the HR job function earlier. What I'll share is every interview said certifications were important because the job reqs required it, and every individual also said once they got into that job those certifications provided little to zero value after obtaining it. So we got to fix this kind of certification thing that's going on here.

So one of the other things I wanted to do was spend a little bit of time talking about industry fits, and I know there's exceptions in every industry, and this is, you know, from my personal experience, you know, being in the federal space, healthcare, large enterprises and now consulting. I just want to share some of the observations of pros and cons of each, you know, different type of industry. I think the security research and consulting space gets you a lot of exposure to a variety of organizations as well as really sharp and talented individuals across a lot of different industries, and so for someone starting out in their career, you know, it could make a lot of sense to be part

of a security research organization or a consulting organization. Now, you know, like I mentioned, there's pros and cons of each. I can personally attest, on the consulting side, after doing three weeks of traveling, that is definitely a con in my book. But you know, one thing that was neat working in the defense industry was you really do get, yeah, you know, careers and use cases in the defense and government space that you really don't see anywhere else, right? So I'm sure you guys see a lot of news articles about Romania, Russia, China, etc. hacking the US. What do you think we're doing to them, right? So we talk about red teaming a lot in the private industry, but, you know, the

defense organizations just take it to a whole other level. And you know, for enterprises, right, if you're the type of individual that likes to focus on scaling problems, leading transformations, that's definitely a pretty hot space to consider. James? Cool.

All right, so shifting over to some of these career pipeline entry points, I wanted just to touch upon kind of how folks have gotten into security in the past, present, future, again not meaning for this to be in totality, but, you know, in a lot of interviews that we conducted, you know, it kind of makes sense: a lot of folks started out as system administrators, network administrators, software developers, you know, or they had

computer science or information systems type backgrounds, because, you know, in each one of those respective domains they had to have deep knowledge and expertise, so they kind of knew those systems or software code in and out, and those that had a curiosity about security were able to kind of use that as a launching pad into, you know, more full-time security focuses. I think nowadays what you see a lot of is kind of this risk flavoring: everyone's all about IT risk management. You know, we're getting more data, and as a result I think data scientists are kind of getting pulled into the loop here in terms of being able to say, "hey,

we feel like this is a high risk, why?" You know, and I think it's that good collaboration with folks with the more data science focus where you can answer some of those questions. We also have started to see an increase in careers and majors around, you know, bachelor's, master's, PhD programs that, you know, start off with computer security. Personally, I remember when I was going through college I had to take graduate courses, or I had to be a grad student, to take computer security courses at all, which actually is one of the reasons I jumped at an accelerated master's. But you know, the good thing nowadays, I think, is schools are kind of coming

around to starting to teach this at the undergrad level. So you know, that kind of shifts us into some of the more, you know, future kind of trends that are coming down the line. In terms of, you know, as we move from the present to the future, what sort of technologies, and what's going to be the security professional of the future? James, I don't know if you have some thoughts you wanted to share there.

beliefs of having that strong math Braille will help you with AI blockchain is a really interesting particularly use case in the sense that people aren't going to necessarily try to think about security solely through the Lindt of cryptography and whether they complete break in particular block in the chain but rather they're going to go after other aspects of it so if you look at the blockchain especially Bigpoint you'll see that no one's broke in the chain but people still figured out how to steal money and feel coins and those types of things right from wallets and other things in the ecosystem so as you guys start building out blockchain applications whether it's a policy administration claims ministration

billing, payment, that type of thing, the weakest link will not be the chain itself; it will be the things that hang on to it through that particular range. This is actually going to require threat modeling that is ecosystem-aware, and it's going to be critically important when we think about things like the Internet of Things, right? We're now going to have more devices that have an Internet address that are just automated than we are going to have that are human-controlled. Imagine a scenario where they could go down the turnpike and try to break into Eversource, right, or they can go after the best devices, all right, just have fun.

