BG- Keybnote - The Security Industry - How To Survive Becoming Management - Christien Rioux

right

great all right hi morning morning East sides so today's topic for our you here is going to be uh what happens to hackers that go pro um we are discussing the process uh by which technologists end up in management and become a bit false that uh you can expect uh starting a company or end up in middle management somewhere dealing with a bunch of really creative people uh there's some tricks and challenges to it um I know because I kind of came from the researcher community and found myself unwittingly in a management position and then suddenly found myself running a company and uh you know the the process by which I kind of picked up

enough you know barely enough business acument to be able to do what I do um was uh not obvious I didn't go to business school or anything like that so uh I'm going to use myself as a point of reference um this uh does not necessarily mean that uh everyone will have the same experiences as me here but um you might be able to avoid some things that uh I did wrong and uh maybe learn a few things that I thought we done particularly well so yeah my name is Chris R U hello I uh am going to be spouting a little bit here today um so just bear with me uh try to try to cover this in a in a

personal but uh you know informal way um you know I grew up in the middle of nowhere uh was Bor in West Virginia raised in Main uh I can told you there was absolutely nothing to do about SST programming and um I was probably 5 years old when my father brought home my first computer it was an Apple 2 plus a 16k of memory and a c880 uh expansion C uh it was in the the window of his uh window of his uh computer store that he was uh doing retail sales he had a PhD in music which means that there the way getting a job ever so he ended up accidentally uh selling computers for

living it turned out that it was pretty uh Adept at uh at programming and that was actually part of his PhD pis and you know so early on I kind of latched on to um onto programming I thought it was really neat thought video games were awesome and um you know he brought home the computer basically every day and then the next day had to bring it back to the store store plug it in and whatnot but every day he bring home uh boxes and games we got the plastic open hold the disc out play them for the evening get stick them back in the Box put them on the Shelf again so you know

if I wanted to keep the games I had to learn how to crack them and I think that's where I kind of got my start with security a little bit you I just kind of learned you know sector editing and then eventually assembly for 6502 and um you know for a long time I was programming in basic and assembly and you know was uh what I had access to um I ended up going to MIT um it was actually my lifelong dream to do so um little did I know that it was going to be the hardest thing that i' ever done uh just seemed like a great place to go um I when I was a kid

I had a book on Logo by SE more peer um which was very inspiring I just thought it's really cool that MIT came up with this stuff and I I got into logo and that kind of thing mostly because I couldn't AFF AFF Mouse and I to drw pictures and I just had the trouble do it for me me it's pretty pretty sad but that you know we do make these progress Progressive steps in our our development so I got a Bachelor's degree in computer science um I think it was uh fortuitous at the time for me to be going to Austin because I ended up running into uh bunch of guys from L heavy

Industries at 2600 me uh credential Center in 1985 I think so um it was the year following that that I went my first Devcon which is up FL and um and picked a handle which somehow stuck uh can't change it once you pick it so you just you try to pick something that was that was not confrontational evil super killer or something you know too pompous but uh yeah so D dog stuck um and yeah I got left at a pound hack on IRC a few times until I started publishing advisories um ended up doing a lot of that and lot of exploits ended up graduating uh from MIT in 1998 got an opportunity um because I wrote a a search engine uh

from my senior senior thesis thing senior project and uh got an opportunity um to to meet with some guys from Stanford who were starting a company and doing a search engine and I was just like nah stuff's boring I don't want to do that for work you know turned out it would been like number 10 at Google or something but no no it was uh it was not meant to be so I it advertently turned down you know any number of great opportunities uh just because I thought the work might be boring uh mostly wanted to follow my own path I was really interested in my own ideas really wanted to you know build my own stuff

didn't want to do other people's work and that kind of independent thing ended up Landing me um in in the position of of having to leave a job um that I had been at for 11 months my mother thought I was crazy uh you're leaving the bank to go work with a bunch of hary hackers in a warehouse it you better have enough rent money for like six months and I'm like yeah I do all right so school um getting a job uh worked at LOF heav Industries was the first to go fulltime there worked on L crack anti sniff bunch of advisories there um did this thing back where was 2000 here a little while back what 13

