Michael Spaling

BSides Calgary | 50:00 | 136 views | Published 2022-12

Well, I've been told we can go, so let's get started. So thanks for attending. Um, I'm actually really, really excited to be here. This is the first in-person presentation I've done at a conference in, I think, about two and a half years now, so I'm gonna ask one thing from everybody for the next hour or 45 minutes: that's just a little bit of patience. Um, I've built some really bad habits in the last two and a half years doing a lot of, like, virtual presentations, um, so I'm realizing that what I'm used to and what, uh, in-person presentations are like might be a bit different. So we're going to be good.

So thank you for attending BSides Calgary, thanks for attending this presentation. I'm going to assume if you're here you're probably stressed out. Just a show of hands, who's stressed out, ever? Just everyone put your hands. Okay, if you're not some degree of stressed out, you're probably stressed out. So a couple years ago, on, back in 2018, um, I had sort of a peak when it came to stress and mental health issues. I started seeing a therapist and I spent two years talking to her, and at BSides Calgary 2020,
um, I actually did a presentation, uh, on, on my mental health issues, what I learned talking to therapy, and since then I've had almost nothing but good responses and good reactions from the community for that. I was constantly, um, encouraged to continue to speak about that, continue to bring it up, continue to talk about it. So it's been two years since I've done that. Uh, COVID has since kind of happened, um, we've all got used to virtual environments, and a lot of different things have happened with my mental health since that conversation. So what I want to talk about today is just kind of maybe update the community and talk a little bit about what I've learned, what I've gone through, and hopefully it can help everybody else.

So really quick, I'm not going to go through all these, you can read them there. If you know who I am, cool. If you don't, uh, my name is Michael Spaling. I lead the internal information security team at the University of Alberta. So the U of A is one of the top five universities in Canada. Um, officially we're top 150 in the world, but we tend to straddle the top 100 based on what, what ranking system you're using. In terms of scale, so the U of A, we measure our budgets by single digit billions, uh, we measure user counts in the hundreds of thousands, we measure devices in the mid to high tens of thousands. So it's, it's a relatively larger institution. Um, I like working there. It's post-secondary, and as you can see from a lot of what I'm generally involved in, I focus a lot on the post-secondary industry when it comes to cyber security, so that's something that we're going to bring up later on in the presentation. But full-time career job, I lead the U of A's information security team. I'm also an instructor at the U of A, so I teach one of their advanced network security courses, and one of the, um, the MINT programs, that's a master's program. I'm also a research supervisor in that same program, so as a requirement to graduate the students have to do sort of a six to nine month research
project that involves seeking out a subject matter expert in their area to supervise them through their research, so I'm actually doing that right now for one of our students. And the last thing that I do, um, is I co-chair one and participate on of just post-secondary committees tied to cyber security curriculum, uh, in their courses. So I've spent a lot of time focusing a lot of my efforts on post-secondary as it relates to cyber security.

So, a little bit of a background, and we're going to look at, at three things today. So I'm used to moving around like this, I'm not used to standing just behind a podium talking to a microphone, so if I'm naturally doing this and coming back, I'm sorry. Um, we're going to look at three things. So I said I've had almost universally positive responses when I talk about mental health, and that's definitely been true for, I would say, the cyber security community, but as I engage other people, and especially in the last two years, I've actually, I've had some negative interactions, and I wanted to speak a little bit about those. So that's what we're going to talk about at the first part.

The other thing that I've learned, and this has really kind of built up my stress a lot in the last couple years, is expectations versus reality. Uh, there's a lot of, you know, just online communities, Reddit's got a bunch, where, you know, they show something that you think you're getting and then the next pictures that you actually get, and it's, they're not related. You know, it's more comical than anything else. So I've learned a little bit about that with the cyber security industry. You know, oftentimes we have expectations of certain things and then reality sets in and you realize that they're not, they're not the same. So I want to talk about that.

