
Take control of your career: A panel with Industry Leaders

BSides PDX · 2023 · 52:54 · 51 views · Published 2023-10
Category: Career
Style: Panel
About this talk
During this panel discussion, you’ll hear stories from industry leaders with diverse backgrounds and careers who’ll be speaking on how they have navigated their careers, what they have learned so far, their successes and failures, and how to level up your career. Come hear our panelists discuss what it’s really like to grow your career in security, deciding between growing as an IC or a manager, what to do if you find yourself stuck, or whatever you want to learn more about. Ask Us Anything - seriously, anything.

PANEL SPEAKERS:

Lea Snyder
Lea Snyder is a Principal Security Engineer at Microsoft. She’s worn a lot of hats over her career and mostly worked for companies that begin with the letter ‘A.’ You can read more at: https://tldrsec.com/guides/staffeng-security/stories/lea-snyder. Outside of work she can be found organizing security conferences or enjoying all the PNW has to offer.

Terra Cooke
Terra Cooke is GRC Manager at Boom Supersonic. She’s been in the security game for 15 years. She’s here for all things security, technology, and non-performative intersectionality. Oh and cats.

Rachana Doshi
Rachana Doshi is the Director of Third Party Security at Salesforce. She has over 15 years of experience in the information security and technology industry, working in many different security domains from Secure SDLC, Application Security to Third Party Security. She has developed many security programs at scale, automating risk-based security assessments while enabling the business.

Dayana Claghorn
Dayana Claghorn is an Associate Principal Security Engineer at SiriusXM. She has had several careers prior to finding her niche in security. She has a diverse background, starting off her career in GRC, then moving into security architecture and later security operations. She is now the head of the application security department at SiriusXM. Outside of work, she enjoys making pottery, running her mini-farm, ice skating, and going hiking.

Jess Jimenez
Jess Jimenez is a Director at Dropbox. She’s rebuilt her career multiple times over, starting in the Army, then the Intelligence Community, and then in the InfoSec world. She is a passionate advocate and enjoys mentoring the next generation of security professionals, including teaching at UTSA’s CIAS. Outside of work, Jess spends her time hanging with her family and playing in the garden (except when there are heat domes in place).

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

All right, awesome. Hello everybody, hello Portland. Um, my name is Lea, so I will be introducing myself. I'll be moderating this panel, I'll be taking your questions. There is a Slido with a number, please feel free to send your questions as we're talking. Don't worry, got some prepared. Um, I'm a principal security engineer at Microsoft, and I'm going to let the panel introduce themselves.

Hello, my name is Terra Cooke. Uh, I am currently the governance, risk and compliance cybersecurity manager at Boom Supersonic, and also just generally do security there, because security just has to get done there.

Hi, I'm Rachana Doshi and I'm director of third party security at Salesforce, and I've been doing security for the last 13 years or so.

Hi, I'm Dayana Claghorn. I'm the head of application security and the associate principal security engineer at SiriusXM, and I've been in security professionally for about six years, six and a half years.

Hey, I'm Jess Jimenez. I'm a security engineering director at Dropbox. I'm responsible for defensive security as well as our product security, um, organizations.

Okay, so we're going to get going. Um, so as we said, we're going to discuss what it's like to grow your career in security, um, deciding between being an IC or a manager, what to do if you feel stuck, and just whatever you guys want to learn about it. Like, please ask your questions, got the Slido for this reason, it's all anonymous, so ask away. But to kick us off, cuz I doubt anybody's been like that fast, and of course I'm trying to do Face ID from far away, that works beautifully. Um, what does success look like for your role?

You want me to start? Cool, I can start, that's fine. Um, I forgot to mention I've been in security for 15 years, so what success looks like for me has, like, varied wildly throughout the years. Um, specifically in the realm of GRC, my personal belief is every GRC person has about 12 different jobs that they're trying to do. Um, so what success looks like for me does typically actually vary on
a day-to-day basis, um, and considering what is being asked of me. But more than anything I feel like success is being able to successfully, sorry, success is being able to accurately dictate the needs of security to the rest of the business, because if you can't do that you're kind of dead in the water regardless. And especially from a compliance standpoint, a lot of people don't quite understand it and view it as kind of smoke and mirrors, and it's this very scary place. So a lot of the time I'm taking the things from the business, translating it into security, and then flipping it and doing the same, and building relationships. Um, although GRC is considered non-technical or not technical, first of all that's wrong, secondly, um, being able to build relationships and successfully communicate with people I feel like is my biggest form of success at work, because if I can't do that I will go absolutely nowhere. And writing, right, a lot of policies.

