
How Sponsors and Mentors Can Supercharge Your Cyber Career

BSides Las Vegas · 2024 · 4:48:22 · 209 views · Published 2024-08
Tags
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Anthony Hendrick, a cybersecurity and data privacy attorney, explores the distinction between mentors and sponsors using real-world examples from Jay-Z and Beyoncé. The talk covers how to find mentors and sponsors, build your professional brand through portfolios and content creation, develop career ladders, and navigate performance reviews to advance in cybersecurity.
Transcript [en]

[Music]

Good morning everyone, welcome to day two of Hire Ground. Our very first speaker is Anthony Hendrick, who's going to give us a very important conversation about the importance of mentoring in your career development journey. If you want to have an interactive conversation, I can run the mic for you to the audience.

Oh, that'd be great. Okay, hi everyone and good morning. I appreciate you all being here. I am super excited to present "You Need a Jay-Z and a Beyoncé: How Sponsors and Mentors Can Supercharge Your Career." My name is Anthony Hendrick. I'm a cybersecurity and data privacy attorney based in Oklahoma City. So while I am a lawyer, I am not your lawyer, and this presentation should not be considered legal advice. Instead, think of this as a conversation between friends, but if you need legal advice, please, please, please find a local lawyer that can help you. I also host a cybersecurity podcast that focuses on exposing underrepresented groups to the field of cybersecurity and data privacy, and you can find the podcast anywhere where great podcasts are found.

So what are we going to be talking about? Well, we're going to be talking about the best rapper alive. At the 2024 Grammys, Jay-Z took the stage to accept the Global Impact Award, and this was a kind of career-defining moment; it's one of those big awards for Jay-Z. But instead of just talking about himself, he spent a large part of his speech talking about someone else, talking about his wife. He amplified her accomplishments, he defended her artistry, and he tried to change the perception of her among the Grammy voters. And so while the speech was met with a lot of criticism, a lot of pushback, with people pointing out that that wasn't the purpose of that speech, it pointed out something else: it pointed out what the role of a sponsor is.

We're also going to be talking about Beyoncé. And why are we going to be talking about Beyoncé? Well, Beyoncé is Beyoncé, right? So any excuse that we have to talk about Beyoncé is probably a good one. But just looking at more research about her, she illustrates what a mentor is. And oftentimes people get the terms sponsors and mentors confused, right? So what I want to do today is talk about those two things, but I want to use examples, so that when you leave here you're thinking, okay, I know what a mentor is because I know what Beyoncé does; I know what a sponsor does because I know what Jay-Z does. That allows you to find what you need in your career, because you know what those items are, and both of them are important for you in your career.

So what are we going to talk about, and what is the order? We're first going to just have a conversation about mentors and sponsors. We're going to talk about what those terms are, we're going to look at some research from some of the leading business articles and publications, and then we'll talk about Jay-Z and Beyoncé and why you need both of those in your career. Then we'll talk about how you can be a better mentor and how you can be a better sponsor, if you're in that stage of your career, and then how you can find a mentor, how you can find a sponsor, and how you can be good at that job, because being a mentee and being a protégé is a difficult job as well, and you need to be good at it so that people want to invest in you and invest in your career. And then at the end we can have whatever questions you want, and I'll be handing out some cybersecurity stickers as well. Sound good with everyone? All right, so let's rock.

So, mentors and sponsors. Everyone needs a little bit of help, and mentors and sponsors can play a meaningful role in your career. They've done that for me. But they do more than just help you get a promotion, right? They do more than just help you get that next job.

They also help with retention in organizations, they help reduce burnout, and they help limit career frustrations, and those are all types of things that can be roadblocks in your career. Having a mentor and having a sponsor helps you avoid those issues. And they play a more significant role for diverse and non-traditional workers. They help you, when you're entering into a new field, become successful. So mentors and sponsors are important for everyone, but they are especially important for people who are entering into the field who are often underrepresented.

So what exactly is a mentor? What is mentorship? Mentorship is a relationship between you and somebody who is sharing knowledge and providing guidance. So think of mentoring as you directly having a relationship with a person where they're encouraging you, where they're giving you advice. That's pretty straightforward; I think we all understand what a mentor is. It's that person that's giving you that kind word, giving you a little bit of advice, and pointing you in the right direction. And there are different types and different flavors of mentoring. There's this traditional model called the Guiding Light. This is where you have someone that's a little bit older than you and they're saying, hey, you know, I've seen it all, I've gone through this, so let me walk you through these issues and let me point out some things that you may not understand. So this is that traditional model of a mentor that you think about, that older, wiser person.

But there's also another category called Windows. These are your colleagues who have already experienced these issues. They're closer in age to you and they can provide you firsthand experience about what's going on. I like to call these the Jay-Z rule. Jay-Z once rapped, "[unclear] did that," so hopefully you wouldn't have to go through that, right? And so these windows are your peers, and they're telling you, hey, this is what happened to me, so learn from my experience so you won't have to go through that.

And then we have Mirrors. Mirrors are usually people at your level who can help you identify your strengths and your weaknesses. They may not be giving you actionable guidance on what you should do next; instead they're having a conversation and they say, hey, you're really good at giving talks, you should do more of that. Or, hey, you know, maybe you should work on your writing, because you always complain about getting a lot of feedback on your writing, so maybe that's something you should work on. So they're not giving you the recipe on what to do, but they're reflecting back to you the areas that you're good at and the areas where you may need some improvement, and because they're on your level it feels like you're just having a conversation with your friends.

So what do mentors look like? When you think about a mentor, you really think about that older, senior person who's investing in you, but that's not always the case. Sometimes it can be your peers, it could be somebody on your same level or maybe just one rung above you. You can find mentors in all types of places, and mentors can be any type of person who wants to invest in your success.

So what a mentor is not: mentorship isn't focused on only teaching you skills. It's not a training program. A lot of times when people think about a mentor they're thinking, okay, they're just going to teach me a bunch of stuff. Sometimes, but that's really not the focus of your relationship. It's a relationship-driven process, and it's less about criticism and more about being your personal hype man, that person that's encouraging you to do something, telling you, hey, you should apply for that, hey, you should do that. They're giving you that pep talk, that encouragement, that push that you need.

So let's talk about what sponsorship is. One of the classic examples, and we'll talk about that a little bit later, is Jay-Z's relationship with rapper Memphis Bleek. We're going to talk about that in a little bit, but what exactly is sponsorship? This is where a senior leader is spending their social capital and using their influence to advocate for their protégé. When we talk about mentorship, that's a two-way relationship: it's you and your mentor, right? But when we talk about sponsorship, it's a three-way relationship. It's the relationship not only between the protégé and the sponsor but also with the audience, the people whose perception of you the sponsor is trying to change, the people they are going around and advocating to, telling them, hey, this person that I'm working with is great, they're a future leader, they're a star, watch all the wonderful things that they're doing. So it's a three-way type of relationship.

So what exactly does this sponsorship relationship look like? Well, it falls into a couple of different buckets. One is amplifying your protégé's accomplishments. Oftentimes people don't like to brag about the great things that they're doing. That's fine; your sponsor, that's their role. They're going to talk about, hey, did you know that last year they did X, Y and Z and they accomplished all of those things? Your accomplishments

sound so much better when other people are saying it, especially when it's someone who has a lot of credibility in an organization. Along with that, sponsors are betting their reputation on your future success. They're saying, hey, I'm going to give this person a bigger project, a bigger task, because I believe that they're going to be able to accomplish this. So they're giving you that opportunity to succeed; they are betting on you being successful. Then also they're sharing their goodwill and letting others know that you are their protégé. They're going to let you know that this is my person, this is the person that I'm supporting, this is the person I'm advocating for. I like to call this your Roc-A-Fella chain. If you've seen any of the members of Roc-A-Fella rapping, they all have their chain; that's the symbol of the label, so everyone knows that they are with Roc-A-Fella, they're with Jay-Z, and that's him giving his goodwill to them.

A sponsor is also a defender. That's a big part of their role, and I think it's probably the most important. They defend you from criticism, and if needed they offer explanations for why something might not have been as successful as you wanted. This is important because oftentimes when you have a sponsor, they're going to give you these big projects, these big stretch activities to do, things that you might not think that you can accomplish. They're giving you that opportunity because when you are successful, now everyone knows that you should be a leader, that you should be promoted, that you're ready for that next role in the organization, because you had a task that was a little bit beyond you and you found a way to be successful. So they're going to protect you from criticism, and then they're going to explain if things didn't happen the way that they should have happened.

