
BSides Buffalo 2026: Looking for a mentor? You might already be one.

BSides Buffalo | 29:36 | 14 views | Published 2026-06
About this talk
A lot of people in infosec want a mentor but don’t know how to find one. Either they don’t know how to ask or feel like they haven’t earned the right, yet at the same time, there are plenty of experienced people who want to give back but don’t think they’re qualified to mentor anyone. This talk is for both. We’ll talk about why mentorship in security is way harder than it should be, why “just network” is shitty advice and what mentorship actually looks like. This isn’t about titles, seniority or having everything figured out. It's about sharing what you know, listening and being willing to offer support to others along the way. If you’re looking for a mentor, you’ll leave with practical ways to ask without feeling out of place. If you’ve been around for a while and want to give back, you’ll likely leave realizing you have way more to offer than you think.

Um, this is Nick Relman. He's uh creative, deep passion for security. Uh, he's interested in enhancing employee awareness through uh phishing exercises that are engaging, not just the boring ones. And click >> Yeah. And uh he involves assistant. Wow. And uh boy, the stakeholder slime, man. You've been doing that ITIL stuff. >> Oh, ITIL. Yeah. Yeah. The elephant thing. >> Yeah. >> Big elephant. >> Yeah. Big elephant. Yeah. >> Um and you're committed to continually challenging your team organization to achieve higher standards for excellence and security. He also thinks the hot dog is a sandwich. >> Yeah, >> I threw open my mouth a little bit at the m gumbo stuff, but I broke it.

Well, the NLLM broad. >> Welcome, Nick. >> Yeah. Well, thank you. >> Cool. Yeah. Hey, I I I really appreciate y'all coming here and uh listen to me uh talk about being a mentor. This is a little bit different of a presentation for me. Um not going to be nearly as technical as a lot of these uh that I do. A little bit of background uh for me. Uh I'm an infosec consultant. Uh uh that's what my title is. Uh basically it's just a fancy way of saying I help the business do whatever it is that they're primed to do but in a secure manner. Uh I'm a former miscreant. Uh I don't do that anymore. Uh I was younger.

We'll get into that a little bit. I am a chaotic good. Um and uh I'm only cryptic and Machiavellian because I care. And uh if uh if any of you want to do some fun stuff, you can go to uh nick rules.com and there's like a CTF that's there. It's like a whole terminal system. Uh there's a whole bunch of flags and uh it's it's interesting. Have fun with that. Uh and whatever you do, probably don't run an LLM agent through it unless you really want to use a lot of tokens, but it's designed to be an entry-level uh CTF for just navigating Unix file systems. So have fun with that and if you you win it, there's contact and I'll

give you something. So anyway, with that, let's go ahead and we'll get it started. So, uh, who remembers AOL? >> Yeah. Okay, cool. I'm not dating myself too much. >> You got it. >> Um, which is which is awesome. Um, was anybody part of like the AOL prog scene? Anyone know what that was? Cool. I'm going to teach people something. So, um, what AOL progs were is they were add-ons for AOL. Uh, and and really you could do a whole bunch of different things with them. Uh, you could fade text from like one color to another. Uh, you could put like, uh, ASCII art in like a chat room to scroll. You could send email bombs to people. And you could

even do this thing called punting. Uh, and what that was is you could send a string of characters to someone via in an instant message and it would kick them offline which really sucked in the dial-up days because you had to dial back and it it took quite a bit. So, some of the most popular progs, these are uh just a conglomeration. Uh, probably the most popular is AOHell. Uh, that was one of the original ones uh for me when I was in that scene. Uh, Gothic Nightmares was really big. Rampage Tools was really big and and really I was obsessed with these things. I was 13 years old and I just I don't

know. I was a little miscreant. I wanted to kick people off the internet and I uh wanted to scroll in chat rooms, you know, stupid miscreant stuff that you do. And I really quickly I wanted to learn how these worked. How do you make these? What are they made in? And I found out they were made in this thing called Visual Basic. And I uh I I quickly joined uh these these chat rooms and this was actually PR uh private room Visual Basic and this is uh it's it's redacted because there's a lot of things that were in that chat that probably didn't age well in the year of 2026. Um so uh we we pulled that out but if you