years ago and uh wrote a couple advisories uh with them uh help found at stake which is an inter uh band of crazy people um I'd say it was the first uh company to publicly say that they hired hackers of course like the like Consulting compan to say that they hired hackers every it was kind of something you didn't do and was having to fight for the respect that we eventually ended up getting um nobody wanted to give it to uh uh people that that wore the hacker name back then so I'd say with 20 other people we founded at steak at stake everyone who had at stake will tell you they founded it so just just

let him let him say that um but uh yeah I was acquired in 2004 by S anch and that was my first real moment where I started to see what the business world was like this small thing which was sort of a microcosm of the hacker world for me was the sad stick was just got bought by a major corporation and life changed I mean first thing that you noticed that soda now cost 25 cents what it was free before um the other thing is that if you you know we I remember us having in-depth bitching sessions about why Microsoft Outlook was the worst thing ever and we're never going to use that damn thing well once you got bought by

santic now you're stuck on Lotus Notes guess what B about out look you get does get worse so uh we ended up spinning out uh the core IP for ver good my current company um 2005 which is fortuitous and lucky because for the most part nobody understood anything about what it was or how it worked it just looked like a language oriented thing semantic said well we don't do C++ anymore so you guys can take I'm like okay uh it turns out that it you know it was uh something that I could get an investment on and it was my first jump into trying to do this stuff by myself I got a great co-founder

of CHR opal and uh a good team to start with but uh taking that LE was not trivial uh it was a probably 4mth period where I had no employment uh we were all living off our servants pay and then that ran out basically when you're working for company and then you choose to negotiate with that same company they fire you first it makes it a lot easier to negotiate with you when you have no money um so you going to watch out for that when you're spending out make sure that like that that technology is almost out the door already before you start negotiating otherwise it's going to be a long call pulling and pulling and

pulling and you're going to end up calling in a lot of favors and you know your country of capitalists is going to be like up all night trying to call the lawyers over there just to get to pick up the phone and it's one thing after another so you know getting IP out from underneath the the larger posterior of a giant giant Enterprise is non-trivial I wouldn't do it if I could avoid it you know so think twice about uh your IP agreements um at the same point uh you know Loose exal conset as many times you know it's uh the kind of thing where if I hadn't sold it to at stake I wouldn't be able to work on it I

probably wouldn't be where it was today so I can't say I regret it there's really no other path there was nothing else I could I could really do so um yeah so we got funding um now the chief SCI there and um an architect for uh mobile offering so I still a lot of good in in my spare time here which I didn't enough um so uh to to start talking about the actual me of this discussion um kind of have to take a look at how I progressed a little bit um that's kind of how I looked somewhat 15 years ago um I was a programmer I claimed to be a programmer I claim to be a hacker um my motivation

was really just to get a job and to figure out what was going on the world um to learn as much as I could about this industry cuz I thought it was neat um I thought I had maybe some skills in it um but I had nothing to really sell myself no no one would hire me necessarily without um you know uh testing testing me excessively um uh after about 5 years in the industry I had started publishing things publishing really made a big huge difference um you know people started to recognize them my name my my my um my handle and in the work itself um but my motivation changed you know what I

considered success for me changed um and you're going to find that depending on where in the life cycle your employees are for example their definition of personal success is going to be different over time mine definitely was I I I started to want to get in the media as much as I possibly could and could be because I joined C cow around that time and that was their sted goal everything was to get them into the media as much as possible um but I I I really did believe that you know uh making myself more uh visible would somehow be good for my career um turns out that it doesn't make you rich it just makes you visible uh

so um over time I I I was thinking you know how do what's going to make me happy you know it starts to to solidify after about like 10 years um and I came to the conclusion that my interest lied in doing impossible things this could be good or could be bad um we have um some technology that I was writing for verod and that uh was initially deemed Impossible by the mathematics community and other people this whole idea of automatically reverse engineering a binary to a high level model was deemed to be a lossy prospect and not worth writing code on uh I I suppose my ignorance at the time uh was an advantage because I didn't