So what is the impact on your career? Mentors and sponsors are so important. Mentorship can help you develop stronger and more valuable relationships at work. It can provide you access to important decision makers. It can help you develop social skills and create new ties with other people. Mentors act as an endorsement and a signal of respect from others. So why is this relationship important to have? Well, when we talk about cybersecurity, in this industry it's hard for organizations to be able to keep employees, and there are a lot of different reasons why, but one of the reasons why people leave the organization is a high level of stress and a lack of support, right? Those are some of the common things that happen, and mentorship aims at those two things.

Mentorship can also reduce burnout. Workplace burnout is increasing, and compared to two decades ago people are twice as likely to report that they are suffering from burnout at work. And what is the cause of burnout? Well, according to studies from HBR, loneliness and emotional exhaustion at work lead to burnout, and mentorship and the connection that it creates can help reduce this feeling of loneliness at work, and ultimately can help you with the issues of burnout. Burnout is extremely costly for organizations: it results in a 37% higher absenteeism rate, 49% more accidents at work, and 16% lower profitability. So it's important for organizations that employees don't feel burnt out, and one way to do that is to invest in mentorship. It's also costly for you. A study from Irvine found that it reduces longevity by 70%, and that's a pretty shocking number. The reduction is more than alcoholism, more than drugs, more than all of those types of things. So burnout can be costly for organizations and for yourself, and one way to fight this is to fight loneliness and develop real relationships with people who care about you.

So what are the benefits of sponsorship? Well, sponsorship equals promotion. Sponsorship is one of the strongest predictors that we have for promotions and increases in salary. If you have a sponsor, you're likely going to get promoted, you're likely going to make some more money. It's the great equalizer. When it comes to promotions, sponsorship matters more than someone's gender, personality, level of education and experience. It is a game changer for you if you're entering into a career. People with sponsors also have a higher level of career satisfaction. You get a more fulfilling feeling at work because you have someone who's looking out for you, who's giving you these great assignments, putting you in a position where you feel like my career is moving forward, and that comes from your relationship with your sponsor.

So what exactly is in it for the sponsor? Well, it's a two-way street. If you're a sponsor, there are some great benefits that you can have. Senior executives who have a protégé are 53% more likely to have received a recent promotion. I think people understand that if you're investing in other people, the organization is going to invest in you as well. And this works even for people who are at entry level who sponsor someone else: they're 167% likelier to have gotten a recent stretch assignment, and stretch assignments are the best way for you to show that you have these new capabilities, new skills, so that you're moving on to a higher position or a different role with a better title.

All right, so let's talk about Jay-Z and Beyoncé. You need a Beyoncé. Mentors provide encouragement, they help you celebrate your wins, and that's Beyoncé's role. I'm going to look at a couple of examples, but oftentimes when you ask young artists who are R&B singers about who their mentor is or who they aspired to be, they're going to say Beyoncé. Let's look at a few TMZ-style examples. Let's talk about this Guiding Light model that we talked about earlier. I want to talk about Chloe x Halle. This is an R&B group signed to Beyoncé's label, and in interviews

the group consistently refers to her as a mentor; they consistently refer to her as family. Not just because they work with her, right; it's because their careers are mimicking hers. They started singing at a very young age; Beyoncé started at a young age. They're in a group trying to transition and navigate being their own solo artists; that's exactly what Beyoncé did when she moved from Destiny's Child to a solo career. So Beyoncé has seen those difficulties that they're facing, and she's able to talk to them about it. She's able to explain, hey, it's going to be rough in this area; hey, making the transition from being seen as more of a teen artist to more of an adult artist is going to be a transition, and I made it, and here are some things that I've seen, here are some roadblocks and some issues that you're going to have to address. So she's serving as a Guiding Light for those young ladies.

But she also serves as a mirror. Let's go back to the Grammys, but let's not go to the 2024 one; let's go to the Grammys last year. Lizzo won the Grammy for Record of the Year, and she actually beat Beyoncé, and during her acceptance speech she talked about how meaningful and inspiring Beyoncé was. Afterwards people were asking her, can you just explain a little bit more? And in interviews she talked about how Beyoncé offered kind words, how she offered encouragement and talked about her strengths as an artist. So she pointed out things that Lizzo was so great at, and so you got not only encouraging words but you got someone saying, hey, here are some things that you are great at, and I don't know if anyone told you that today, but you were really good at these particular things. She served as that mirror for Lizzo, and that's an important role that mentors can play.

So now let's move to the world of business; let me give you some business examples. More than 70% of Fortune 500 companies offer some form of mentoring program for their employees, and most of these programs don't achieve what they set out to do. In 2017, researchers at Harvard Business School conducted an experiment at a US call center. What they did was they said, all right, we're going to create a mandatory mentoring program for new employees. It's a four-week program and it is mandatory for employees. They took a group of the new employees, and those employees had to do the mandatory training, and they took the other group and said, hey, you have a choice: you can do informal mentoring or you can say no, I don't want any informal mentoring. Then they compared the results. During the first two months on the job, the people who had the mandatory four-week mentoring program generated 19% more daily revenue than the unmentored individuals. More than 90% of the revenue gain was sustained in the six-month period afterwards, so just four weeks of mentoring at the beginning allowed them to still keep those same benefits as they moved further along in their careers. It also meant that people were more likely to stay at the organization; they were 14% more likely. Now that sounds like a small number, but when you deal with call centers, people are in and out of that place all the time, so 14% is a big number if we're talking about a call center. The mandatory mentees also outperformed the people who had informal mentorship. People who said, hey, I have a mentor, and then just had an informal mentorship: people who had the structured, required four-week program outperformed them. After the experiment the US call center adopted this mandatory program, and even after taking away the cost, the added expenses that might come from setting up this program and implementing it, they had a 187% return on investment. So you got your money back multiple, multiple, multiple times.

Now, along with having a Beyoncé, you also need a Jay-Z. We started the presentation by talking about Jay-Z's speech at the 2024 Grammys, but what exactly did Jay-Z say? Just in case you weren't watching, let me just pull out a few phrases and we can talk about that together. "You know, some things... I don't want to embarrass this young lady, but she has more Grammys than everyone." What exactly is he doing here? Well, he's talking about Beyoncé's accomplishments, and I think people just don't sit down and realize that she has the most Grammys ever. It sounds much, much better coming from someone else instead of having her brag about her accomplishments; somebody else was doing that for her. This is extremely important because oftentimes women are less likely to brag about their accomplishments, and that's why sponsorship is great, because there's someone there who could say, nah, I'll say it; if you won't say it, I'll say it.

We also talked about how sponsors have a relationship with the audience, the people whose perception they're trying to change. You attempt to change how people view your protégé. So I'm going to pull out just another quote from Jay-Z and his speech: "More Grammys than everyone and never won Album of the Year. So even by your own metrics, that doesn't work. Think about it: the most Grammys, never won Album of the Year. That doesn't work." Right? He's changing the perception of the audience. He's talking to those Grammy voters, he's trying to change how they view Beyoncé, how they view their award, and how they should view Beyoncé's artistry. He's able to have that conversation because he is Jay-Z, he's somebody who's accomplished himself, and he's also using that moment, where they gave him a lifetime achievement award, to tell them about how they're not doing their job.

So let's look at another example, and I like to talk about Jay-Z's relationship with Memphis Bleek. Memphis Bleek was the first artist that Jay-Z signed to Roc-A-Fella Records. They grew up in the same neighborhood, and Bleek has been with Jay his whole career. Sponsors share

their goodwill with their protégés, and we already talked about how he's wearing that Roc-A-Fella chain, but he also brings him on tour. He brought Memphis Bleek on tour when all he had was 16 bars from one of Jay-Z's songs to perform. He had no other material to perform, and Jay-Z took him there and said, we'll figure it out as you go; you better go to the studio and create a new song, but I'm going to put you on stage. And people listened because they were there to hear Jay-Z, and he shared his goodwill with Bleek.