actually look closely you can see people uh in there who had uh the elite screen names. So uh there's someone who has a screen name paint. Uh, so those were called leaks. Uh, and there's people actively cracking screen names in here. Um, pull up. Um, and and this is basically where everybody would test their progs publicly. And this is where all the cool people hung out. And this is where I tried to hang out and fit in and make my prog, which didn't go over very well. So uh for those who aren't familiar with Visual Basic, you can download these files which is they were basically the equivalent to like a DLL and they were

called BAS files. And the most popular one was called dos32.bas. And really what this what this did is it created a bunch of different functions that you could then call like send chat. You would send the string to the AOL chat. And I downloaded dos32.bas and I basically tried to fake these timers and make these progs and it didn't work. It just didn't work. And I was I was hanging out in this chat room and and I and I met someone in the in the chat room and and his name was Noon and and the the reason why his name was Noon because his screen name was no only sometimes. Uh and we just shortened it

to Noon. And he did something honestly that changed my entire life. He uh sat down virtually of course and uh he taught me how to use Visual Basic. He taught me how to make my first prog and it was awful. But he taught me how to make this and I I released a prog and it it was it was it was groundbreaking for me. And when you think about this, this was someone who didn't have any sort of a former formal mentoring framework. He didn't schedule weekly one-on-ones. He was just a kid who knew something who wanted to teach another kid who wanted to learn. Now, Noon couldn't have been more than 15. I was 16 years old or uh I was 13.

Sorry, always dreamed of being 16. And to Noon, what he did probably was nothing. I doubt he even remembers it. I I probably wouldn't have, you know, it was just a kid. Just a kid showing another kid in a chat room. But again, it changed my life. And without that small gesture, I don't know if I would be standing here talking today. I don't know if I would even be in information security. My my path could have taken a a very different turn. And what I really want to get across is mentoring. It it doesn't require a title. It doesn't require a framework. Doesn't require even awareness that you're doing it. Two teenagers in a chat

room. It's all it took. Now, here here's the other thing. Half of the people in this room have been a Noon for someone. I I I guarantee that you have and you didn't even know. You're probably already a mentor. Someone out there might be standing on a stage someday talking because of some some small gesture that you didn't think was was a big deal, but they did. Now, honestly, I lost touch with Noon over the years. The the same way that you lose touch with people from that era. Um, he turned 16 and I think he got an RX7 and I never heard from him again. But, uh, if you're somehow hearing this, thanks. So, something I want to take a moment to

really dismantle is this idea that that mentoring is is something that you eventually outgrow. And that's that's [ __ ] It's that's not true. Um, I have 10 years over 10 years now. I'm not getting old. I have over 10 years of professional experience in this industry. And the the need for a perspective never fully goes away. What does change are the questions that you're going to ask or be asked. Early career, it's pretty straightforward stuff that that everyone always asks. How do I break into infosec, right? What do I need to learn first? Am I even cut out for this? When you get to that mid part of your career, it starts to change

a little bit. How do I handle this political situation? Senior: how do I lift people up without burning out? Which will probably be my next talk. If I can be here and admit that I still need mentors. Maybe it's okay for you to as well. Has anyone ever heard of putting someone over that term? It's a It's a professional wrestling term. If you can't tell, I really like pro wrestling. Um, that's that's me clearly in the front row talking to some monster. Um, very sober and and my wife is next to me scared for both of our lives. Um, so but we we can really learn quite a bit about professional wrestling. So really what

the term is, it's when an established performer deliberately makes a new performer look strong. I don't know if you know this, but professional wrestling is fake. So when you when you throw that punch, you're not actually landing. At least it shouldn't. But when they sell that, they make it look absolutely devastating. They make them look like a monster. The the veteran is going to sell all those moves. They're sometimes the veteran's even is going to take a loss in that match. It's not charity. It's how the entire industry works. And it's not that different from our industry or really any industry. If you don't have people, if you don't put people over, the audience gets

bored. The business collapses on itself. If seniors hoard the knowledge, don't share that with others, we gatekeep access, we're just going to let people be burnt out who never got an opportunity to grow, never got an opportunity to be a senior. Again, the whole thing collapses on itself. So, when you put someone over, it honestly isn't some grand gesture. The the thing is is they're small but deliberate choices. It could be something as simple as you bring a junior analyst into an incident uh review and you let them share the findings that they found. By the way, and you let let them present, CC them on an email that goes to your CISO, frame it as their win.