What does that sound like? It sounds like what OWASP would call anti-automation. If I were to ask security professionals, in terms of IoT, what's their defense for anti-automation, you know how many blanks there'd be, right? So there's some things that we need to do and start thinking about in that particular space, especially around IoT, going forward. Cool. So taking it back to some of the different computer security jobs, right, if you believe all the news, security spending is increasing, jobs are unfilled, damages are going over 9,000 bajillion, right? So it's a pretty rosy picture. In some of the research we were actually doing, you

know, from who came from this side, Cybersecurity Ventures, when you start looking into the data I would caution you guys: anytime you hear an article or something, look at the data sources. Some of these sites just literally have no data source, and it's really just clickbait, pushing out these articles to paint a picture focused on some agenda they're trying to accomplish. But everything is on the up-and-up, right? And it kind of made me think of, where have we seen this type of cycle before? And so on the graph on the left, this is a chart between 2000 and 2010 of jobs in

Silicon Valley. I'm sure a lot of folks in the room experienced going through that dot-com bubble explosion, right? So I feel like security is kind of here on the upswing and we're headed for that cliff, and in a similar way, on the right side is employment in computer and Silicon Valley high-tech businesses from 2000 to 2009. A lot of these legacy security jobs, or security jobs of the past, right, are probably going to get gutted immediately after we fall off that cliff. So what are some things that we can potentially do here, as we think about what the future's going to look like? So there's technologies coming out in this particular space that

are going to add business context to wallet such that they know what they're looking at. We need to have identity and access management that solves this federated problem; we've got to go deeper than that. We've got to start converging physical and logical, right? So imagine a scenario where someone in this particular bank is logging on in the parking lot, right? We don't tend to correlate those two things, but we should going forward. We've got to understand data governance. We move a lot to services, whatever, right, and we're not doing the basics of that very well either. To give you an example, many companies are building web services, microservices, those types of things. The vast majority of security departments will

of course open up the firewall to let all that traffic through. They'll help make sure there's strong identity, right, but they don't ever look at the payload. In web services you can do something as simple as xs:string, okay, which means that it has no input validation, no regular expression, they don't specify how many times it can occur, and therefore you're just creating more and more holes as we keep punching holes into the firewall. Embedded security: we're going down the Internet of Things road, and this is an interesting topic, right, because we're starting to buy consumer devices to do many different things. Imagine a scenario where someone determines that you can put Google Home devices in your legal department to save

money on a lawyer or transcription, right? Lawyers like to go blah blah blah, right, and therefore you might want to automate that using home-type technology. So imagine if we're not understanding how to do security analysis on those types of devices; we've created a particular problem space. Advanced network engineering is going to a very, very interesting place. This week was the Gartner Symposium, and there are companies working on things called dispersive technologies, where they are changing up and spraying routes, right? So let's say, for example, if you're routing normally, all traffic to, I don't know, Google goes this path, all traffic to AOL goes this path. They're working on

dispersive technologies such that the packets get evenly spread, right, to prevent sniffing and those types of things. And when you're starting to spray things, and you're spraying things securely across different routes, right, you can replace technologies as well. So it's an important, different conceptual way of thinking about that; google dispersive technologies for homework. In terms of cloud, right, we're putting things into containers that we do not control. We are even going towards a model called serverless computing, where we just focus solely on the business logic, right? So it's not about pointing;

we have to get a lot smarter in terms of understanding business logic and the variants that occur there for us to get the skill sets right. So those are some of the things that we need to start thinking about. All right, so in pushing forward on that, how do we prepare for that upcoming cliff security's headed down? What are some different security paths that you might be able to focus in on? I'm sure there was some influence here, but somehow we arrived at the quadrant thing. So I think a lot of the safer security

tracks here, right, maybe for folks mid-career, are things like: you're always going to need someone to manage security staff, right; companies are always going to have vendors; there's always going to be some education and security component to the profession, right? I think there's some things that are a little bit more innovative paths that we're not really focusing on as an industry. A few of the guys from Lodestone are here in the room today, and Keith constantly harps on this every other week, but privacy and usability, right? Who's designing those types of solutions? Who's making security usable? For business owners, security is always just seen as something that gives them less

usability, right? So another one, what I affectionately call the dead zone, is careers that are starting to become more commoditized. And again, apologies to the folks on my team, but I think penetration testing is headed down that cliff as well, you know, network scanning and security. It really feels funny saying that on the consulting side, during penetration tests, but we'll see. So the concept of IT auditors, right: James mentioned a little bit about blockchain, and you have cryptographic principles around auditing and securing that trail. Who the hell needs an IT auditor anymore? Are there any auditors in the room? All right,

no one, at least, willing to admit it. Now, following the laws of supply and demand, right, you can always target some of those more niche security career paths that not everyone is doing, although I know Robert came on earlier with threat modeling, and we were chatting a little bit about OWASP, right; at some point that was niche, and now it seems to be very much in vogue, something that all companies are talking about. The downside of those potential niche career paths, though, of course, is that at some point they may just fall off that cliff when it's no longer popular, or go