But also, sponsors give stretch assignments. While mentoring is less about criticism, sponsors are required to give that tough love, right? Because your protégé's career is intertwined with your career. When they see that person, they see the sponsor, so you need to have those real conversations to say, hey, here are some things that you need to fix, because when people see you walking around or see you doing those things, they're immediately thinking about me, because I've given you all of this goodwill. Bleek does a lot of interviews on podcasts, and he had a couple on this podcast called Drink Champs, and he admitted that Jay-Z told him he was lazy. He sat down with Jay-Z talking about, hey, what's next, you know, I'm thinking about what I can do next, and he started listing all the things that he wanted to do, and Jay-Z said, hey, Bleek, you know what's wrong with you? You're lazy. You're not working hard enough; you stopped working hard. And he started telling him about all the things that he needed to do to be better. But it wasn't just tough love, it wasn't just criticism; he then gave him a stretch assignment. He said, all right, you're telling me all the things that you want to do, and he handed him a bottle of D'Ussé liquor and said, you're going to sell these. So now he's an executive for D'Ussé liquor with no undergraduate degree, no marketing degree, no nothing, never sold any liquor before. But he said, hey, I believe in you; this is my company, this is your stretch assignment, go to all the meetings, learn about the business and be a leader in the organization. He gave him that stretch assignment.

So let's look at an example from the world of business. A bank did some internal research on why their female managing directors left their organization, like why were they leaving? And they were leaving not for work-life balance. Most of the time people say, oh, we shouldn't even care because they're just leaving for work-life balance, they don't want to work hard, and that is not the case. People were leaving because they wanted a promotion, they wanted a bigger role in an organization, and they weren't getting that from working at their company; they weren't getting those internal promotions, so they left to go somewhere else where they could further their career. And so they said, okay, we need to stop this, we need to figure out a way to be able to keep these managing directors in our organization. What they did is they created a sponsorship program with the goal of assigning more women to critical posts within the organization. The program paired protégés with executive committee members to increase their exposure to these senior leaders, the senior leaders who are going to be making those decisions, but they also ensured that they had an influential advocate. You can't advocate for someone that you've never met, right? You can't advocate for someone you don't have a relationship with. So they started building that relationship, and ultimately they found that one-third of the people who participated in this sponsorship program were in larger roles within the organization within one year, and for another third of the people who participated in the program, executives said, hey, we feel comfortable with them being promoted to the next level. So you either got a promotion or you're about to get one, and that is a great result from a sponsorship program.

So let's talk about getting a mentor and getting a sponsor, and being good at your job as a protégé and a mentee. One of the downfalls, one of the issues with being a mentor and a sponsor, is that sometimes you can confuse those terms, exactly what they mean. We spent a lot of time talking about it, so we're not going to be confused, because we're going to be thinking about Jay-Z, we're going to be thinking about Beyoncé. But I want to use the example of Ursula Burns. Ursula was the CEO of Xerox from 2009 to 2016, and she was the first Black woman to lead a Fortune 500 company. When asked about what helped her get this role, she talked about the mentorship that she received from the company's two prior CEOs. So she used the word mentorship, right? But when we start looking at her examples, what she was describing was sponsorship. It's not uncommon for people to conflate those two terms, and it can lead to troubles and issues. When she was in middle management, the then CEO of Xerox showed her the difference between leadership of a company and being in charge of a department, and he started giving her more responsibilities, bigger projects that people can see. This led to big risk for her, but it also had the potential for big rewards. One of the things that was really important is

that the former CEO gave her a lot of air cover so what is air cover basically uh he protected her from criticism and allowed her that time that she needed to take those big swings to do those bigger projects to do things that may have been outside of her traditional job description and so that led for her to have all of these great opportunities and she didn't have to fear about someone talking bad about her uh or criticizing her because she was doing something else beyond what her role was because she had the big boss going around and telling people no no no she's doing what she's supposed to do I think she's the best person for this job so he

provided her a lot of air cover another kind of problem with sponsors is that sometimes sponsors act like mentors and you may be saying well that's fine right you need a mentor you need a sponsor so what's the problem well a study from the center for talent Innovation found that sponsors themselves don't really understand the role and how to do it well and so only 27% of people who answered the survey uh who identified themselves as being a sponsor uh said that they advocate for a promotion of their Protege which is one of the big things that a sponsor should be doing they should be saying hey there's a position open I know the perfect person that is my protege I

think they are the best fit uh and 19% reported uh that they weren't providing uh only 19% reported that they were providing air cover that kind of protection that important and so a lot of them are missing out on the key things that are required to be a mentor and and so to be a sponsor and so gaining a sponsor is more challenging than getting a mentor so it's important that people who actually have that skill set the people who have that high credibility those people who are in senior leadership positions it's important for them to know what a sponsor is and to do the things that sponsors do because not everyone can do those things it takes a special type of

person with a special type of ability and a special position within an organization to Be an Effective sponsor and if you have those people with those skills not doing the real things of sponsorship then people are missing out another thing is men are more likely than women to find sponsors and when women do find sponsors their sponsors are more likely to not do their full job of sponsorship so sometimes they'll be like yes I got a sponsor and then they say so you're going to recommend me for this promotion and they're sponsor say I don't I don't do that they're not doing their job as a sponsor and so that means that these people aren't getting those

full benefits another kind of issue to avoid when it comes to sponsorship and mentorship is that our sponsors and our mentors need to avoid this mini me syndrome it's not in common for people to want to work with people who are just like them right you start saying oh I see myself a younger version of myself in this person and you go and you invest in their career um and so the center of talent Innovation found that 71% of mentors say that their chosen mentee is the same race and the same gender as them and so it's not uncommon for people to want to do that I'm not saying that anybody's a bad person for wanting to

invest in someone who they see themselves in but it does create problems because there are fewer women there are fewer people people of color in these senior management positions and so these employees are often excluded from meaningful mentorship and meaningful sponsorship when people only want to Mentor or sponsor people who are exactly like them but this also hurts your mini me right uh the best mentoring like the best relationships occur when there are some similarities but also some differences and so if you're looking for someone that's exactly like you you are doing a disservice to the person that you want to help and that you want to invest in their career so when mentors are

sponsors mentor someone that's different from them, it leads to long-term growth. And so a study that looked at mentorship of medical residents found that while same-gender mentors provided this initial growth and this initial help, because they're saying, hey, I had to deal with these issues, the exact same thing that you're going through, after a while those benefits that they got from that mentorship became stagnant, their growth became stagnant. However, for opposite-gender mentorships, while they had to get over that initial roadblock of figuring out how to talk to people, how to find that common ground, because they thought that they were so different, after they did that hard work of having those

meaningful conversations, they were able to lead to long-term growth for their mentee, because their relationship was built on all of those kind of mutual factors that they had to work on and build and find out together. So let's talk about being a better mentee and a better protégé. So I always like to talk about how do you get a mentor, right? There are all of these wonderful articles that talk about the importance of a mentor, the importance of a sponsor, and you read all the way through and it doesn't tell you how. There's no recipe in there. And so I want to just talk about a few ways that you can find a mentor.

So how do you find a mentor? Well, you ask. Getting a mentor is easier than you think. People are often excited and happy to be asked to be a mentor, and finding a mentor is easier because there are so many options. It can be somebody that you work with, it can be somebody outside of your organization that's in the same industry, it can be someone that you only have occasional conversations with, maybe you talk to them on LinkedIn about things and ask them questions. It can be somebody who's more senior in an organization, or it can be somebody who's your peer or a little bit lower in the leadership

category. And so there are mentors all over the place, and you can have multiple different mentors to fill all of the different needs that you may have, and so it makes it a little bit easier to find mentorship. So how do you get a sponsor? Well, sponsorship requires some work. You've got to do a little bit of legwork here, because sponsors are using their political capital on you. They often want to see some initial success before they invest in you, right? They want to see a couple of quick wins, so that they know that they're not wasting their time. And so you build credibility by performing well and taking responsibility. So do your job, and do

your job well, and that's kind of the starting point. When you find someone you want to be your sponsor, you should research what their role is, how they got there, and kind of understand what their current priorities are, so you take all of that into consideration when you finally sit down and ask them to sponsor you in your career. I think it's important, when we talk about being mentees and being protégés, to remember that it's a two-way street. You're not just taking. You should bring value to your mentor and your sponsor. This includes teaching your mentor or sponsor a new skill set. So