But the last thing, what can we do to help, that's something that I want to talk about. Um, I've learned that there's a lot of stuff out there on mental health now, which is great. There's very little actually tied to cyber security, which is kind
of sad, and the stuff that is out there is, frankly, it's mostly just statistics. It's like, did you know that 98% of SOC analysts burn out in six months? Like, yeah. I don't know if that's the actual stat, I made it up, but it's probably accurate. Um, so I want to actually talk about what can we do about it, because that's where a lot of the stuff I've learned with mental health and cyber security kind of falls apart: everyone's stressed, everyone's anxious, but what can we do about it? I'll share with you some of the tips that I've, that I've learned.

Um, and the last thing, normalizing the conversation. So the key word here is conversation. So this isn't meant to be, you know, a talk-at-you thing where you go, hey, that was a cool presentation, and you leave, or you go, that presentation sucked, whatever, and you leave. Um, the idea is to spawn this conversation up with people. Um, one of the nicest things, coolest things that's happened since I started talking about this publicly is I've had actually a lot of people, not going to out them or anything, come to me privately and say, Michael, thank you, thank you for talking about this, because I can relate to everything you were saying. And the, the commonality across those types of people is that they're all different. I've had every age group, every gender, every race, every, every everything, every employee. I've had CISOs, I've had people that just got started, say, Michael, I could relate, maybe not to everything I talked about, but to a lot of those different portions. So this talk is, is universally applicable to people, and to the people who are out there talking about this, kudos to you, thank you.

I was actually, um, asked to speak at Bow Valley College virtually a couple months ago, uh, for an event that Bow Valley was hosting for their IT staff. Um, so James invited me to speak there and we talked publicly about some of our experiences, and that, that was like, that was great, that I think that helped, so that was awesome. Um, last piece of intro tech here, very important
one: I'm not a doctor, I'm not a therapist, I don't play them on TV, so I'm not licensed, certified in any way to tell you what's wrong with your brain. Um, my therapist can tell me that. So this is not, you know, advice, it's not medical advice, don't take what I'm saying as medical advice. Number two, these are my thoughts and observations. Okay, the reason I have "my" in there is you are welcome to disagree. In fact, you go right ahead, you can say, well, that's stupid, I don't agree with that, I never experienced this. Totally fine, these are just my observations, okay? And number three, your mileage may vary. So working for the University of Alberta, and in the role that I am, I'm blessed to have access to certain types of benefits. I have a lot of leeway LCA with, with perhaps how I do my job and how we do security, but I realize that that may not translate to some of the other organizations out there. So let's get going.

"It's all in your head, Michael." Out of curiosity, has anybody ever said that to you? You know, you bring up a problem to them and they just go, ah, it's in your head, and you, you don't really feel good when somebody says that, right? I, I've had that said to me a few times, and it comes out with very dismissive, it's very, very passive. Um, obviously I'm not gonna out the people who've said that to me, but, um, I've had great conversations with people who have said, yeah, this is awesome, let's talk about this more, but I've also had people who have told me they don't get stressed. So when I, when I asked earlier who's stressed right now and, you know, people didn't put up your hand, well, one of the great equalizers of being a human being is that we all get stressed, we all get anxious, right? Death, taxes and stress is really what, what should be those equalizers. And I've met people who claim they don't get stressed. Um, I've met people who claim they don't get anxious. Um, how many of you have heard of imposter syndrome? Just, you know, how many of you have imposter syndrome? You can put it on. You see, the funny thing,
like, like I see people here who are literally chairs of boards just put their hands up saying I have imposter syndrome, and like, crazy, but it's a thing. Um, I had someone tell me imposter syndrome's not real. Uh, someone who had never even heard of it, when I was explaining what it was, they said, no, Michael, that's not, that's not even a thing. And I was like, but of course it's a thing, like, there's literally books on this stuff, there's, there's research in that area, you can't just tell me it's not a thing. So, um, I'm not going to get into those, those, those discussions, but, uh, that's some of the barriers that I've hit in the last couple years, is even people not realizing that things like imposter syndrome are real. So I expected to go into the conversation saying, oh yeah, this will be easy, and then, no, you have to actually convince them first that it's a real thing, never mind trying to get support for it.