Um, so I'm a people manager, and for me mostly success currently looks like making sure my team is successful: they're getting the growth opportunities, the learning opportunities, and the, you know, projects that they really want to do. Um, obviously, what, you know, Terra just said, we have to focus on the business, because otherwise we'll be out of business. Uh, but really making sure that, you know, taking the business goals and then dovetailing into what the team success looks like, that's what success looks like to me right now.

So I'm going to agree a lot with what Terra said, that a lot of what I do is to communicate with the business what risks we're engaging in, um, what risks we can mitigate, what risks we should probably accept, and so forth, and then to figure out how to manage the culture with the engineering teams to improve the processes that they have, so that they can, with as little friction as possible, include security into their design, into the application, as early as possible, and so they can get the feedback that they need to feel successful and
empowered to do that themselves. I feel like that is, if I'm able to do that or move us in that direction, I am creating, I'm moving towards my success criteria.

Hey, I'm going to answer this question on a couple of different dimensions. Um, success for me in my role serving the company, um, is to enable the business to be successful in a way that protects our customers' privacy and security. Um, so for me that's a lot of understanding the customer needs, the business requirements, and then working backwards to, um, how we apply security in a way that's an enablement, um, as frictionless as possible. And as a people manager, right, echoing what's been said before, empowering the folks who work for me, understanding their career goals and helping to set them up for opportunities. And then for me personally, um, success for me personally is finding a role that aligns my core values with the core values of the company I'm working at, right, and making sure that I have the personal satisfaction, um, along with the professional success.

All right, awesome, we're getting questions rolling in. I'm going to keep doing a couple of ours and then we'll flip to those. Um, what are one or two or more, depending on how many you have, things that have helped you grow your career across different levels?

Sure. Um, so I've kind of restarted my career multiple times. I started in the Army, and then I worked in the Intel community, and then started over, really started over, like weekend night shift as an incident handler, and got to, like, work my way up multiple times. Um, but really the key for me is, um, just asking curious questions and always having a desire to learn and grow more, and, like, you know, never being satisfied with what I'm doing and wanting to know how I can contribute more to the success of the mission.

I come from a very non-traditional background. I don't have a CS degree. I didn't start my career in my early 20s as a security person. I worked as a teacher as my previous job, um, and I moved
into this career in large part, and then grew my career, because of the community that I was able to surround myself with, the people that I was able to meet in this industry that taught me the things I needed to learn, that taught me how to appropriately Google the things that I shouldn't be asking them, and how to have the confidence to just go figure it the heck out, um, is probably what has been most instrumental in me being able to grow my career. And also recognizing where my strengths and my not-so strengths are, and moving into those strengths and trying to compensate for the things that I'm not as good at.

Um, I'll just add to what previously has been said. I'm reading this book right now called Disrupt Yourself, it's several years old, by Whitney Johnson. But, um, over my career I have just done a lot of different things, um, pushing myself to get out of my comfort zone and try something entirely new, either it's a new organization or a new industry, you know, moving from biotech to Big Tech, or completely different teams where I had no knowledge of that area or domain, and just learning and trying to grow into that space. But really, getting out of my comfort zone over the years has made me grow tremendously.

Can you ask what the question is again? Because quite honestly I forgot.

What are one or one-or-plus things that have helped you as you've advanced your career? That's my reframing of it.

Thank you. Um, not taking some of the traditional advice of, oh, you need to stay at a job and working in it five, no, I don't do that. Um, and I say that because obviously people can look at my resume or my LinkedIn and be like, oh, you're a job hopper. Like, yeah, I get it. Um, but at the same time, I personally do not find value in showing up for my job every day and hating it and being miserable, because that spills into other parts of my life. So when I don't like a job, yes, I go to my management and I try and do the right things and have the conversations, etc. etc., but if that does not work out,
I'm leaving. Um, and it goes against everything that I was taught by, like, my dad, when I had a good government job and you stay because you get a pension, and I'm like, that pension doesn't pay my bills in this current moment though, father, and neither are you, so, like, what are we doing? Um, so I left, and it was honestly one of the best decisions that I could have made.