oftentimes I will teach other, more senior lawyers how to use certain types of technology, and they'll sit down and talk with me about business development and growing my book of business. It's a trade, and it's a two-way street. You should also think about other ways to help them extend their legacy. A lot of times people want to be sponsors because they view that as a way to extend the legacy that they've created, and so if you know that, you can keep that in the back of your mind as you're having those conversations, because you understand what's important to them. So what are some other ways that

you can be better at being a mentee, better at being a protégé? Well, know what you need from your sponsor and your mentor. What exactly do you want to get out of this conversation, what do you want to get out of this relationship? Because if you know exactly what you want out of that relationship, then you can ask for it, and you can know when you're not getting the things that you want. If you clearly explain what your goals are, you're more likely to get that. When you get a project or a task, you need to focus on over-delivering, right? If your mentor or your sponsor says, hey, I need you to do something, then

you need to be laser-focused on doing that work and over-delivering, especially at the beginning of that relationship, as you're trying to build that trust, right? You should be focused on doing that work. And then you need to be respectful of their time, but you also need to respect your time, right? So if you are meeting with someone who you're building that relationship with, you need to be on time, you need to be a little bit early, you need to be respectful of their calendar, but at the same time you need to demand that they do the same thing for you, right? And if you do that, people are more likely to

not cancel meetings last minute, because they know that my mentee or my protégé respects my time but also demands that I do the same. And so these are just a few small things that you can do to be better at being a mentor or a mentee, or a sponsor or a protégé. So what did we learn during this presentation? Well, people forget about half of all new things that they learn within an hour of learning it. So it's not uncommon for someone to say, hey, you were at a BSides and you went to this Higher Ground, what exactly did you learn? And you're going to be like, I don't remember, but he did a great job and I

love his suit, right? But it's not your fault. The human brain can only focus on six to nine pieces of new information before there's this big, steep drop-off. So I have six takeaways, so that if somebody asks you what exactly did you learn, you can maybe remember one or two things. First, mentors provide encouragement and guidance and serve as a sounding board for ideas. Second, sponsors are advocates for their protégés. Third, having sponsors and mentors can lead to personal and professional growth. Fourth, people often confuse the two, which makes them less effective. Fifth, you need a Jay-Z and you need a Beyoncé. Sixth, it's a hard-knock life and we all could use some help, so ask for mentors and ask for

sponsors. All right, so if you like the slides, like the presentation, it'll take you to my website and you can download the slides this afternoon, because I haven't uploaded them yet, but they'll be on the website, and then you can push the button and you can get the slides for this talk so that everybody has them. So I think that's it for me. I do want to thank my law partners, because they allow me to come out to these conferences and hang out all week at hacker summer camp and give out cybersecurity stickers, so yeah, I want to thank them, and I also want to thank the associates who are working on my cases,

because they are working right now and taking care of the cases so I can be here with you. So thank you so much. I think we have a few minutes, so if you want to have a conversation, feel free to ask any

questions. Thank you.

Hey, so I actually wanted to ask, in your career journey, did you have any struggles finding a mentor or a sponsor, and when you finally did come to one or more that you had a positive relationship with, what were the traits that really locked you guys together?

Yeah, so it was a lot easier to find a mentor, because you can find all types of mentors. I have a ton. Some of them are my mentors about business development, some of them are people who, when I just need a pep talk, I've had a bad day, I know that this person is going to be my hype person, they're just going to be

talking about all the great things that I do. And so I have some of them within my law firm, some of them outside of it. But sponsorship was harder. Sponsorship was a hard process, and it's an ongoing process, right? But when I think about what are the qualities of a sponsor, it's someone who understands what that role is. They understand that I am coming to them not for a pep talk. I don't need a pep talk from you, you know, I've got a whole bunch of other people that'll tell me good job. I'm coming to you because I need to be promoted within the organization. I am coming to you because I need to be put in a better

position to have a bigger book of business, to be able to get better cases, and so they understand what the assignment is and they do that. Also, another trait is somebody who wants the job, right? There are a lot of people who have that kind of capital but they don't want to do it. They're thinking that it's too much work, or they'll say, yeah, I'll help you, and then when you sit down for a meeting, the meetings just keep getting kicked off of their calendar, they keep pushing back your meetings weeks and weeks. So you need someone who understands what they're supposed to be doing and who has the time and the

willingness to do so. And so those are kind of the qualities. But my sponsors are very different than me, right? You know, I don't have someone who looks like the older version of me, but their career looks like the version of the career that I want.

Thank you. Are there any mentor courses or programs that you can recommend? One of the challenges I've seen in my experience is that people want to be mentors, but there is a lack of understanding, or I guess rigor, around what that means and how to execute on that effectively.

No, that's a great question. So when I do presentations I always say

Anthony's selling nothing, so I have no courses or anything that I'm selling. And when it comes to courses that are out there, you know, I don't have any that I can recommend. But what I would say is, if you start looking at people who are advertising those things, you should have your own list of things that you want, and what they're offering should match those things, right? And a lot of times there are people who are selling these courses about all these things and they really don't know what they're talking about. So if you have your list, you know, you're put in a good position.

When you're thinking about being a

sponsor, what do you look for in your sponsees?

Yeah, so the thing that, you know, I will eventually be looking for is someone who likes to do the work, right? Somebody who enjoys the practice of blah, or whatever area that I'm the sponsor for, and then somebody who's had some successes. They don't have to be huge successes, but you have to have, you know, done some work, put yourself out there to do it, and that kind of gives me the signal that, hey, me giving you the push is all you need, because you have a lot of talent there already. And so, you know, I

want to see someone who kind of enjoys it, or is good at it, and who has put themselves out there to do that work.

In your slide you mentioned that mentors should really, I mean mentees should know what they want to be able to find a good mentor. What about someone who's new to an organization and may not know what they want, who still kind of wants a mentor? Do you recommend they do some research first, or would you still advise that they look for a mentor?

Yeah, so the thing about it is, you may not know all the things that you may want from that organization, but you probably have a good idea about what you want from your career, right? You're like, hey, you know, I want to be able to learn skills, I

want to be put in a good position to be exposed to different people. I'm dealing with maybe some confidence issues, I want somebody that's going to spend some time encouraging me. So those are things that you can know that you want before you may learn about what exactly your organization has to offer, because you can have mentors inside of your company but outside of your company as

well.

Hello. What would you say is the cutoff if you pick a bad protégé? At what point do you say, hey, this isn't for you?

Yeah, at what point. So I'm laughing because I took the slide out about that, because I was going to use an example, but my secretary, when she was looking through my slides, she was like, that's a little problematic, because I was going to talk about Jay-Z and Kanye West, and she was like, take Kanye out of it, no Kanye, no Kanye. But you know, Kanye talked about Jay-Z being his big

brother, and then that relationship eventually changed, and you know, while they're civil and maybe trying to reconcile, that relationship changed. And so what you should do is you should be thoughtful when it comes to that, right? You should be giving your protégé every opportunity to meet your expectations, and so that often requires you to tell them what your expectations are. If you have not told them what you want them to do, you can't be mad that they didn't do those things, right? And so you need to have that conversation first, and then you need to present them a path forward: hey, you know, here are the things I'm expecting from you,

right? I gave you this stretch assignment and I want you to do it, but because everybody knows you're doing that stretch assignment because I gave it to you, I need you to check in and just have weekly check-ins about what you're doing. You know, they don't have to be long. And you're giving them what you want and you're giving them a path forward. Now if they failed, consistently failed at that, that's when you need to have that conversation. And the problem is, when you're a sponsor, you're not only having that conversation with that person, but you're going to have to start having that conversation with the broader community, because

you put your capital into them, and so when they think about your protégé, they think about you. So you're going to also have to have conversations with other people, and so that is a big kind of punishment, and so you need to be very careful about it. You need to give them every opportunity in the world before you make that decision.

Time for one more. Okay, so not a question, but I just kind of wanted to add on to what you were saying, as someone who took on too much with a group of people and was consistently failing and had to pull out. The thing that helped was a direct, honest conversation about, like, these are

the things I need from you; if you cannot meet these expectations, then these are the things that I am losing if you cannot meet them. I ended up pulling out, and then I was able to excel in all of my other areas as well, because I was just taking on too much at once. But that's kind of what I would say from the mentee perspective, from someone who had failed.