the way of COBOL, let's say, right? As James mentioned earlier, on the x-axis there was a little bit of, I don't know, for folks in the room, more of the James factor; you could probably explain that one. Right, so I'll call it the traditional INTJ towards the left, right, introverted, that type of thing, and you're judgmental. Really good, if that's your personality type, to get into malware analysis, right? You can hide out at your desk and do pen testing, right; you don't have to talk to those nasty business people, as you understand. But if you go over here to the ENTP, right, ENTPs are energized by

communication, right? So over there we've got things like threat modeling, and up top, right, security DevOps, because we've got to start selling, right? You cannot be effective as a threat modeler if you don't want to engage with people, right? So make sure that you're thinking about it not just in terms of skills but in terms of your own personality, to guide your career. The other dimension, I will say, that's somewhat less apparent in this particular model: I will say that everything over on this particular side, you're a hero when you get a win; you penetrate a network, you penetrate something. But when you're over here, in terms of

threat modeling, or you're working on privacy, right, that's the harder work; it takes longer to get cred. So think about it through a couple of lenses. When you're laying out your skills, don't just think about it as "I need to know X, Y and Z"; I want you to think about it in terms of your personality. Thanks, James. [Laughter] Every one or two weeks for myself personally, James, but all right. So yeah, I know we're running a little bit out of time here, but I wanted to provide some resources, and again did the mapping to this framework here, right? One of the former colleagues I had worked with

when I was in the federal and defense industry, working at a company called MITRE, came up with a site, OpenSecurityTraining.info, and literally they recorded every training that we went through in what was known as the MITRE Institute, everything from an x86 intro to reverse engineering, vulnerability assessments, rootkits, etc., and published it all and made it all open, probably much to the chagrin of the MITRE overlords. And earlier this year at BSides Boston they did a whole track just on non-engineering security careers, and I thought that was good to highlight for folks, as we mentioned at the beginning of this talk, that are

not necessarily in engineering fields: what are some of the different opportunities that are available there? And of course there's all sorts of conference talks on YouTube, OWASP, BSides, that are published and available. If you guys can develop some sort of AI machine learning algorithm for sorting through those talks so that, instead of searching through all of them, I can just go "I want to learn about pentesting" and have it come back with all those, I think there is a startup for you. Finally, as also mentioned, some of the folks on our team were using this and I was starting to dig into it, and these aren't all the classes

available at Cybrary, but what I liked about them was that a lot of their courses are open source and free. So if you're looking to pivot to different technical areas, definitely check out their repository; they've got a bunch of great talks in pretty much all the different security domains to at least get a start on getting a little bit smarter in these areas. All right, so my secret hidden agenda was to talk a little bit about mentorship. One of the things that James and I have been talking about was more from the mentoring angle, right; we talked about that apprenticeship, and we were

trying to figure out, for folks that are out there, are there folks that are open to mentoring others, as well as folks in the room that may be looking for mentorship. Mark down if you're a builder, breaker or defender, and we want to start an initiative to help out. At the end of the day it's a community, right? It's the security community here in Connecticut, and it's a unique community, and I think the more that we can do, in terms of not just looking at websites and things that will teach you the technical training, but the actual people-focused side, the resources that we have here in

Connecticut as a community, I think that was pretty much the end. I don't know, James, if you had any takeaways. Not just thinking in terms of current-state market demand, in terms of job boards and the skills that they're asking for, but essentially aligning to the future-state technologies that we know are coming down the pike. Solve the pipeline problem, right? All of us are professionals; sooner or later we're going to retire, and we'd better leave our pensions and all of that other stuff in good hands, unless we want those attacked when we're elderly. So there's a vested interest in investing in you, solving some of the particular challenges of academia, and demanding

more and better in terms of that. Understand how the pipeline is changing; let's make sure that we're not just adding people because it's an in-demand skill and we create more supply than demand, but rather we all focus on areas such that there's an even distribution and coverage, and of course we're going to focus on things that avoid what might potentially be automated, right? Think about some of the tools you're using and strengthening your resume. One of the things I'm going to say about resumes is that, in this particular scenario, make sure that you don't just address skills but start addressing outcomes. This is increasingly becoming something that's on the radar

in terms of the board and executives. You saw that the dollar figures are going up higher; awesome, inflation. So we'd better be putting things in dollars-and-cents terms. Yeah, and I know Rowan's throwing me death stares here; I think we're going overtime a bit. So yeah, for the mentorship aspect, we're going to collect those sheets again. If folks are interested in volunteering to help drive that forward, I think that's definitely something that we want to focus part of this year and the coming year on, in terms of helping to build our security community. So thanks, everyone; it was a pleasure getting up here to speak today.

[Applause]