Um, I was actually accused of being selfish in the last year. I, I bailed on a birthday party, um, last minute, and, and I was called selfish because I didn't consider the thoughts of the person whose birthday it was, and I didn't consider the thoughts of this and this and that. And like, I understand, I get that, and, and I can see why they say that, but I had gotten to a point in my head where I couldn't do it. You know, I was so stressed, I was so anxious, I, I just could not go to that birthday party anymore, and I had to take time for myself.

So when somebody says to me now, you know, I'm like, oh, it's all in your head, I usually have two responses to that. First off, find the common ground. I agree with them. Uh, yeah, you're right, it is only my head, it really is. Some of it may manifest as, you know, physical symptoms, but that's the problem, it's all in my head. But number two, that doesn't make it any less real. Just because it's just in your head, and maybe it's difficult to measure, it's difficult to describe, it might, it doesn't make it any less real. So, um, I'm showing you my notes here, so I've made a point of
time decision. If I go back to the birthday party example, right, is I had to be not selfish but self-care. It's one of the key things my therapist has taught me, is that at the end of the day, when you're dealing with mental health issues, making decisions that are for you, yourself and your best interests, some people might think they're selfish, but at the end of the day it's all about self-care, right? You do have to look after yourself and your mental health first, and I'm terrible at that, right? I'm usually trying to put other people's first, I'm trying to, you know, schedule stuff, coordinate stuff, and then 10 minutes before the event I'm sitting here going, oh, why did I agree to this? Not this, by the way, this was great, I love doing this, but I'll just clarify that, right.

Um, but, uh, I'm just gonna say, if you happen to be someone who has said, you know, oh, mental health's not real, or let's, um, you know, imposter syndrome's not real, uh, just, if someone ever comes to you and says I'm having some mental health problems, just please listen to them, okay? Take it seriously and listen to them and see what they have to say. So again, it's all about supporting them. So, "it's all in your head, Michael", like, I've had that said to me, but you're right, it is, however that's the problem, and it doesn't make it any less real, so let's work together to solve it.

Um, the other one, expectations versus reality. This is where we need a little more to the cyber security side of the house. So I explained what this means earlier. If you don't know, again, it's just, you know, my favorite examples are, um, you know, people like, they, they go to Amazon and they buy something and they think that it's going to be this, like, super cool, like, six foot tall Pokemon stuff, yeah, then it shows up and it's, you know, like, maybe a couple inches, because then it's like, what's going on? Um, another really interesting one, uh, but Instagram reality, it's literally a subreddit out there where it's like, you know, you see selfies of people, what they post
on Instagram, and then you see selfies of people they post on real life. Completely different, right? Um, but that's actually a fascinating thing to me, because that's not real, right? That's not real, and I can't stress that enough. Um, online does not equal the reality of it. But a fun thing about cyber security I've learned is that so much of what we do is online, right? Um, maybe, you know, it's 2 a.m. in the morning and you're trying to, you know, get a firewall to reboot or something, maybe that's physical, but the rest of it, it's almost an entirely virtual domain now for us. So we spend a lot of our time online, and because so much stuff online is easy to misrepresent, I've learned, for me, it started to cause me some stress over the years as to, you know, is what I'm dealing with online, is this actually the reality of what's going on, or is it not? So I've tried to become a little self-aware with what I'm learning, what I'm seeing online, and comparing that to what, what I consider to be true in reality.

