
The Art of Cybersecurity Mastery: From Entry-Level to Staff+

BSidesSF 2025 · 30:30 · Published 2025-10
Speaker: Florian Noeding
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Florian Noeding, principal security architect at Adobe, shares career guidance for aspiring and mid-level security professionals. Drawing on 15 years of experience and mentoring practice, he covers practical strategies for navigating the entry-to-staff+ career trajectory, including how to develop deep expertise, communicate technical understanding clearly, and align security work with business impact.
Original YouTube description:

The Art of Cybersecurity Mastery: From Entry-Level to Staff+
Florian Noeding

Are you aspiring to break into cybersecurity or looking to take your career to the next level, but don't have a mentor to guide you? This talk is for you. We'll dive into practical advice to guide your career journey, based on real-world questions asked by my mentees.

https://bsidessf2025.sched.com/event/f9f01d982279224d1c6d654d0049d60f
Transcript [en]

Welcome Florian. He'll be talking today about the art of cybersecurity mastery, moving from entry level to staff plus. Florian, take it away. Sorry, if you have questions, please go to bsites.org/q&a and submit your questions through that, and we'll be going through them for Q&A. Thank you, Florian.

Yeah, thank you for the introduction. So first of all, thank you for joining me today. This talk is about mentoring, basically, and mentoring is giving advice based on personal experience. So usually when I work with my own mentees I customize my guidance, but today, since I don't know you, I can't do that. Instead I'll start by talking a little bit about my own career journey, so that you can understand where these ideas are coming from and how you can apply them to your own careers.

So let's get started. My name is Florian Noeding. I'm a principal security architect with Adobe. I focus on product security, and this talk is mostly about product security, because that is where I'm most experienced. The lessons learned that I'm sharing today still apply in many other areas across basically all of security, but you'll have to customize some aspects. What I do in product security: I focus especially on static code analyzers, or all the security aspects of source code, from how to secure git repositories, software composition analyzers, SBOMs, static code analysis. Another big investment area for me is memory safety, because we have many products that are built on a foundation of C and C++, and you all know it is very hard to write memory safe code without secure-by-design systems as a principle. My job is also to evangelize for security, to work with business leaders to identify strategies to invest more into security to better protect our customers, because that is the end goal really: protecting our customers. In total so far I have 15 years of professional experience, and six of them in a product security role. So I'm still kind of new to security, but I'm actively mentoring.

So let me tell you about my journey a little bit. First of all, a career is a 40-plus year journey, and what I've always done is wonder about my next step. And that's also the question for you: what is your next step? I didn't look 20 years into the future to figure out what I wanted to be at some point, but I simply followed my curiosity. I'm starting with what I studied, econophysics, which has nothing to do at all with security, obviously. I truly wanted to understand how our universe works. Unfortunately, halfway through it I figured out it's mostly math. I was okay, maybe even good at it, but it wasn't the thing I really wanted to do. And when picking this subject, I told myself, certainly naively, I can already write software (in 2004 I was good at doing that), so I didn't need to study computer science. But I still pulled through, and I see studying econophysics as learning how to learn.

After university, I got my first job as a software engineer. It was a small startup, and within one year I got promoted to be the head of the backend engineering team. I was responsible for coordinating 14 people. I did that for a couple of years. I learned a lot about leadership and also a lot about culture and all the things that can go wrong, because we had big problems in that startup. I lost that job; I was let go eventually, but that was actually the best thing to happen to me, because I joined Adobe in 2014. I knew I didn't want to be an engineering manager anymore, but I was very grateful for the leadership experience that I had gained. So I now worked on developer experience. I was responsible for the build and deploy pipeline to deploy a large cloud product to the cloud. Their primary challenge was they could only do a deployment, if they were lucky, every two weeks, and if they were really unlucky only every six weeks. What I did together with my product manager was reduce the time to any number of times per day. We had a web interface that I helped design and implement; any engineer could independently deploy any component. So I truly learned how to work with engineers and understand their needs.

In 2017, I was promoted to senior software engineer, and I figured out that security is really exciting. I didn't know before that point that I actually wanted to go into security. My idea at this point was to become a software architect and build highly scalable servers. I thought that was super awesome. But a good friend of mine back then told me that he was spending a lot of time doing bug bounty hunting and was breaking stuff and also earning a lot of cash, and I said to myself, I can do that too. So I learned about vulnerabilities and I applied the knowledge that I had gathered as a software engineer. I worked with containerization, with Docker containers. I worked with cloud deployments, and the metadata service, for those of you familiar with cloud deployments, is a common source of security risk, especially back then when people did not yet really know about server-side request forgery; it's the root of trust for many things. And I was good at writing, well, relatively good at writing C++ code, certainly better at breaking it, and I was good at finding memory safety vulnerabilities. So I hacked cryptocurrencies, not the big ones like Bitcoin and Ethereum, but smaller ones. I hacked cryptocurrency exchanges, especially one where they forgot to properly secure their build system, which was exposed to the internet. I hacked a build system that was exposed to the internet and I got access to all their cloud deployment keys and probably access to their hot wallets. Unfortunately, they decided to threaten to sue me. They actually didn't do that. So I decided, well, maybe doing this as a side job is not the best idea; I want to do this full-time. By 2019, I applied to Adobe's central security teams and landed a product security role, and within three years I got promoted to principal security architect. I now run strategy for more or less half of the entire enterprise, security-wise. So I know a thing or two about how to advance your career, and I want to share that with you and give back to you. I have no clue what I'll do in the decades until I retire, probably around 2050. My next step certainly is: I want a "senior" in front of that "principal".

Today we are talking about three things. How to write better resumes, so that you have a chance of getting your first job in security. How to ace the technical interview: how does the interview look, what are the expectations? I've interviewed so far over 100 people and I know exactly what I'm looking for, and I can share the challenges people have. And then at the end, in roughly the second half of the talk, we'll talk about advancing to staff and beyond.

So let's get started: how to write better resumes. The first challenge I see is when people apply for jobs, especially their first job, they don't know if they want to be a defender, the knight on the one side, or maybe more on the offensive side, or maybe you want to do something completely different in security, like a compliance role, or security analyst in the SOC. And they write resumes that tell me they don't really know what they want to become. My recommendation is: write a resume per role that you apply to. If you want to have a defensive role, write a defensive resume. If you want more penetration testing and more red teaming, write a resume focused on that. Highlight the respective strengths. Tell a compelling story of how you can help the organization with your skills. And also in the resume, talk about what kind of role you had in your past experiences. Were you supporting an engagement? Especially if you are still at university and you did an internship, you probably did pentesting; that's the most common thing in an internship. Did you lead stuff? Did you support it? Or maybe you just learned stuff. That's totally fine; tell me about that. Tell me about the impact you had. Don't write things like "I reduced security risk by 30%." That doesn't mean anything. Tell me how you made the life of engineers better, how you increased visibility into risks, or tackled a complex security problem. And for recent graduates and other early career folks, there's a big challenge: your resumes, especially if you just graduated from university, all look the same to me. And you need to somehow stand out. The best trick, and what I did in my own career too: I went on a side quest. So instead of slaying the dragon up there directly, I went to boot camp, I went on a bug bounty hunt, and I demonstrated that I have hands-on experience and I can actually find vulnerabilities in real-world systems. Bug bounty hunting is challenging at the beginning. It even took myself a couple of weeks until I found my first vulnerability. It's a frustrating exercise, because other people are trying to find vulnerabilities too, and you need to identify your niche where you can be successful. It also tells me, if I want to hire you, that you're motivated to learn new stuff.

So how can you ace the technical interview? I do primarily technical interviews. You will have multiple kinds of different interviews, where the hiring manager will also test you for cultural fit, for different kinds of potential, for example if you can lead and not only do the hands-on technical work, but this is really about the technical aspects. So in my own interview, I'm looking for technical depth at first. That means I want to understand if you have a solid technical understanding of what you do, especially the basics. I don't know everything either, and it's fine if you don't know one or two things, but if you don't know a lot of these things, that's concerning to me. And especially in a product security role, I want to understand that you have empathy with software engineers. What I mean is not "I'm sorry that you have to fix this vulnerability, it's really important." That's not what I mean. I mean that you truly understand what you're asking of the software engineers who have to improve the security of the systems; that you understand how software is written and where the layers in the software are, how they interact with each other to create security vulnerabilities; and when you ask for certain things to be remediated, that you have an idea about the amount of work that you're asking for. I'm looking for communication skills: that you can talk to me like a security expert, that you can talk to a software engineer or maybe a business leader. It depends really on the role. But I'm always looking for precise and nuanced language, because that is a reflection of the mental models you have in your heads. And I'm looking for potential, and I'm testing for curiosity, because if you are always trying to learn new stuff, that is super important in security, because our scope is so broad and we have to deal with so many different things. I'm trying to figure out if you can ask good questions, if you can solve a problem together with me. So my interviews are not trivia contests. I don't have a set of fixed questions where I want exactly one answer. My interviews are conversations. I want to get as close as possible to actually working with you on a problem together. And at the end I want to also understand if you can say "I don't know" about something, and I don't know everything either. So if you can't say that, that's not good. The more senior the role is, the more this shifts to the right side here, more towards communication and potential.

So how does understanding the basics work? For example, I might ask you what a weakness is. I took here the example of SQL injection, but it works really for any weakness and many other different areas. I have a hierarchy of questions that I will ask you. And if you don't know the answer to the first one, I'm not going to ask the second question, because, well, there's no point. I ask you: what is SQL injection? What is the weakness? Why does it happen on the code level? I want to test and see if you have this empathy with software engineers. How does vulnerable code look? In this case, it's string concatenation, string formatting, stuff like that. How can it be mitigated? Tell me about the need to escape control characters, while certainly not recommending that to engineers; they should use parameterized queries. I'll ask you about edge cases. Now we are certainly in senior territory. How can a query safely be written that depends on user input, for example the sort order or the fields or the condition? And how can you mitigate SQL injection at scale, not only in one piece of software, but in many products across many different tech stacks? Which other parts of a security organization do you want to pull in to help you, because you alone can't solve it anymore? That is certainly staff territory. And the deeper I can get in the more different areas, that is to me a proxy for curiosity, because surprisingly many people don't know this stuff. And getting a job is unfortunately a competition. So it's a little bit different to what Clint said, "you're good enough": to get a job you might need to be the best fit. It's not only tech; there are many other aspects there too.

How clear is your understanding? So if I ask you what SQL injection is and you tell me "SQL injection is when someone puts weird stuff into a box on a website and then, like, the website gets confused and does stuff it's not supposed to. It's bad." Basically that's totally correct, but it doesn't tell me anything. Another example in this area is if I ask you to do a threat model and you talk about security threats that totally don't make sense in that context. That tells me your mental models aren't accurate enough. I don't know if I could say something like this in an interview when I would be interviewed, but I hope I would get close. I would say: a SQL injection vulnerability occurs when code and user-controlled data are mixed without proper escaping of control characters. It allows an adversary to partially or fully control the database, bypassing application logic. Look at the contrast between these two things. And this is not a memorization exercise. That doesn't work in my interviews. I'll just ask follow-up questions and you'll break down. What I want you to do is think about how sharp your models are. Ask a friend or coworker to practice this with you, to use precise and nuanced language.

Usually half of my interviews, in a 45-minute session that's about 20 minutes, is that I'll ask you to solve an open-ended problem, and I usually use this one for a product security role: you've been assigned to help secure a new company-wide login page or process. How do you work with the team? I can share that question freely, because every interview will be very different; you'll take a different approach. I just want to see where you start. Threat modeling? Do you focus on the application or product security areas, on the infrastructure? How do you balance risks with business needs? So password storage and multi-factor authentication is very interesting from a business perspective: how much do you want to slow users down logging in, or does your business think risk-wise about this? Which tech suggestions do you make? Do you think it's appropriate for the team to use jQuery, or should they use a secure-by-design framework that inherently prevents cross-site scripting, such as React? How do you prioritize the security controls? You know, at the end we all have limited time to invest into security. We want to be efficient about it. And importantly, again, I'm not looking for perfection. I am looking for you to work with me. Not knowing stuff is totally fine. I will guide you through the interview, but you can practice this and get better at it and have a much better chance of getting the jobs that you want to have in security.

Advancing your career. First, we have to talk a little bit about career levels and how they are different. I have junior or entry-level, senior, staff and principal here. This is generic and doesn't exactly map to how we use these levels at Adobe. But in general terms, we can look at technical skill, your ability to solve any problem, or, as I call it, going from A to B independently, once you are a senior and definitely staff and principal. A junior needs lots of help to solve problems. They need a map, kind of, to figure out how to solve these problems, or else they might end up in a dead end, have to back out again, try again, another dead end, try again. That exercise is helpful too, but it needs balance. And you can see there that the technical skill level gets fairly flat near the top. So as a staff or principal I don't have much more technical skills than a senior, but I do something different. I have a sphere of influence, where a junior basically has almost no influence, a senior certainly a team-level influence, a staff an organization influence, and a principal has influence on the enterprise or a large chunk of it at least. So you move from following to leading. Actually, sure, you always follow, you always have a boss, even if your CEO, your customers or your board are your boss, but you need to start leading more and more, and that means you have less time for direct technical impact. Junior and senior only or mostly have technical impact. So you go from doing the work to guiding the work. I spend most of my time on strategic alignment across teams and organizations, growing the organization so that we can be more impactful. It is a completely different job than being a senior, where you have the technical impact. I certainly miss my direct technical impact, because it's very hard for me to stay technically sharp. I always make sure, together with my boss, that I still have time to learn new tech stuff, because otherwise my technical skill would take a dip, and I need to avoid that, because by definition I need to be one of the most senior and most experienced and skilled technical folks at a company.

There are roughly two ways towards staff and principal, and I'm focusing here on where you become a specializing generalist: become good at many things. The alternative is you get insanely good at one thing, for example crypto. But think about how many companies are able to hire a crypto expert that could do a new implementation of TLS or something like that. It's very niche; there are not a lot of jobs. Also, in our industry most people do job hopping every couple of years, so you'll be exposed to something new anyway. So I believe if you truly want to work towards becoming a staff plus engineer, your best chance is to become a specializing generalist. Generalist means you have a very broad set of things that you know, that you understand, and you can also go very, very deep. For example, in product security, software engineering helps you a lot. You don't need to be able to build systems anymore, but you need to understand how these different layers work together. If your software gets deployed to the cloud, you should understand cloud aspects and networking, because how else would you do a holistic threat model and figure out how all these different parts fit together? You need to become good at leadership. Leadership is important also in your role to influence software and engineering teams and other parts of the organization; that happens much before staff level, actually. Understanding compliance, and of course you need a lot of security. If you go beyond product security, or look at specific roles in product security, the shape of this is different. All the principals I'm working with in security at Adobe are specializing generalists, in my opinion; they are surprisingly broad and surprisingly deep. That's how you can get to that level.

My mentees always ask me one question: what should I work on? What should I prioritize? It's really important to understand the difference between output and outcome. I found this wonderful illustration: I had my target of 50 arrows a minute. I hit my target of creating 50 threat models last year. That doesn't mean anything. You want to hit an actual business goal. The first thing I tell them is: you can't do all the work. I myself can't do all the work either, because there's always more work coming to me. I write down all the work I have to do, and then I consciously decide what to drop. I think about what is important, what is urgent, and I also think about work that only I can do in my organization, because I have perspective over a large part of the organization. If you're an individual contributor directly doing the technical work, you often lack that perspective. Or I can work across large parts of the organization. So I focus on work like that. But to simplify this, there are two things that are always important in security. That is: increase risk visibility, because then you can talk with the business about it and decide what to do. Should we remediate it? Is it acceptable? Can we maybe mitigate part of it? And reduce risk. Try to tell compelling stories of how your work connects to one of these things and anchor yourself there. And always align with your manager. Even though your manager is supposed to kind of know what you do, they don't know all these things. My manager doesn't know all these things either. Especially at principal level, you are very independent, and I set my own agenda largely. So it is important to create shared understanding with your manager, and they can give you feedback on the things you're working on and see if you have the impact that is required for the higher levels. And there's a fallback trick that works while you try to achieve staff, but to truly achieve staff level, you need to figure it out. If you lack perspective, just figure out what would make your manager look great. And if they are successful, in a good company culture you will become successful too. In a bad company culture, they'll claim your wins as theirs. Well, then you need a new job. So, very simple.

What can you do to get a staff plus promotion? You need to set up feedback loops and become your own critic: be able to really be rational and objective about the quality of work you deliver, and be intentional about it. There are a couple more feedback loops that you need to set up. Create a promotion package, and there's a book, the staff engineering book, that I highly recommend. There's a link here; go read it. I recommend that as one of the first steps to get a promotion for all my mentees within Adobe and outside. And also importantly, manage expectations actively. That means agree with your manager on what it means for you to be ready for a promotion. It always backfires when people try to say, "I want to be promoted at a certain point in time." That doesn't work. There might be other people that are already ready ahead of you. There might be no business need for the next career level, so there's no role available at all. Lots of complications. And in many companies, career progression is to some degree decoupled from your salary. Be clear if you just want a salary increase too. And you might have to do some jumping through hoops to get your promotion. I certainly had to do that when I wanted to become a senior software engineer, because I was told again and again I need more visibility. What is that? What does it mean, actually? The higher level promotions, and only, well, senior maybe a little bit, but really only staff plus promotions, work like this. You're here in the org chart. You report to your chain, and obviously your chain decides if you can be promoted. But for high level promotions, the directors and principals on the side also decide whether you can be promoted. So if they don't know anything about you, how can they help you with your promotion by endorsing you? So what you have to do is look at your sphere of influence. As a senior you probably have a sphere of influence that's shaped like this: mostly your team and, by implication, your direct line of management. But at staff plus level you need to work with the other teams. You might not be able to work with a director up there; then work with the manager or their peers, because if the manager is asked to endorse your promotion, they'll certainly ask their direct reports, their managers, if they have worked with you, if they know anything about your work. And if you work over them, then you have visibility. That is what it means to have visibility. You can also work with your principals or other staff plus engineers and talk to them. Usually you need a sponsor, and your manager is by default your sponsor. What does it mean to be a sponsor? A sponsor gives you bandwidth, time to work on projects that exercise these new skills, that help you get more influence, that help you work on leadership skills, because influencing without authority is very different than doing direct technical work. And ideally, if you want to accelerate this path, go and find a mentor in your own organization. I double-checked this with a couple of hiring managers from other companies. It works in these large organizations also like this, here from my own experience. But go figure out how it works specifically for your organization.

So overall this means lots of hard work, unfortunately, and there's no silver bullet. You'll need to build up experience, good judgment and critical thinking. So follow your curiosity. Figure out what you're truly interested in learning. Because if you follow your curiosity, this hard work becomes much easier. The hard work of finishing my econophysics degree, I don't want to do that again. I'm much more into softer stuff, so it's much, much easier for me. Master your craft. I take a lot of joy out of mastering my craft and getting better. And I've seen other people that feel the same way. And if you're at staff and especially principal, this is the best job I ever had. It gives me so much freedom and purpose and impact, which is really awesome. Once you've mastered your craft to a certain degree, move on and learn something new. Rinse and repeat. So, what's your next step? Thank you. [Applause]
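The SQL injection question ladder from the interview part of the talk (vulnerable string formatting, the parameterized-query fix, and the senior-level edge case of a query whose sort field and order come from user input), worked through in Python with sqlite3. This is an added example, not code from the talk or from Adobe; the `users` table, its rows and the allowlists are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demonstration.
USERS = [
    ("alice", "alice@example.com", 3),
    ("bob", "bob@example.com", 1),
    ("carol", "carol@example.com", 2),
]


def make_db():
    """In-memory database with a small users table (constructed test fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, login_count INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_lookup(conn, name):
    """The weakness at code level: code and user-controlled data are mixed by
    string formatting, so a quote in `name` ends the literal and the rest of the
    input is parsed as SQL. Kept only to contrast with the fixed version."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """The mitigation the talk wants engineers to use: a parameterized query.
    The driver binds `name` as a value, so it can never become part of the
    statement, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Senior-level edge case: ORDER BY needs an identifier and a keyword, and
# neither can be bound as a query parameter. The safe pattern is to map the
# untrusted choice onto a fixed allowlist of values we wrote ourselves.
# The keys are what the client may send; the values are the real column names.
ALLOWED_SORT_FIELDS = {"name": "name", "email": "email", "logins": "login_count"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def safe_listing(conn, sort_field, direction="asc"):
    """List user names sorted by a client-chosen field and direction.
    Only allowlisted options reach the SQL text; anything else is rejected
    rather than interpolated, so the edge case closes without escaping."""
    try:
        column = ALLOWED_SORT_FIELDS[sort_field]
        order = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort option: {sort_field!r} {direction!r}")
    # Both fragments come from our own dictionaries, never from the request.
    sql = f"SELECT name FROM users ORDER BY {column} {order}"
    return [row[0] for row in conn.execute(sql)]


def sort_option_accepted(sort_field, direction="asc"):
    """True when safe_listing would accept the option (handy for input validation)."""
    return sort_field in ALLOWED_SORT_FIELDS and direction.lower() in ALLOWED_DIRECTIONS


if __name__ == "__main__":
    conn = make_db()
    # A single quote in the input is enough to show the two behaviours diverge.
    probe = "alice' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(conn, probe))  # every row leaks
    print("parameterized:", safe_lookup(conn, probe))     # no such user: []
    print("by logins desc:", safe_listing(conn, "logins", "desc"))
    print("bad sort accepted?", sort_option_accepted("name; DROP TABLE users", "asc"))
```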