listen to anybody and I just said well going to try it anyway um I hit all the same robloxs that all of those other researchers hit in 2002 and 2003 and then I realized I had to start over but I knew what I had done wrong and there was a trip to it and then nobody had seen it at that point I file for the patent immediately I absolutely hate patents I think the whole process sucks uh I would give up all of my patents that everybody else would but sadly the way it is um one has to have those kinds of things if you expect to get some kind of venture capitalist to pay attention

to you um you got to be able to show that you've got some IP otherwise uh you know you're it's just a words if you if your software Works uh nobody believes you anyway even if it works great nobody believes you because for the most part they know what's coming and you don't they know what's coming because your software is going to be placed in an environment that is far beyond your own expectations you've never seen the likes of something as terrible as say enterprise software right I I thought I could handle anything and then I was fed like Adobe Reader and I was fed like you know giant giant programs that that come from

Federated developments all over the world and I was just like okay it's a good thing that I showed that I had some patents earlier on um and eventually those things did get uh approved and I have that now uh today um my motivation really is to improve the state of the industry you up at the you know you know sort of top of er code my my goal is to make sure that what we do matters that it has meaning value um I have almost 300 employees now fa okay it's not small anymore what it was me and two other guys and whatever you know 300 people it's a level lives that you influence um

I I wouldn't want to be doing something meaningless I wouldn't want to just be having another job job you know those people um matter a lot to me so changing their lives but also changing the world a little bit if you can do it find a way to just make sure that what you do has some kind of meaning to the world um sometimes that's just just about having the right timing you know it's not about necessarily the idea itself sometimes but making sure that you have the right thing at the right time I think we were early the idea that I was working on I I gave myself like 10 years I was like

well uh I know three or four of those were even before ver got started so I think I've been writing the same code now for 15 years of my life or something like that so it does take that kind of dedication sometimes if you're really early like I was you're going to find that the market not ready for you and then you better damn well be ready to hang on for a very long time so your Fai is not sealed doing this um you know we I chose to make certain choices along the way um you know certain ones would have totally nuked the project um and left me without any IP certain ones would have probably made it a little

easier for me um but uh you probably make completely different choices and when it comes right down to it it's about understanding people's motivations your own as well as the people around you and really getting to a sense of what success means for you um if you're going to be a hacker manager if you're going to have a hacker company you're going to have to try to find ways to make some of the most critical people in the world Happy good luck with that you know getting a smile of a security researcher is like Ral what um so yeah it's the skepticism gets gets to you eventually um but you know the the same things that make a good

security researcher sometimes don't make a great manager you have to headle switch gears so uh how do we build a better haer temperature um let's take a look at the industry real quick I'm just going to breas through these slides um timeline for the industry really started off with physical security um and which kind of started since the beginning of recording history say physical security is probably the second job ever the second occupation if you can guess what the first one is you'd understand why this security is the second one but anyway um the the internet really showed up in the 60s to the 80s um just gestating basically the privilege people had access to this kind of thing um

computer security got real around the time of the Mars worm when you know the first kind of cyber attacks you know whatever term cyber used to be something that you did and did not talk about and nowadays it's everywhere that's just um anyway network security really took off in the '90s everybody now has a firewall hell everyone I I work for an application security company um and everyone today still ask me well why do I need what you have if I have a firewall I'm like all right those guys they they they figured out how to sell this thing now everyone just assumes that it's got that it fixes everything the other one that that everyone assumes

you AB absolutely need is a is a is a virus scanner you know so they asked me you know so how how is your tool different than than McAfee I'm like jeez we had an education problem in security by way I don't notic that um so security architecture um really kicked in around the the death of B stake uh and you know we had all of these boutiques that just got bu out of like the the remnant ashes of that stake people leaving bleeding out of semantic each we had maybe 150 people and each one of them went out and started a company somewhere so that they can get out um so you ended up with all