I just want to say that was a very smart thing to say, and it wasn't a failure, you learned. Yeah, see what you just did. Good deal. All right, well thank you so much. I'm going to be around, I've got some cyber

security stickers if you want one, and let's be friends. All right, thank you.


probably needs no introduction. Phillip Wylie is going to tell us all about how to get into pen testing. Also, you can't see it, but we have a leaky ceiling. If it drips on you, I'm so sorry, I think it's the AC, but anyway, that's what we've got going on up here. So if he wants to be interactive, you just point to me and I'll run the mic, and enjoy the show.

Thanks for the introduction, and thanks everyone for joining. So I am Phillip Wylie. I have my CISSP, OSCP, and SANS GWAPT certs. My current role is offensive security expert at Horizon3.ai. We have an autonomous pentesting platform. I'm an offensive

security professional and evangelist. So even outside of my day job, since we have an offensive security tool, I'm always evangelizing the need for offensive security. I think it's one area that's often overlooked, underestimated, and misunderstood, because you can do all the compliance you want, you can be PCI compliant, but that doesn't mean your company can't be breached. Some companies are too caught up on the compliance. While compliance is important, you need to make sure that you're doing your due diligence, everything proper, pen testing and everything, to make sure that what you're doing is working. So I'm a former adjunct instructor. I used to teach at Dallas College, so that was kind of a turning point for me in my

career. I've always been kind of a competitive person. I used to be a powerlifter. When I worked in sales, I was always trying to be the top salesperson, so I always worked hard at what I was doing. Not to say I was ever the best hacker or pentester, but I always really put so much effort into that. But in 2018 I became more outwardly focused. I kind of looked at my wife, what she was doing. She taught an ESL program, she had a lot of students that were undocumented immigrants, and they would come to her for help where they needed help, and just seeing that legacy that she built and how she was helping those people, I

wanted to do the same thing. So I started teaching at Dallas College, got into a lot more mentoring and speaking. So my book, The Pentester Blueprint, came out of my lecture at Dallas College on becoming a pentester, which turned into a conference talk at BSides DFW in 2018. And kind of an interesting fact: when I gave that talk, some of the people in the audience, you may have heard of Juno, she's part of the Cult of the Dead Cow, she was one of my students, but at the time of that presentation she was just kind of in the audience. I knew her from the community. She watched the talk, enrolled in my pentesting class the

next semester, and then went on to be a really good pentester and all-around awesome cybersecurity professional. And so last year, during the Bishop Fox DEF CON livestream, I had the honor of being interviewed by her on that livestream. So it's really cool to see former students and mentees getting out there and doing stuff. So that's a lot of where my focus is at, why I got into the conference speaking and stuff, why I wrote the book. The book was a way to provide that information to people that aren't going to the conferences, because every conference I went to that I gave the Pentester Blueprint talk at, a majority of the audience hadn't heard it yet. So I give

these talks so many times over. When people review conference talks, they think, well, we can't take talks that have been given somewhere else, but you just don't know how many times those talks haven't been heard. And so that's one of the reasons writing the book was a way to get that information out there to people that I would probably never run into at a conference or anywhere else. So this has been one of my proudest achievements and a way to serve the community and serve those I hadn't gotten to meet yet. So I also was featured in the Tribe of Hackers Red Team book. That's kind of how I got the book deal. They asked me if I had

any ideas for a book, and I wanted to turn that into a book. I'm also the host of the Hacker Factory, previous host of the Hacker Factory podcast. I went independent last April, April of last year, and the new show is The Phillip Wylie Show, same format, video now and not audio only. At the recommendation of some friends I went independent. And so this is one story that I like to share with everyone trying to break into cybersecurity, because when I graduated high school, a long time ago, I graduated back in 1984, I didn't know what I wanted to do. I didn't take high school seriously, and my grade point

average wasn't high enough for my college entrance exam score, so I was going to have to get like eight recommendation letters from teachers, and so I really decided my heart really wasn't into it. I didn't know what I wanted to do anyway. So some of my friends said, you know, you're a powerlifter, you're a big guy, you should be a pro wrestler. So I thought, that sounds fun. So I went off and went to wrestling school and wrestled professionally for a couple of years, and during that time I wrestled people like Mick Foley, went to wrestling school with the Undertaker, wrestled two of the three Freebirds, Michael Hayes

and Buddy Roberts, wrestled a couple of Dwayne Johnson's relatives that wrestled as the Samoan SWAT Team. So it was an interesting experience, but when I got married I needed a job with insurance and benefits, and pro wrestling didn't have any benefits at that time. When I first started wrestling I got maybe $75 a night, and by the time I quit wrestling they were paying $25 per match, and you'd only get to wrestle typically one time. They didn't have insurance, so if you got injured you were just kind of having to take care of this out of your own pocket. So I was trying to figure out what to do, so I worked all sorts of

manual labor jobs, and I'm the kind of person that has to be doing something I'm interested in or it's just hard to do. Out of all the jobs I did, manual labor, retail sales, worked as a cook, busing tables, washing dishes, putting up fences, roofing houses, doing construction, I didn't like any of that stuff. But the one job I did like was jewelry sales. I was working in a jewelry store, I was always number one or number two in selling jewelry in the store, and the family that owned that jewelry store, they were starting a new chain. They were Lebanese, and they thought if we created a store chain with

an American-sounding name, we could compete with Zales and stuff like that. So their intent was to bring me in and make me an assistant manager, and the store manager had different ideas. There was a person that was always either beating me or getting beat by me in sales who was a qualified candidate, and he really wanted to put her in as assistant manager. I totally understood that, but one of the things I did realize too is I needed to get some skills where I can make a good living and it's not dependent on someone's political or just someone's opinion, just, you know, right or wrong. You know, you

work in some of those types of jobs, you're only going to get ahead as much as the people helping you. Even back to pro wrestling, it was kind of dependent on whether people wanted to do something with you to promote you, because when I wrestled I had to lose all the time. That's referred to as a jobber or a job boy, so you're paid to go and lose to make the good guys look good. And so one of the things there is, if they like you, or if you're a relative of someone in it, you get to move up quicker. And there was someone there that was booking the matches when I was there that year in the WCCW, which

is in Dallas-Fort Worth, where the Von Erichs wrestled. Anyone seen The Iron Claw movie? It was that wrestling territory. One of the bookers there wanted to send me to Kansas City, and that was one of the spots where people got practice, you know, got the experience, and came back and got to be a legitimate wrestler and not lose all the time. But by the time they got around to planning that, the federation had been sold off, someone else came in, so I lost that connection. So one of the things I looked at, based on that experience working in the jewelry store, is I needed to get a trade where I can make

good money and advance regardless of whether I was a manager, or where, you know, someone's preference wouldn't hold me back in my career. So one day I was watching television and saw this commercial for the American Trades Institute, a trade school in Hurst, Texas. I always liked drawing in high school and took some drafting classes, so I decided to attend that school. So I learned AutoCAD. This was back in, by the time I got out it was about '94. Another one of the points I like to share here to encourage people: when I was going through this CAD school, I had a computer

at home. My ex-wife's dad had given us a computer, and basically all we were doing is, back then you had Prodigy, which was one of the internet services or whatever, and you were really limited in what you could do. You could play online games. I could boot a computer, play those online games, and that was it. Once I went to CAD school I was probably the worst, computer-skills-wise, and by the time I got finished with school and was in the workplace, I was finding different features on new versions of AutoCAD quicker than my co-workers were. And when Windows 95 came out I figured out how to use that. I was figuring out how to network

systems, how to do network printing. Our local IT guy, well, I worked for this manufacturing company, their main headquarters was in Stephenville, Texas, that's where all the IT staff was at, but they had one accounting person that did our IT in our office. He wasn't able to figure out how to get Windows 95 to print on a Novell network, and I was able to figure it out, and this is the first time I ever got called a hacker. So before I ever thought about being one, this guy was kind of jealous because I was able to figure out something he wasn't, and he was kind of the on-site IT

staff. But what I've learned is I had more of a knack, and just kind of reiterating on that story, I went in not thinking I had the skills and I learned it. So if you're just starting out in your career, maybe you've been in security and you're just getting into pen testing, the more you do these things the better you're going to get. So give yourself some grace and realize that you don't start out as this awesome hacker, pentester, or whatever security professional. It takes time, and you can get there, and if you're ambitious and put in the time you can get there sooner. So I found out about sysadmin