If you get asked to speak at a conference or an event, decline, I know someone who'd be perfect for that opportunity. Share your process, not your conclusion. Each of these things is going to cost you something. I'm not going to lie and say that it's free because it's not. It cost you a little bit. Maybe a little bit of the spotlight, maybe a little bit of credit, but that's going to be something that compounds in into into an entire career. So, I I I I want to be very upfront about something because this is where it gets hard for a lot of people because professional wrest or not professional wrestling, um putting someone over requires ego management.

Now, in pro wrestling, there's going to be some people who are notorious for refusing to put people over, for always protecting their spot. Infosec has that too. We know what the architect looks like. It's the person whose entire job security model relies on them being the only person who knows how this works. It's the person who answers something con with condescension. If if this is you and and I understand these are these are habits that it can easily fall into. If this is you recognize that you can change. It's not too late. Something that I like to tell other people is that I can give you the tools. I can give you the advice. I can give you the

process, but I can't get on that bike and ride it for you. Mentoring is not handing someone a link to a SANS course and saying, "Here." It's not telling them to Google it. That's dismissive, by the way. Don't don't do that. It's in instead it's this weird middle ground that actually makes it hard to do. The difference is is I'll help you figure out which bike you even want to ride. You want to be a SOC analyst, cool. You want to be a pentester, even better. GRC, that's neat. Cloud security. Listen, I'll even run alongside you for a bit. I will let you fall, but I will be close enough that falling doesn't break you.

That's the difference between being a resource dump and a framework for helping someone find their own answers. So get real specific about what mentoring actually sounds like versus what it doesn't. So mentoring it's really asking what have you tried so far? Again, not because I want to dismiss you, because I want to understand your thought process. You might not think the same way that I do. We all think differently. That's actually what's really cool about our industry and really cool about teams is because you might think differently than I do. And that's what makes us stronger. So, it's not just Google it. It's not a resource dump. It's someone who's connecting people to others. You

know what? I'm not the best person to know about that. Let me introduce you to someone who does. Last year, I took someone to DEF CON for the very first time. I got to live vicariously through their experience. It was awesome. One of the one of the greatest things that I did was I introduced them to my network. People who I met over the past couple years. Now they know who I know. Now they have the same resources that I do. I don't think they realize how powerful that is. I gave them the tools to start to create their own networks, meet their own people. The right answer is usually the most uncomfortable one, not just for them, but for both of you.

So, there's an intimidation factor as I lean on this and push it up against the table. And and and really that's not not the not the leaning table that people don't want to talk about, but it's the uh the intimidation. And it's intimidating on both sides of the of the coin here. As a mentee, you're going to be absolutely terrified of being exposed. Impostor syndrome, right? I bet a lot of us suffer from it. I'm I'm one of them. I'm up here talking. I I suffer from impostor syndrome. It's screaming at you and now you want to voluntarily tell someone where your flaws are. It's very uncomfortable. As a mentor, you're worried about a a

different set of things, but you're also worried about being a fraud. I'm just I'm just going to put that out there. I'm I'm also worried they're going to realize I'm a fraud because impostor syndrome never fully goes away, even for myself. But I'm also going to be worried about am I being helpful or am I patronizing? What if I get bad advice and a person makes a career decision out of this? That's some heavy stuff. What I found is that both sides are often projecting a worst case scenario. Both sides are almost always wrong. And that's not just with mentoring. That's that's with just about anything that you do. I'm always looking at that worst