these little security boutiques everywhere and architecture became ping for a while as a result Big Data it's obviously big now um application security is starting to pick up because people are getting good at all the other layers we're actually starting to Mak some making enal progress in securing things I know it doesn't seem that way sometimes and everything gets owned anyway but there's a line there's a line there there's certain people that are not getting hacked nearly as much as they you know might deserve um but they've done the work um and uh you know I'd say that um raising the bar and we use that as a strong man generic term for what we do

but it is what the security industry is about you're never going to be 100% secure so we always are talking about different ways of raising the bar um uh these companies as I mentioned uh you know uh the security companies that you're run into are these consultancies uh manual Services technical Tech assisted manual Services pen testing architectural reviews things that generally require a human being um uh product sales uh so you we're talking the virus scanners of the world the things that you install in your under servers uh Enterprises that have security departments and uh uh QA and it and secure responsibilities across the the organization and uh software are service type companies that are offering

Services um through automation so you're going end up running into these this range of companies uh each one probably defines success a little differently um personal success is a little bit hard to get at um but we're going to try business success is pretty obvious it's pretty clear what makes a successful business sometimes and it's going to be money share Li vality we love that term um things like Market leadership U being able to measure your stability and predictability um so yeah what do these have all in common is measurement you can't improve what you can't measure um so having a business that is measurable is one that can be made successful and then we'll have the

uh people interpreting it as a successful business um the uh that's that's all I know about Finance but it all looks if it looks like that it's good that's what people want to see if you can make it hocky stick too I hate that term but I'm even from New England whatever um yeah if it's up and to the right you're good right okay good and now that you know and you just want to make sure that keep sh keeps popping up all the time um exit strategy one thing you could do in your business is run out of money it's likely that this will happen most companies don't make it and uh they find a way out

usually at the very very last minute to find a way to take care of the employees in the time of need um but for the most part angry VCS sad Founders fire sale of everything and uh yeah then you start applying for dumb jobs so that you can pay your bills um not the way you want to up um your build quick exit strategy um you know the California model here is that you know you're trying to um taking as little investment as possible um sell early if you can um so that you don't uh basically build too much burn over time um and then you know you really need to know people I wouldn't start

doing the build quick strategy unless you knew who was going to buy thep already you you basically need to have that it's like you know I launched a company okay who's going to who's going to buy us you it's going to take you a year to get that done but you know two years in you know you better res signing paperwork if this is your plan um so little to no investment usually means seed round and then you're immediately using very lightweight Technologies to distribute what you do um a long haul company which apparently is what I've done um is a long-term multiple round investment from various various uh players up there for spcs and uh it's really about building a

market um you know many times uh you are are bringing something new to the table that nobody's ever seen before this is just part of how things are if you were kind of doing the same thing as other people then you're already entering a compet a competing Market unless you have something really magical about the way you're doing it it's probably not worth your time and you probably won even get the investment so you know you really need to be doing something new interesting and as a result um you know your goal eventually is going to be to get bought or to go public and honestly you want to be going public no matter what you don't want to be the company

that says uh uh we don't have the finances to go public so let's get FY that ends you up in a negotiation where absolutely everybody's got three years of golden handcuffs and your stock doesn't uh buy as many options or your options don't buy as much stock in the acquiring company and you end up with a much more dismal acquisition unless you're willing to be able to and capable of saying no to an acquir you can say I'm just going to go public instead sorry your deal sucks you're going to do a better job you know you be able to say no they know that they won't make the bad offer and they get the good offer

that's the trick so never ever even if you don't plan on going public always say you're going public that's the rule just say never Weaver from it and have the financials to back up that that's an option so even if you do intend to get bought 100% um make sure that you have you know CFO that gets how to you know you got to be serious you got to have a CFO that understands you know how to do a how to do a public company and it's done it before then they'll BL you so lifestyle company um too many of these out there but uh usually this is what happens when you have sort of one person