work. This company I was working at, we were being billed out at $30 an hour, we were making half of that. They brought in a consultant to work on our server, and they were billing him out at $50 an hour, so I thought, well, he's making about $25 an hour, that's $10 an hour more than what I'm making, and what they're doing looks a lot more interesting. So I taught myself how to build computers, took a Novell NetWare network operating system course. For those of you that are not familiar with that, Novell NetWare was the predominant network operating system before Microsoft came out with Active Directory. So I got my first sysadmin job, did that

for six years, and wanted to get into information security. Got the CISSP and the NSA IAM certification and got to move over to the security team in 2004. So we got a new CISO at the company around September 2005. He had a more modern idea of the way security organizations should be divided. For us, everyone was doing network security, firewalls, intrusion detection systems, some vulnerability scanning, but when he came in he put me on the application security team, and that's where I found out about pen testing. I was managing our third-party pentest and got to do some vulnerability scanning. So when I got laid off in 2012, I applied for a

consulting role with Verizon and got my first pen testing job. And another lesson there is, if you want to do it, apply for it. Let them turn you down; don't be the thing that's going to prevent you from getting the role. They took a chance on me, and one of the things they saw was my passion to learn. I was doing a lot of self-study. I used to do web design on the side, and I hosted the web servers in my home, so this manager saw that I like to build things and do a lot of self-learning. So he liked that. That was kind of his way of doing

things. He really wasn't big on telling us, go take this pen testing course. He said, learn how to build it first; if you know how to build it, you can secure it, and then it's going to be easier to break into it. So I kind of fit the culture and his mindset, and they gave me the job. They took a chance on me because of my background: I had some vulnerability scanning, application security, network security, and also sysadmin. The sysadmin experience gave me more toward that job than anything else. So the first five years of my career I spent consulting, and then worked internally for companies, and so consulting, if you have the chance to do consulting, I highly recommend that

experience, because you get access to so many different environments. If you work in internal environments, they're going to change systems, things are going to change, but at a slower pace compared to consulting. In consulting you're exposed to so many different types of systems and you've got less time to test, because actually, if you're going from an internal employee to a consultant, it gets a little more difficult. At US Bank, I came from AT&T, having a week to do the same pentest we had four weeks to do there. And so if you're doing things right, you're going to be able to test more thoroughly, but if you go from that to testing as a consultant, you've

got a lot less time. You have to learn to be able to do more in less time, so the consulting experience is very important. So what is pen testing? Before we get into how to get the experience, we're just going to cover it. So it's testing different digital assets and targets from a threat actor perspective, because people are always worried about getting hacked by malicious hackers. They're always asking, what are we trying to protect our systems from? Threat actors. So you have to learn how to think like they do, and one of the advantages that has is, if you're able to assess the security from a threat actor's perspective, you're

able to find vulnerabilities that actually need to be remediated. You run a Nessus scan, a Nexpose scan, or Tenable, you find these vulnerabilities that they say may be exploitable, but not necessarily. Sometimes they've got mitigating controls in place; sometimes if you get a foothold there are other things you can do, get access to. So a pentest is really required. And so some of the experience you need to get first is learning how to use the tools, and one of the things I'd recommend, you know, if you look at the OSCP course, and there are a lot of good courses out there, most of the stuff they're telling you to do is manual. Like with OSCP, they don't

allow use of vulnerability scanners, which is building some good manual skills, but one of the things it doesn't do is show aspiring security professionals, or those trying to break into pen testing, how a real pen test is done. So when you're doing a real pen test, you don't have all the time to manually test everything. You'll run your vulnerability scanners and then you'll go through and do some manual testing; the vulnerability scanning kind of helps guide you. So a good way to get that experience, I believe TryHackMe has a Nessus track on their vulnerability management track that you can go on there and learn how to use Nessus. So you can download a free version of

Nessus that'll test 16 IP addresses, and so in your home lab environment you're able to use that, so you get experience with a vulnerability scanner. That's a transferable skill to work in a company in vulnerability management, because when I worked at US Bank there were people coming in from the vulnerability management team or the remediation team moving over, because vulnerability management was basically just working with remediation, running the recurring vulnerability scans. The remediation team would go through and test to see if it was still vulnerable from the pentest. So those were skills that prepared them to move into pentesting. So learning how to use a vulnerability scanner can be important, and, you know, learning how to do

the manual stuff is important as well so you have your network vulnerability scanners as I have listed up here in nus and Expos open Vos and nuclei open Vos also has a free version uh that you can download but I would recommend nessus since it's pretty well probably most widely used in Consulting but used a lot in internal organizations so some companies use the commercial version which is tenable Essentials or ten uh or tenable and it's the same type product but getting used that helpful learning how to use uh Linux especially the different operating systems that are geared towards pin testing like C Linux and paros S those are two two of the best I there's some others out there

like Arch and some other uh pen testing dros but the nice thing about C Linux and paros they've been maintained for a long time and work really well and another thing too is learn how to use tools in a Windows environment so mandant came out with a couple different uh VMS or projects one's Commando VM and one's flare VM Commando is strictly pen testing tools whereas flare VM is reverse engineering so reverse engineering is important to pentesters so you take your windows VM or your bare metal operating system and you run these scripts against it it's a it'll take a long time it takes like hours to run these scripts it uses uh the automation

it uses the scripts are called chocy as the scripts it uses but it's kind of comparable to some of these other automation tools for Windows but it installs all those tools and one of the things it does for you this kind of a a pain when you're setting up a Windows system to do hacking is it goes in and sets like a shared section of your drive where you know Windows Defender antivirus is not going to delete your tools but have you ever try to install tools on Windows Windows Defender you know is doing its job what it should be doing what looks like malware removing it so trying to set up a pen testing box

is kind of difficult so one of the best options with this not only does it install tools It prepares your hard drive so your tools aren't going to be deleted so other pin testing tools like inmap and Metasploit uh metlo is a good one it's a a exploit framework and one of the only free ones out there just about everything else is paid and you get a lot of this similar functionality out of met exploit Community Edition compared to professional because professional kind of integrates with their nexos product so if you're lucky enough to work for one of these companies as nexos you're able to find some of these vulnerabilities and it works kind of uh integratedly with with

Metasploit but fortunately I'm glad I started out with the Community Edition because it's a little more difficult so you don't have the opportunity to use menit Pro and so different web application pen testing tools burp site is like one of the industry standards zap is good and does a lot of things but one of the things with burp Suite most companies that are looking for pentesters typically want you to have uh burp SED experience and uh different web application vulnerability scanners so burp Suite Pro does vulnerability scanning and OAS zap or zap actually they they're part of another project now they're outside of oasp uh but it does vulnerability scanning as well so if you're using uh burp site Community then

you can use the vulnerability scanning feature of of Zap and so fuzzers are also good options to learn how to use these tools so getting to learn how these tools is important getting the hands-on experience so as you learn how to use these tools uh some other skills that are helpful and this all kind of depends on where you are in your career so if you you're working in it you may have the networking and and operating system skills but you kind of need the operating system skills at AIS admin level I had students before and a lot in mentees coming in say you you spent like six years of CIS admin do I have to work

in IT? You don't have to work in a specific role, you just kind of need the sysadmin-level experience. And we talked to some experienced people in the industry; you'll run into gatekeepers, but then you run into people that it's just their honest opinion that they think you have to work in IT first. But I recommend having those skills because, you know, if you're wanting to be a pentester you don't want to wait six or ten years to get into that type of job.

So also hacking and pentesting, this is an important part. Whenever I started my job at Verizon I knew how to run vulnerability scanners, I didn't know how to hack, so I had to gain the hacking skills. So the OSCP was the best option at the time, so I signed up for the OSCP, also took some of the eLearnSecurity courses. And then reverse engineering. Reverse engineering is important because maybe you're doing a pentest and you find an APK file for an Android app; sometimes there's hardcoded credentials in those APK files, and even Java JAR files. I did a pentest once for an airline and we found a Java JAR file that was used for their application and it had hard-coded credentials to the database in there. So it has the username for the database: you logged into the application, but it connected to the database using the same credentials, but from reverse engineering that was able to uncover it. So that's an important skill to learn there as well.