case scenario. We're always looking what's the worst case scenario when we threat model. We're looking at what's the worst possible thing that can happen. We're just wired to think that way. And honestly, the mentee thinks that the mentor is going to judge them. And the the the mentor thinks that the mentee will think that they're overbearing, but the reality is is both of them are going to benefit by just having the conversation to begin with. So, just have it, please. I went to a I went to a a a conference a couple weeks ago and there was a quote that really stuck with me and it was that infosec is the magnet that picks up

the metal shards of neurodiverse individuals. How true is that? That's incredibly true. That was BSides Tampa, by the way. I can't remember who gave that talk, but I want to make sure that there's at least some credit there. We're we're we're drawn to to systems, puzzles, uh pattern recognition. I recognize patterns in systems and I can't tell you why or how I recognize those patterns. It's it's this ability to hyperfocus. And honestly, these are genuine superpowers for us in our field, in our industry, but they're a curse. When we try to create these interpersonal relationships, it makes it really hard and difficult to talk to people. Reading social cues. It it can just feel very very hard to

do. Now, what we have to do is we have to recognize that the same way that we would when we have limits of any other system that we're trying to uh secure. What are those limits? Recognize adapt. Not everyone needs small talk mumbo jumbo. Okay. Direct communication. It's not bad. Some people really thrive on that with with us neurodiverse individuals. Some of us really thrive on that. I don't need small talk to build trust with people. I'm sorry. I I I really don't. I I I need to know what it is that you're working on. I need to form organic relationships. Not, hey, how are the kids? That's that's great, but I want to I want to know the you. I want

to meet someone where they are, not where some [ __ ] program says that they should be. Okay, that's what's important there. Sometimes a a Slack thread at 2 a.m. is going to be way more impactful than trying to force some one-on-one. How many people have one-on-ones? A lot, right? And and that's fine with management, right? There's people who I mentor, I have one-on-ones with there. They're scheduled to keep me honest. If we're not feeling it, we're doing something. We don't need to have that. We can have it some some some other time. That's okay. You don't want to force those one-on-ones. You don't force those engagements. All that's doing is just making people go back and

forth. Oh, yeah. The pleasantries. You're not growing from that. Don't force things.

I take a little sip, water the plant, so to speak, cuz this is this is really the reframe here. We are professionally comfortable with being uncomfortable. We poke at systems all day. We live in ambiguity in gray. That is our entire industry. That is every single day for us. Nothing but uncertainty. We can compartmentalize that. >> I made this sticker and put on my monitor on the bezel on the bottom says asking for help is a superpower. >> Yes. >> Yes, it is. >> Because I recognize that I just Yeah. I'm not going to want to have those conversations. >> You know what? I did something very similar and thank you for sharing that. I have a picture that's printed out at

my desk that says, "If being hard on yourself worked, it would have worked by now."

>> So really, when you think about the compartmentalization of of your of your skills, they transfer. So it it's really the the curiosity. Why does it work this way? It's the same with a person's career path. It's the same muscle. It's really that persistence. Oh man. Man, that persistence. We're hackers, right? We don't get it right on the first try. Never. I mean, sometimes, but never never works on the first try. We're persistent. You got to keep at it. What's the What's the What's the most important thing? Showing up. It's the hardest. And it's also the easiest thing to do. Don't think Don't you don't think so. It's really, really, really easy to go to a conference on a Friday when I get

the day off of work and work pays for it. Really easy to do that. What about today? Saturday. You're all here because you want to be here. You all showed up. Seriously, congrats to all of you. Give yourself a round of applause. You showed up. I'm not saying that you don't. If you if you don't show up on a Saturday, that like you're here because you want to be here. That's the thing. And those are the people that you want to gravitate with. Those are the people you need to build communities around. When you have your first meet and only five people show up, those are the people that show up. It's easy to show up when things are

growing. It's easy to show up when there's a thousand people there. When there's only five, it's not so easy to show up. Showing up is honestly the the easiest and it's also the hardest part about all of this. So, this is the the really the practical takeaway in a lot of this. And I and I rushed through a lot of this. I I spoke spoke really fast, but maybe we can have some discussion towards the end of this, but it's really not that hard. And and I' I've gone over this a couple different times because I watched some video where I I supposedly I have to say it three times for it to to to