who owns almost all the stock in the company and all they want to do is hire people to get the work done around them and they don't intend to sell they don't intend to go public and they're just going to take forever and eventually they're going to pass it on netically to their kids or something you know it's not there's no exit strategy at this point it's not exit it's about it's my company and I will have it for the rest of my life the Dynamics are very different there so personal success factors um yeah right so we're just talking about the fail competition there um you know what people consider success um what motivates you matters uh

are you altruistic are you doing it because you think you're doing a good thing for the world are you doing it for money Fame are you just bored I know I was at the beginning and and uh security was uh and hacking was very uh motivating I I I first time I got a taste of actually do something and wri an xplay for it's like oh yeah I do this a lot um you know the question is you know what what makes you feel good what makes you happy um so you like your job would you want to start a company would you prefer to do your own thing or do you like to be a good follower I mean

there's great leaders and there's great followers great followers take good ideas that they believe in and make them possible it takes a careful blend with both of those types of pers ities to make something really work um so know which one you are you know if you don't want to lead don't lead but be a great follower instead of being a great leader it's fine it's important that you make that distinction though and know which one is which you know you're going to see the leaders out there and it's going to be pretty natural for them it's not natural for you maybe it's maybe being a great follower is what you should be studying up on there's actually a formal

psychological uh term called followership that one can read on if who cares um so yeah getting famous sounds like a good idea once you're famous it's really hard to turn that into money um it's just you know the long arm of marketing personal marketing personal branding I would be surprised if my kids didn't by the time they were 5 years old already have their own personal brand it's what is happening around you in Mass everybody is going to be you know themselves plus whatever products that they've produced and uh uh you know things they've written uh it seems like everybody online has a brand now U so understanding that um is sort of key to

understanding Fame what do you do when everybody's famous next to Facebook you everybody knows what everyone else does now so yeah so what do you do once you get some money do you you know how do you how do you use that to make yourself happy you don't want to act like a person with money that that that's like the number one way to lose friends lose influence lose prospects and you know think that your ideas are way better than they are because you're not taking criticism from the people around you that are rich so we need to be asking for feedback a lot I'm going to get to that so what is good enough uh

success is different for everybody but we tend to agree that money is not happiness um we tend to think that happiness is a requirement to build well um uh I think that fortitude required to grow your career requires that you love what you're doing I wouldn't be able to do 15 years the same code but it absolutely think it was awesome so um yeah so what is good enough is there a perfect job a perfect project you know does it have to be you does it would you love to work on somebody else's stuff get those answers for yourself school if you're going to do it you got to get a job School helps um if you hack all the

time you're going to get bad grades like I did um and then graduate though and even though I got bad grades I was actually told by my advisor in my junior year at MIT that I had no future in computer science and that I should stop doing it and I should be for major I'm glad that I loved it enough and I knew that she was full of it she want sabatical and uh that semester when I went into my uh current affairs and Computer Sciences class um sort of a an elected class around what was going on in the world turned out that the cour work was my exploits for an explor so I started feeling real good

about graduating and sticking with computer science in that way because they had no idea that I was sitting in the room they told me that you know I had no future and I'm like okay well you're teaching my stuff right back to me at least this year is going to be a really easy year yeah chances are you're not Bill Gates though chances are you're not Steve jobes you're not going to drop out of school and then suddenly everyone's going to respect you for your your Genius it's just not rare rare occurrence um so so try to get that graduate you know um hacker companies um I'm glad to say that I've helped to start one um I'm glad that I love to

have hire hackers I love to hire people that are creative everyone at barode sort of passes this this bar of being a extremely creative person you know we really you know pull from the industry and we try to get people and give them a career path and help them grow one thing that um shows up a lot though is skepticism and it is part of being a security researcher you have to think that everything is broken and you have to show how everyone how that thing is broken um when it comes to other people however and teams and groups we don't always need to find fault in each other it's easy to do it's hard to turn

off that skepticism when it's appropriate um so healthy skepticisms things like per to me that you've done some work securing that machine before you put it out the internet that's perfectly good thing that we should be doing uh unhealthy um everyone has faults it's only a matter of time before I discover yours and exploit it leaving you to power as a powerful powerless variety your occupation so the idea of you know pulling apart your your uh your co-workers is not not a friendly thing to do and will not get earning points from anybody but uh it's typical and and pretty common so watch out for that parano also good uh we should secure uh uh you know do full security using the