So getting the hands-on experience, this is what's going to be very valuable. Sometimes you think that if you don't have the professional experience... if you learn how to do this through CTFs, Hack The Box, TryHackMe, Offensive Security has their cyber range with vulnerable VMs, building your own home lab, getting this experience and documenting it is a way to get that experience. Because if you're going through a job interview and you don't have the actual professional experience, if you're able to explain how the tools work that's going to be helpful, because as a pentester in your experience you're going to get asked these same questions: how do I do this type of testing with Burp Suite, or you know how do you use Nessus or these other vulnerability scanners, and how do you use Metasploit? You'll get asked some of these questions, so if you can answer those questions that'll go a long way for helping you get through the interview.

So other ways to get experience is through bug bounties. So bug bounties are kind of like crowdsourced pentesting, but with bug bounties it's basically you're getting paid per bug, and some people get into it and they find duplicates, or the finding they find is downgraded, they'll get paid for it, but don't get discouraged. The thing is you're finding these vulnerabilities, and if you're able to find those, if you were doing a pentest you would be able to find these vulnerabilities. And one of the reasons I think people should look at bug bounty learning resources and even try bug bounty: as a pentester you get paid to do the job, period, but with bug bounty hunters you have to work really hard to find bugs, and some of those people are able to find bugs that maybe a pentester may miss, because they're having to do different tricks to try to find those bug bounties because they want to get paid. So using that will make you a better web app pentester.

And so there's also pentest as a service, so Cobalt does this, Synack. With Cobalt they do like network pentesting, web application pentesting. Cobalt's nice too because they pay $1,500 per pentest, so by pentesting firm terms, and compared to other roles, that's not a lot of money, but it's good side money, and once you've done that for a year you've got a year's worth of pentesting experience. Now you've got that experience that you can apply somewhere full-time and make more money. So I'm hearing people making $60 to $80 an hour on a 1099 contract doing pentesting; a company I worked for, they were paying like $113 an hour. So once you get that experience then you're able

to translate that over to full-time jobs. And people are starting to see... because one of the things, I talked to someone when I was interviewing for a job back in 2020, and they said it's easier to find web app pentesters because of bug bounty, because this gives people an opportunity, you're able to do real-world pentesting, whereas there's not really much out there for the infrastructure side, testing, you know, servers and hosts, outside of pentest as a service. And some of these offer, like if you look at Synack Red Team and Cobalt, they have different paths to apply for their team, and some of them is going through some of the Hack The Box challenges; you have certain certifications, it'll get you an interview. So there's different things in the career path to help you get in there. So the more of this experience you get, you're able to get into the roles like that, that'll help you get your foot in the door.

So pro bono and low-cost pentesting. So if you know some nonprofit or religious groups that can't afford a pentest, you can offer to do a pentest for them, and if you know someone has a small business you could charge them a really low price. And so you're actually getting professional experience and you're kind of starting a side consulting company, but this is a way to help someone else and get experience at the same time, plus then you can get referrals from these people as well and get referred to a potential other business.

And CVE, Common Vulnerabilities and Exposures. This is one that I was aware of but something I never did, but one of the things I would say, and I've talked to other people that work in pentesting, and they say hiring professionals, if they find someone has a CVE, sometimes they value that over a certification, because with a CVE you're finding a vulnerability that may have not existed before, essentially a zero-day, and so they know you're going to be able to find vulnerabilities past what a vulnerability scanner will do. So I'm sure most of you are familiar with CVEs; it's basically a database of these vulnerabilities that you report to. Some companies maintain their own; MITRE and some other organizations maintain these databases. But one of the nice things about this: you get a CVE, you can put it on your resume, on LinkedIn you can put it under Publications, so you can put a description of that CVE on there and put a link to it, so that way people can validate, they can go to the CVE and see your name on there and see that you actually found that CVE. So that goes a long way; so someone sees you're finding CVEs, then you're more than well qualified to be a pentester.

So some good learning resources on that, I recommend it. And so Joe Helle was the one that really brought my attention to doing this; he's also known as The Mayor, he works for TCM. But what he did is he found some open source software, web application software, he built a web server at home, set up a server, installed the software and performed a pentest against it. What bugs he found, he reported those CVEs and got credit for it, and then he's built up CVEs. You see some of the really good bug bounty hunters, they've got lots of CVEs, so this is a good way to build up your resume, improve experience, before you're actually getting paid as a pentester. So Bobby Cooke had some really good information, and Joe Helle referred that. So when he was going through one of the Offensive Security, the OSWE certification, he was working on finding zero-days and stuff to help him through that certification process. So both of these articles are really good, and if you go to Joe Helle's Medium he's got several different writeups that he's done on finding CVEs.

So demonstrating skills. So you're taking these different recommendations that I mentioned, so you do writeups on it. So if you're doing a CTF, Hack The Box or TryHackMe, of course be sure to respect if they say not to share this on the Internet or something, so that way you don't get in any kind of trouble with them, but do writeups. You can do that on Medium, GitHub or through blogs. If you like to do video-type stuff, record walkthroughs on YouTube; there's been a lot of security professionals that really launched their career through content creation. It's a really good way to build your brand. As I mentioned CVE IDs earlier, you document that on your resume and on LinkedIn, and then scripts or programs you write, even if you alter a script to do something else, share that on your GitHub. People like to see what you're doing, and you may be competing with someone for the same pentest job; you could have the identical certs, but the CVEs may be the thing, or the things you got documented may be the thing that helps you get the job. And this kind of demonstrates some of your skills, some of the things that through the first interview they may not get, and through one that you may not see something till a technical interview, but you're able to prove that. And these stacks of resumes that they're getting in, it's kind of a good way to help, you know, kind of get you that interview. And one of the things too is, you know, it used to be

just artists that needed to have portfolios, but security professionals, especially when you're just starting out, new to the industry, it's a good idea to, you know, kind of have a portfolio of the things you've done. Document your journey, just like The Cyber Mentor started out creating videos because he was documenting his learning experience, so you can do the same thing, and I've seen a lot of people do well with that. And kind of the more connections you build on social media the easier it is to get jobs. And an example I like to share is I was looking for a job last October. I gave my two weeks' notice; I really didn't start looking until a week or so before that two weeks' notice. I left on a Thursday, by Friday I had two job offers the next day, and part of that was because of my network. I'm connected, my network, they know what I do, and so I had a lot of different people reach out to me with jobs to interview for. And so the more you're connected... and one of the things you're going to do too is kind of get past that HR firewall. Now they're using AI and these systems; you upload your application, and one of the things I tell you there is if you can network with people you can get your resume in the hands of a hiring manager easier. Companies are paying referral bonuses, and a lot of people in your LinkedIn network may be happy to get, you know, a $500 up to $3,000 bonus to refer you, because otherwise when they're going to recruiters that could be 10, 20,000, could be 10% or 20% of your first-year salary that they pay these recruiters. And so referrals, people are happy to refer you a lot of times, so that's kind of a good way to do that.

And kind of to go on into this a little further, this is kind of building your personal brand. Share what you're comfortable with; there's some security professionals that don't like to be very public, but it's easy to build your brand and keep your private life out of it, but using some of these ways I mentioned to document your experience. So streaming, creating videos and writing, these are good ways to get your name out there. Writing is pretty important, so find one of these mediums if you're too shy to be on camera. But the funny thing is, it's interesting the way that works too: some people that are comfortable speaking in person have a hard time recording solo. That's funny with me because I can do in-person speaking and I do well, but if I'm trying to record at home by myself it's the hardest thing in the world. I did a video one time for CompTIA and I took like 20 or 30 takes to kind of get that video acceptable. But then you take some people that are super introverted, they can go home, turn on a camera, record this stuff, it doesn't faze them, but they don't speak in public very well. So find what you're comfortable with, and sometimes it may be writing, and all this is important.