Um, other things that have helped me be successful: being genuine to myself, just as a person. I realized early in my career, when I was a consultant and I had to fit into the box of a consultant, of wearing my slacks to work and my fancy shirt and this, that and the third, I felt very stifled. Um, and because I was not being who I was, it showed in my work when I had to present all the time. And so when I used to lead audit conversations, I'd make, like, really bad dad jokes and use slang, and my management was like, you can't do that, and I was like, well, but I can, first of all. Um, and secondly, my work performance got better and I was actually able to build better relationships because I showed up as a human and not some, like, weird little robot. Um, so, somewhat non-traditional, just being like, ah, this is who I am, you can kind of take it or leave it. But that also comes with privilege, and over time, like, I wasn't able to do that out the gate, cuz bills had to get paid.

Nice. Um, maybe I'll just take a stab at this one too, um, because I have a very specific answer to this. Um, so I mentioned I'm a principal security engineer. A lot of my job is actually about influencing others, and I remember being a more junior engineer being like, huh, I don't know how to do that. I also was like, I don't really understand who gets to decide the strategy and who gets to do the, like, what I thought was the cool work. Um, and I actually switched gears and became a TPM for a while, and I have a talk about why that's, like, the best job ever, and I still think it might be. Um, but it's the thing, like, that job is what I point to when people are like, how
did you accelerate your curve so fast? That job. Because that job was a lot harder than I was expecting, and I just remember being like, woo, I am unprepared for this. And it, like, honestly, best experience ever. I only did it for four years, but man, did I learn a lot.

Um, we've had a lot of questions roll in. I'm going to also reserve my right as moderator to slightly modify some of your questions. What are the biggest mistakes that you've made as a leader?

Some of my biggest mistakes I've made as a leader are, uh, innumerable. Um, but I would say that probably my biggest one is I have a confidence problem, and I sometimes let my ICs, they, technically I'm not their manager but I kind of am, it's weird, um, I let my ICs know when I'm lacking confidence in something, and sometimes they become very not confident too, when I'm clearly relying on them to be the experts. And so sometimes I need to be more careful about my own insecurity and make sure that they know where my confidence is in them, and because I'm not confident in something and I'm expressing, like, oh, I don't think that I'm the right person to be handling this, I'm going to hand it to you, it's not because I think it's impossible. I think that you can do it better, and I think that you're the expert that I hired to solve this problem, because this is what you're good for, this is, like, this is your best thing, go do it and kick ass and then teach me how to do it. Um, and so not feeling confident and expressing that is something that I've had to learn how to do differently and better, so that my ICs can model a better behavior and be confident in their strengths.

I think the biggest, um, failure that I, it's a mistake I continue to make, but, like, starting today, for real this time, I'm going to be better at it. Um, I don't say no enough. Not like, I'm pretty good at defending my team's, uh, you know, charter, like, I don't put a bunch of random things on my team to do, but I definitely, like, anytime there's a hesitancy in a
meeting and we've got to get something done, like, the NCO in me, the non-commissioned officer in me, is like, I'll just do it so we can stop admiring the problem and move on to the next thing. And the end result of that is, like, I have zero time, like, I have less time to dedicate to my team and my team strategy, I have less time to dedicate to my family and my friends, um, I don't have the capacity to do the deep work that I need to do. So I think not saying no enough is probably the biggest mistake that, again, starting today, y'all are here and my accountability friends, I'm going to stop doing.

Same. Um, I have the same problem, but I'm getting better at it, I've worked at it a long time. Um, one thing that I am not great at, that I'm still working on, um, I'm a natural introvert, and so my tendency is to not want to go and talk to a lot of people. I have enough meetings on my calendar, you know. And so, um, part of my job as a manager, though, is to evangelize my team and the work we're doing, and go talk to different teams and say, hey, look at all the awesome things my team is doing, tell me about your team, or what are you working on. And that's one thing that, um, over the last years, you know, I have let go of, or not done enough of, and that, um, you know, kind of hinders my team in their growth. And so that's one of the things that I'm working on to fix.

Mine is the same, as just always saying yes to everything.

Yeah, 100%. All right, I like this question. How can someone in a junior role support a team or organization that is behind in security maturity and not moving quickly? So from a manager perspective, how would you advise someone who's in a more junior role to help a team mature?