software for release and automatic reviews for every minor release and I kind of think paranoia the expectation that you're going to get hacked is part of our nature um the unhealthy side of this is things like I think the Sals and marketing team have it out for the engineering team they might but um you'll find that the paranoia doesn't help in briding the Gap there bringing even closer together um you have to go out your way it's not comfortable um for either side of the house there to you know come together but get those social events going you know do things you know we have a uh you know friendly drinking night type thing in am we do a lot of uh games

we have poker kns and all that kind of stuff so people actually that might not normally hang out get know each other we get the opportunity to do that so um maker ethics um we should cons uh we should conduct full Security reviews of this offer each qu of release that's actually mistake from the old slide anyway um okay so we're going skip that one but the uh the notion of having Neer ethics in your company is uh is really good because the uh the desire to create things and tear them apart and understand how things work is all two sides of the same coin um you know I think uh you know the the growth of the

maker industry um is really uh you know been a boon for the security industry it's almost like um the more people that make things the more valuable our work you know so keeping that perspective is is important um encouraging hagri culture um there are things you can do in your company to encourage um hacker like Behavior Creative Behavior um you give people free time give them you know the Google time that they want the 20% one day a week uh to do whatever they want um many times you're going to find that they do things that benefit the company because they love what they're doing um we at herco do hackathons um which are basically 3-day

plus a weekend hacking runs of just do whatever the heck you want and um sometimes people work on work ideas sometimes they learn new things that they've never learned like you know sales guy comes up and learns how to solder you know put some Blinky lights together you know kind of thing um and it it it gives people respect for the amount of creativity that is not going be showcase that little science Spar never hurt anybody um uh we do security awareness trainings uh so people that might just take security for granted at least understand the scope of the problem um it might not be all that fun to sit through an awareness training it sounds

like an HR weasel word but it it really when it's run by the research team and everybody has to sit there and kind of get used to the idea that security is not going away anytime soon you know um that's the kind of that um at Le increases respect when people say I mean when they get the big fat no you can't put that on the external website or whatever um you know at least understand that there's a process and the process is there for their own good it's becoming less and less of an issue say Grandma's getting hacked these days everybody gets hacked everyone knows what identity theft is like 10 years ago nobody knew that grandmother didn't know

what identity that was wasn't an issue this these days it is so I give less push back um role progression everybody expects that their job is going to make them um you know uh give them some progress over over time you know you going to start off as a researcher and hopefully get seen a researcher and then maybe principal architect and then maybe you can work with management or whatever whatever that progress is you actually have to be a little wary of it knowing what makes you happy is it may not be getting a raise or how many times when those things happen they come with responsibilities and those things change if you like writing

code maybe you don't want to be development manager you might find that you're doing project management all day and spending every single waking hour of your time in Jura and clicking on people story points and asking them why it's taking them so long to get the work done and I'm my God this is never going to get done on time all that so you know instead of actually sitting there and making the thing happen uh you're helping to hurt cats and if if you if you like doing that then then fine but you might not want to take the promotion unless you're absolutely certain so no wear in the company makes you happy too you know uh many people are individual

contributors you're going to find that you end up as a Project Lead if you do your job well you just be given the responsibility leading a project it's going to feel good you'll want to do that but then you know you realize the next step is middle management and you're like interesting all right executive management to get even even a little more remote and of course you get the big long with the company and it kind of gives you some sense of you know uh what people when people invest what they're really worry about I mean you taking how much of their money that's a lot of money other people's money is not something you really want to have the

responsibilities to those people is huge you know you take in $40 million or something boy you got $40 million of debt and you better be making those people happy you know so yeah it doesn't come for free um so coming up going up and and then kind of ending up as Founders or CEOs or board members of companies you end up with a lot of this uh you know what you know you're right up against the money right up against the investment and um you know you have to be able to make commitments that you're believe in and it's about your word at that point they're going to invest in you because they believe in your ideas they believe