sync with with a lot of folks. So, I made it a three-step process, and it's really only two. First find someone whose work that you respect. Could be a con like like this. Could be LinkedIn, Slack, Discord, Infosec 716, right? Anywhere your own team even. Say the small brave thing. Hey, I like how you approach this thing. Want to talk sometime and pick your brain a little bit? That's it. That's it. That's it. And and and if they say no, that listen, that's okay. There's nothing wrong with that. Go find someone else. You didn't sign a contract. You didn't sign your life away. You didn't ask them to prom. Okay? It's that simple. Hey, you I connected

with so many different people today. Just having organic conversations that aren't forced. As for the other side of the room, if you're if you're experienced and you don't have to wait for someone to ask you, hey, I really like that question that you asked in that talk. What are you working on? Oh, I missed the the the best part at the end. Sorry. Most mentoring relationships, they don't start with the word mentor at all. They start by having a conversation that just becomes a pattern. Most of the mentoring that I've ever experienced never used that word, but it absolutely was mentorship. Now, how do you be a mentor without becoming a second job? Because it easily

can if if you don't uh control this. Um, first really, you have to lead with questions and that that can be hard for some people. You need to ask, don't tell. What have you considered? Again, I want to understand what your thought process is. Where are you getting hung up? You don't need to think the exact same way that I do. I just need to understand how you think. Second, who's heard of asynchronous mentorship? It's a newer one for me. And and and what that is is that's that's basically online mentorship through different Discord chats. It's not formalized one-on-ones. Holy [ __ ] I didn't even know that was a formal thing. I didn't

know like I I really didn't I do this with so many different people. It's awesome. Take advantage of that. You don't have to have a mentor where you work or like it can be anyone. Sometimes a thoughtful message that's it in the middle of the night. It's it's way better than some forced one-on-one. Third, you need to be honest with yourself. I don't know. Let me connect you with someone who does. That's not failure. That's honestly some of the best mentoring that's out there. I love connecting people with others. I love sharing my network. It it it makes us all stronger and that's the only way that we're going to become strong. That's the only way this industry

survives. Again, put people over. Fourth, the check-ins are going to beat those formal meetings. I talked about this already. Don't force the one-on-one. Sometimes, uh, a short message of you got this or how's that thing going? That's really going to help out. You know what? I got three messages from people who I guess it's a mutual mutual mentorship said, "Hey, good luck with your presentation." You know, I I that's that's the stuff that's the encouragement. We need to do more of that. In fact, this is probably the hardest for everyone. Know when to push people and know when to hold. Sometimes people need to hear the encouragement. Some Sometimes people need to hear you got this just like I

did half hour ago or whatever it was. You need to hear that sometimes. Other times you need to hear you know I like this but you really need to rethink the approach or this isn't ready for for prime time yet. That's being honest. Both of those are mentoring. Both of those are really strong. So, as I as I bring this back, a teenager in a chat room like 20 years ago, okay, more than 20 years ago, they taught me Visual Basic. And he didn't know that he was mentoring. He didn't have a framework. He didn't have a plan. He simply was someone who was a few steps ahead and wanted to help someone who wanted to learn. And I'm standing

here because of that. And and really what I want to sit with all of you is I'm I guarantee a lot of us some of us many who knows are already a Noon for people. So, and and that could be that time that you answered a question in Discord, time you walked a junior through a log. Hey, time you said nice question. A time you caught someone in the hallway, wanted to talk. You probably don't even remember those interactions, but they probably do. So what I want to ask you, be that person for someone else deliberately on purpose. Put someone over. And this is honestly the hardest part. Let someone be that person for you.

The conversation. It doesn't have to be perfect, okay? And and honestly, I'm not going to lie and say that it will be it. They're never perfect. What's important is that conversation happens. So go find someone in the hallway afterparty, the Infosec 716 Discord, and say that thing today or wherever the hell it is that you go to meet people. Say that small brave thing out loud. And thank you.