So I want to just go through a few examples of this. I'm going to take a quick drink real quick, but how many of you are involved in incident response, like security incident response? How many of you who aren't, how many you want to be? You think it's pretty cool? How many of you saw these slides and you go, yes, I want to get into it now? Um, some of these are amazing, like, my favorite, that makes things just sound soon super cool. All right, here's a guy in the bottom, bottom right there, incident response, he's got his fancy futuristic little iPad thing, he's just pushing the lock button and we solve their problems. Um, what else do we got here? There's lots of lock button, cyber attack, security breach. Okay, so I just went to Google and I just searched for literally "security incident response" and I cherry-picked all the really fun, you know, it's a lot of, like, like graphs and flow charts, no one cares, I picked the cool stuff, because that's what they want you to see, right? When you go to Google and you search
security incident response, this is the type of stuff it shows you. It makes it look really cool and really sexy and really awesome and really neat. You want to know what security incident response actually looks like? That real, actual picture. Um, I had this talk in my head for the better part of, like, six, seven months, and, uh, I submitted to BSides Calgary, got accepted. That's me, not me, that's me taking a picture. This is actually me, this is real. Um, that is me doing security incident response at 9:30 PM in my in-laws' basement. They live two hours south of here, I'm from Edmonton by the way, they live like Lethbridge, um, in their laundry room slash basement, uh, because we were dealing with a pretty big breach. So we just learned about that morning. Um, I was on vacation, by the way, and I get a text from one of the guys on my team saying, hey, I think we have a problem. And, you know, that's generally a daily occurrence in my job, but the question becomes, is this like a "hey, FYI, we have a problem, I'm just, you know, keeping you in the loop and we'll deal with it", is this, uh, I was at the lake with, with my, my wife and my kids and sister-in-laws and their kids, you know, "just to come back to shore" problem, or is this a "cut your vacation short and come back to Edmonton"? So, spoiler alert, was number two, it was at the store and get on this call right away. Uh, we realized what was going on, we realized that we had to bring in some external groups and we had to coordinate all of that, so given everyone's schedules, 9:30 p.m. at night, my kids are in bed, my wife's upstairs, in-laws are upstairs, this is me at 9:30 doing incident response. This is what it looks like. And bonus, if you can't tell, by the way, that's not a chair, that's a foldable step ladder. Okay, I couldn't even find a chair. So that's, this is the reality of, of, of, of incident response.

Another fun one. Um, I don't know if you can read that. So there's a really funny website out there, it's called viralpostgenerator.com. It asks you two questions, it says what
did you accomplish and what's your inspirational message, and then there's a cringe slider, and you can slide between low level of cringe and high level of cringe and anywhere in between. You hit generate and it will generate you, uh, sort of LinkedIn-esque post. Um, and it, you know, and it's completely fake, but it's hilarious. So all I put in here was, like, you know, cyber security, I passed a cyber security exam, and what's your, what's your inspiration, you know, do it, you do what you set your mind to. So this is made up, but I can see people laughing at this. How many of you can relate to seeing these types of posts in, in your feed? Basically everyone's just kind of going, uh-huh. How many of you post this stuff? Yeah, everyone just said, okay, I'll trust.

So this is, I want to talk about this one for a second, um, because I'm going to be honest with you, these posts, they make me feel bad about myself, which is really weird, because people tell me, you know, I'm generally accomplished, and okay, if you want to say that, fine, but at the same time I see something like this and I don't feel very good. You know, I have a lot of security certifications, they weren't easy to get. Um, one of the things that I learned about this is it gets my brain going in this spiral as I read this, and I'm like, wow, like, this is super inspirational, this is the easiest thing on the planet, look at how cool this post is, look at how easy, look how happy they are to have gone through the certification process. Who's ever been happy to go through the certification process, right? You're happy when you get it, but the amount of stress and anxiety you deal with, and I noticed that that was, um, I was, just, time out, super happy there's a lot of students here today. Um, that's fantastic. Even six, seven years ago, frankly, we never really got students coming to security conferences, so BSides Calgary, BSides Edmonton, the other ones that exist out there, hearing that, you know, there's 80, I mean, what was it, 80 something students, 100 students, that is
amazing to hear there's students here, because it also means that a lot of the stress stuff translates to what a lot of the students are going through, particularly in cyber security exams. So when I look at this, I start asking myself, like, why is this person making it sound so easy, right? Why is it not easy for me? Why is everyone else liking the, why is that of 10 million likes on it? It's fake, but you get the picture. Is it easy for them? Well, I suck, right? I don't have it this easy at all, I'm doing something wrong, right? And this is just, like, one post, okay? So this is the expectation, if we've never gotten into the industry and started looking at security certs, and it's like, well, this should be simple, right? But what is the actual reality of doing this type of stuff? It's a lot of this, right? No one ever talks about how much they had to study or how long they had to study, and they whine about it, but this is the reality