in the people that you've assembled so um you we the peer principal the peer principal says that people will always get promoted to their level of incompetence if you're really good at something they'll give you a promotion until you're no longer good at that thing and now you're stuck doing a job that you're not good at just kind of you really need to vet that promotion make sure that the work you're going to be doing is something that you really want to learn that you really want to get into otherwise be so I had a lot of people that I started a company with that don't want to progress past middle management they just don't want to do it and I

totally understand they want to have their fingers in and that you know uh at the individual contributor level as well and it's it's important that they continue to write code and things like that to make themselves happy so they don't want to do all of the other stuff so I totally get that so I'm going to actually sum this up and wrap up this uh this topic here with basically 10 things that I think are absolutely fundamental to uh hacker management dealing with creative people and running hacker companies all right so number one Thou shalt appear presentable approachable and kind it is non obvious at first that books matter um but as you were hiring um I've seen some syap of

horror shows when it comes to people scaring customer or clients uh or you know people scaring uh their managers and people scaring people because they're dressed in a in a very U scary way okay black all day is good that's fine you know wherever you want up the office very good but for the most part hygiene matters smelling good get having a meeting with somebody you know it's good to to actually um avoid the troll of the Brit um so if you don't want to be treated like an outsider and you want to make contacts and and whatnot at least soften it a little just soften the the look heart is good I like heart but

there a time and a place for it um rule number two um that will be a good team leader and a good individual contributor you have to be both you cannot just become a manager and then lead your team I've seen so many managers that are just looking to get idolized by people that work for them they become the friend and not the manager and at a certain point you have to realize that those people are not contributing anything they're just kind of summing up the work I've ever been beneath them and passing it on it's like why are you here what are you doing what are you adding value you actually have to add your own

value still cuz really in an order chart you think about it you have people that you that work for you but you're also on a team of people at your level if you're not contributing in an individual capacity to that team uh you know forget managing you know and you lost what got you there so don't do that rule number three Thou shalt prioritize the team that you're on rather than the team you lead it's even a little deeper really the team you're on is the one that needs to be successful you know the executive function at the top of the company is the thing that needs to be successful otherwise you are walking blind you are

making bad decisions all over the place all of those things that you know you hold dear at at the individual contributor level they're going to go away because people don't understand the value anymore so making each team successible from the top down is really important it sounds like self serving you know cuz I at that executive level but honestly if they're Flying Blind and they're not doing a good job because people uh on the team around them are dysfunctional then everything beneath them is going to be terrible too um effectively you should be able to at any time delegate to your best of your direct reports if you're doing a good job there's somebody beneath that you're

that you're work that you're managing that you should be able to delegate to so that you can continue to be an individual contributor when necessary One Number Four um that show be inclusives of many skill sets and expertise in your organization um I would not want to run a completely homogeneous computer network I don't know why anyone would want to run a completely homogeneous company the same reasons you know you don't want to amplify the things that are um weaknesses in your organization you want to have a little bit of everything if you can um try be as broad as you can in your hiring understanding full well that not everyone's going to understand everybody um takes all kinds of people

um surrounding yourself with really smart people sounds like a great idea but it's also important to understand that boring work will never get done if you only hire smart people it's just how it goes you're not you're going to find that there's a cluster of work that absolutely nobody in the right mind would want to do so you need at least a few people that aren't in the right mind to do that work make sure you get them don't don't Snicker at it cuz it's it's so important that that gets done but you just you're not going to be able to get you know the extremely creative sometimes to do them extremely mundane those still need to get

time so rule number five thou sh Embrace time and project management techniques yeah J all right here we go um yeah so every project that looks like it's going to be longer than two weeks worth of work you better be breaking that stuff down into like dayong tasks uh basically everyone takes as much time as possible to get a task done if you give people 6 months it'll take them 6 months to do it if you give people a month to do something it'll take them a month to do it I you might get different things but you might actually get exactly the same thing except that people took six months so understanding what work really needs