I'm going to use a very real-life experience of the magician I just hired. Um, uh, this is his first job in security. I'm going to leave his name and any details out, but he's a magician, and he is very, very, very good at what he's good at, and he's really good at solving complicated problems and knowing
your niche, and then making it clear that, like, I am super good at these things, I want to solve these problems, and then coming to your management and saying, I am super bad at these things, and they are important for me to continue to solve these problems, help me solve this. He's incredible at everything. Whenever we have a problem that's really hard, we hand it to one of us, and whenever we have a problem we think is impossible, we hand it to him, and four hours later he's solved it. Um, but, you know, he's going to have knowledge gaps, it's his first job in security, and so he's been very good at coming to us and saying, I have no idea what you're even talking about, or, I don't understand this thing. And he doesn't need to have any shame about exposing that he doesn't know what he's doing, because he knows, inside the environment that we have, I go to him and I say, I don't know what this is, can you help me, and I'm his leader, and then he says, oh yeah, let me help you, or, let's figure it out together, and, you know, we go and we explore it, we figure it out. And so as an entry-level or junior engineer, know your strengths, work on them, and then recognize your weaknesses and ask the people around you to help mentor you into growing in those strengths, into, or those weaknesses, maybe not into strengths, but into something that you can work with or around.

Um, something that's very underrated in security, in my opinion, in general, is storytelling. Um, we all are just like, oh my gosh, everything's bad, and it's like, oh my gosh, yes, it is. Um, but that doesn't really do much in the grand scheme of things, because we all just collectively agree that it's bad. Um, how do you tell that story to your manager? Because, also keeping in mind, and it took me a very long time to, like, understand that I was not the most important person in my manager's life, um, because I'm me and I'm a middle child, but anyway, um, being able to tell an appropriate story to your management, who has 50 bajillion other things that are going on, is, like,
pivotal, that I'm starting to, like, realize more and more and more. So if you start to understand how to speak to them, and you work with them long enough and understand, like, well, these are the things that I noticed that they really care about, how can I spin this into some of the other problems and things that I see or things that I think are important. It is reverse psychology, um, by the time it really boils down to it, and stuff that we've been doing to our parents forever. Um, but also, like, I'm in law school right now, and I'm in a class about negotiations and mediations, and there's a thing called a BATNA, a best alternative to negotiable agreement. Um, so you might have one specific way that you would go about doing this thing, and as far as you're concerned it's the only right way about doing it, which is fair, um, also a problem that I suffer with, I'm just being honest about me as a person. Um, but if you can come up with, like, I can't get to this, but I'll take that, and at least it's moving us forward, instead of being so, like, just hellbent, when it has to be done this way, I will instead, it's just, I'll take this increment, and maybe that increment is good enough for your management and for you. Um, because as we all know, budgets are super tight right now, so, like, these big pie in the sky things that would have not been pie in the sky three years ago, really not sure if you can, like, swing it in the budget. So what's something smaller we can do? But more importantly, understanding what's important to your management and essentially managing up to them, um, in order to get the way that you wanted to go.

There's an awesome book called Turn the Ship Around. Um, and I won't spoil it for you, if you want to go read it you should definitely go read it. Um, but one of the key concepts it talks about is building a culture of empowerment in your teams. And so I think if you're a junior or, you know, earlier in your career engineer, feeling like you don't know what to do or you have an idea to make
things better, um, one of the key concepts that I've embraced is to just call your shot and then go do it, right, and not wait for permission, not ask, not be stuck in this, but who needs to say that I can do this thing. Um, just call your shot ahead of time so you get the credit, right. It doesn't count if you just go silently do things, you got to call the shot and then go do the thing. Um, and that's how you build up the trust of your colleagues, um, and your reputation as somebody who can solve problems. But also, go Turn the Ship Around.

All right, Rachana? Okay, good, we can keep going. It's been said, that's kind of the problem, a lot of times you'll, like, be on a panel and be like, yeah, what they said, and you're like, oh crap, I need to say something. What type of entry-level security roles are good if you want to pursue a future in, and they specifically list GRC or AppSec, but you could just be like any security domain, what are good entry-level roles for getting started in this field? Want to go first?

Who's a GRC person? Raise your hand. I know it's synonymous, but hey, what's good? Hey, I see, yo, like, more than one hand, that's super nice. Um, GRC has been in, like, an uptick in the past two to three years, which has been wild to see after 15 years, or, it would be like, ew. Um, so it's really nice. Uh, things that you can do to get started in GRC: I am of the mindset, take any job that you can get right now. Not the best mentality, but hear me out. GRC people, like I said, do, like, 12 different jobs, and I wish I were kidding, but you're really doing very many different jobs. And I did not start in GRC, I started as an information system security engineer, and I've done QA, I've done virtually almost everything except for pen testing and anything dealing with programming, because I do not like it, but I can read code. Um, because you have to work with such a wide variety of people, getting any knowledge that you can is beneficial to you, versus, like, in some roles that are more, I guess, traditional security, like
if you're doing progr