to be done is really important don't just take time estimates and face value everyone that's an engineer is absolutely terrible at time management it's just how it is it we all take an infinite amount of time to do everything it's it's kind of you know work is never done you know and that's actually um kind of a big deal too uh so that's all depend on rock stars and hero cters um you know it's great to have smart people it's great to have people to take on responsibility they don't scale as a project gets bigger that one guy that knows how everything works is either going to be you know you're either going to become a slave to

that one person or uh they will die and get hit by buy a bus or something and now you you have no company you have like a whole quarter of trying to make up for that loss you know I suppose that's a little insensitive moving on um somebody dies po anyway um okay so yeah so you're not Invincible that's the point um you know just because you have really good programs or what doesn't mean you're going to you're succeed uh so making sure that you Empower everybody and that you make the the software maintain able if you're writing software for example um well number seven th s Embrace process um so yeah all of the stuff that goes along with

that project management it's there for a reason you know so learn your agile learn your scrum learn your handband and get religion around it the idea of providing people a way to measure that you know measure their progress measuring is is key to Improvement being able to show that estimates are wrong and that things are taking less or more time is really really important um you know there's nothing worse than you know telling a major Enterprise that product's going to be ready and then having it ready a month after they want start us immediately you so when you make a promise on a date you better have all the all the stuff and the numbers to

back it up um hire somebody to do this you don't want to do it yourself but do it um and uh in terms of your your departments uh nobody should ever feel that they don't know what to do uh in a situation you know there should always be an outlet for asking questions there should always be a single point of entry you know I come back from a conference and I've got a pist full of business cards I should be like well I'm just going to throw these in the garbage somebody in marketing wants those things might not know who once it come to gets to a certain size it's like well I don't even know who who wants this right there

should be a place you should be able to ask should be able to find out and then you know deliver those things you know every little thing like that um to smooth out the process of you know of scale uh it's going to be really important okay rule number eight thou shalt not require Perfection for does the mortal enemy of good enough um everybody wants their code to be done it's never going to be done ever it's again why we have an in right um so yeah yeah it's it's it's important to note that um the attitude of um of winning or catching the bad guy is actually uh you know totally fatal um stopped going to a lot of these uh

government cyber industry working groups because they were spending all of their time kind of talking about the last time they got hacked like some kind of weird cyber AA meeting then then after that just you know rat H holding on the concept of catching the bad guy who did it to them as if that wasn't just going to prevent somehow the next bad guy I mean while they're talking about it somebody else attacking him again right so um recognizing is good enough when you see it uh is a skill that should be uh uh near and dear to the heart of secur researchers you know there is good enough and there is overkill a waste of

time and waste of money rule number nine those sh trust but verifying um it's important that you give people a chance to do the right thing in your organization as a manager there's a Temptation when especially in a technical manager position to micromanage the crap out of beneath you asking for constant updates asking for you know uh you know a lot of meeting time uh you know there's the meetings that are that are that are designed to be problem solving and then there are meetings that are designed to be um you know information sharing but really if you think about it meeting should be 20 minutes or 2 hours that's it period if you're not doing it that way think about

it um so yeah producing number of meetings try to do that um but trust people to do their job when you give them something to do trust that they're going to do it and let them fail if they fail let them fail even then you know minimize minimize the impact of failure of course but let people do their job um you're going to find that delegation doesn't work unless you do and the last one here is one number 10 Thou shalt give give feedback well and take feedback even better ask for feedback be a big enough individual to ask your direct reports and the people around you to give you constructive criticism it may hurt even if it's

constructive but those people need to give that feedback to you and you need to ask for it they won't do it unless you ask so ask for feedback and don't put together a companywide survey and then just expect that all of the red information will somehow be derived from this uh it's a person personal thing one-on one's really important in that way once a quarter ask for feedback on how you're doing it's it's really important and it'll make you a better hacker manager so I think that's it for now um if you ever have any questions about my experiences or uh what I think you can do to do a better job um come talk to me

find me at the bar around here or shoot me email I'm really easy to find in bar good so we to talk just about anybody so thank you guys for your time