So speaking: conferences, security meetings. We had a recent UT Arlington student at one of the DEF CON 214 meetings, and one of the hiring managers from Citi was there. They did a talk on malware analysis; this hiring manager worked at the incident response team, asked for the resume, they got a job. So they basically displayed their technical skills through this meetup doing this talk. Goes back to, this could have been a recorded video or other things, but this was a way to kind of almost do a technical interview, prove their skills, and this makes it a lot easier on the hiring managers because they get so many resumes in that they've got to find ways to get rid of resumes, and it could be they're looking through to see who has certifications, maybe they don't look at them deeply enough and you get missed over. But doing stuff like this and working on your network is a good way to build that. And one of the things I'd say too, because it plays back into the professional networking, for me back in 2017 I wanted to get out of consulting, I was tired of the travel. I met someone at an OWASP meeting, they told me they're hiring at US Bank, I gave them a resume, I had an interview within a week, had an offer within two weeks. At the same time I applied for a job at Bank of America, was more than qualified, had my OSCP, SANS web app pentesting certification, CISSP, and I didn't hear back from them until a year later, and I just went on their application system, uploaded my resume and applied, and didn't get the job. So you can realize someone that is trying to break in, it can be even more difficult. These systems are looking for different keywords and maybe you're not using enough, maybe they're not using the correct industry-standard way of speaking and sharing things. And I've seen companies where, actually one company I worked at before, we're having a hard time finding red teamers out of India, but the original job description was geared more towards web app pentesting, so we had a bunch of bug bounty hunters. So we changed the job description to include like Active Directory and infrastructure pentest and we started getting good qualified resumes in. So sometimes it's just the job description itself. And it's kind of funny, you see some job descriptions

where they copy and paste from another company and don't forget, they don't remember to take out the other company's name. So the professional networking is important, so any people you meet here, make sure you're meeting people, connect. You know, even if you're going through college and stuff, some of the people you're going to school with or you're taking classes with, even trainings, this may be someone that helps you get your next job. I've got a real good friend of mine that I helped get his first pentest job; we worked back in our AutoCAD days back in '95, and about 2017 or so he wanted to get into cybersecurity, got his CISSP, and I helped him get his first pentest job. And this is someone I knew from a long time ago, and it's funny because he was kind of my mentor in my AutoCAD days because he helped me write my first really good resume, that I kept that format for many years, and then I was able to return the favor. So pay it forward and make sure to network with people. Groups like this, I highly recommend the BSides communities; people are more willing to help, the focus is on the community to help others. Some of the commercial conferences can be good, but sometimes one of the things I don't like to see is when they eliminate students: if you're a student you can't attend, if you're not in management you can't attend. So that's a good sign to find the organizations that you're welcome at. So your ISSA groups are good, ISACA, the ISC2 groups, DEF CON groups. But one of the things I recommend too is, because I fall into, you know, I run a DEF CON group myself and I attend like our DC214 meetings and our Dallas Hackers Association meetings, those are the ones that are most fun; sometimes I kind of don't go to the ISSA meetings. But it's good to go to the different types of meetings, because the way I describe it to people, the hacker association meetings, the DEF CON meetings, the OWASP meetings, you learn there, but you go to the OWASP, the ISSA and ISACA meetings to network with hiring managers and look for jobs. So make sure to kind of diversify your different groups you're associating with. The online communities like Discord and Slack, Twitter, or X as it's called now, are still good places; most of the good security research I find is out there, still good places to network with folks, find different conferences and stuff to go to. And then LinkedIn is a must-have. I actually found out from my friend that he's possibly in risk of losing his job and he doesn't have a LinkedIn profile, so that's something you

always want to have; that's your online resume, that's how people are going to find you if you're not actively posting on job boards. So we can open it up to questions, and if you can't think of questions now feel free to connect with me and check out my podcast, because I've got a lot of people sharing some really cool stories about how they got started.

Long-time listener. Well, I enjoy your podcast, I get to listen to it very frequently, and how would you recommend, is there any magic bullet certification process that helps with lacking in the pedigree that comes from a military background in red teaming?

So yeah, thanks for being a listener and thanks for the question. So one of the things I would look at is like the Zero-Point Security Red Team Operator cert, that's a good one. So I would find, yeah, Zero-Point Security, it's their Certified Red Team Operator. Nowadays I'm hearing people, that hiring managers for pentesting roles, they're telling people to get the OSCP or the CRTO, but with the CRTO you actually get to use Cobalt Strike, it's true red teaming, because sometimes people get confused with what red teaming is. But RastaMouse, he originally created content on Hack The Box, the Offshore labs, it was kind of red teaming stuff. So you have to find the legit red team content out there, but there's people creating more good content, but yeah, if you find some of the red team focused stuff, you want to do red teaming. And even seeing like if you go to Black Hat and some of these other conferences, or even offering physical pentest training and stuff like that. So yeah, Certified Red Team Operator is pretty decently priced, well recognized certification, and so that one would be kind of one I would start with. Sektor7 creates actually some malware creation courses out there, and I think the new Certified Red Team Operator 2, I think it's kind of a malware... so malware is like another progression in red teaming. You know, once you kind of get the fundamentals down, be able to write malware, be able to do evasion, because, you know, as a red team operator you're wanting to be quiet when you try to break into environments.

You're welcome. Anyone else? Like I said, if anyone can't think of anything you can message me on LinkedIn, I'm happy to answer any questions. I do mentoring calls all the time, so if someone just wants to have a call, a Zoom call, you know, I can kind of take a look at your resume, your LinkedIn profile and give you advice and answer any questions. If you can't think of anything here, our last speaker was about mentoring and the question was how to find one, so this is a perfect example of people that are willing to help. And one of the things I wanted to say, because I wasn't really totally sure about his full talk, one of the things I'll say too: if you're looking for mentors, don't pay for a mentor. There's a lot of people that do it for free. I've noticed a lot of people lately that they've got these accounts set up that you pay them for mentoring. You need to find someone that's really passionate about helping other people, they're going to do a better job, and you don't need to pay for it. Now I can understand career coaching: if you're someone who wants to be a CISO at some point, you're making good money and you can afford that, career coaching is a good thing, but if you're trying to break into a certain area of the field there's a lot of people... find someone that's passionate, wanting to help people, and you can get that for free.

Well, thanks everyone. Yeah, someone had a question over here.

Yeah, I was just going to ask how much credence do you give to the Paul Jerimy certification map? I don't know if you've seen that online, where it has a series of certifications based on specification. Is that something that you recommend people leverage, are you familiar with it?

And what was that again exactly?

The Paul Jerimy certification roadmap for cybersecurity certs.

Oh yeah, I think I've heard of that. Yeah, I think there was a lot of work put into that, but I think sometimes some of those things can kind of be misleading, because they're listing things like CEH. If you're wanting to be a pentester, you're wanting certifications that are universally accepted; you need something like the OSCP, PNPT, you know, stuff from The Cyber Mentor, Certified Red Team Operator, those type of certs. CompTIA, you can learn some good stuff from it, the CEH you can learn from it, but it's not really going to help you build the skills to be a pentester. So the things they put out there, it's usually like that: those roadmaps are so general they don't give you enough information, and some of those people hadn't worked in some of those fields. So when it comes to offensive security it's one of those areas that you really need to talk to someone that's experienced, because some people are trying to tell you what they think pentesting is; it's so much different that it's just really hard to describe. So yeah, those things can kind of be overwhelming and complicated when you see all those hundreds or thousands of certs in there in the roadmap of what to do. And yeah, good question.

Well, thank you. Our next speaker is at 1:30, so enjoy your lunch break.


Hacking and Tracking Your Career, by the one and only Leif Dreizler. If you would like to interact, at his discretion, raise your hand so I can bring you the mic so that the people watching on the livestream can hear you.

Thank you, thank you. Hi Carissa, great job earlier; hopefully y'all caught her talk, it was definitely funnier than mine, and you might learn something about Saku and Gen Z lingo. All right, so I'm Leif, this is Hacking and Tracking Your Career. I was supposed to have a fantastic co-presenter, but unfortunately she could not make it; she is getting married to a very nice Elvis impersonator that she met yesterday.

I'm Leif. I've spent the last decade working in the security industry in a bunch of different roles; my last four have been in people management, both kind of in security and software engineering. I'm very excited to be back here with y'all in Vegas; I always look forward to seeing friends and meeting new people when I'm out here. I'm currently an engineering manager at Semgrep. I also co-host a podcast, 404 Security Not Found, which does monthly news and discussions; Anna is a former co-host as well. And before Semgrep I worked at a company called Segment, which sounds very similar but is not very similar in terms of what the companies do, as an appsec engineer, and then later went on to do a bunch of software engineering in the security space and then became an engineering manager. You might have heard of Semgrep; we have a popular open source tool, but we also have paid offerings for static code analysis, software composition analysis and secret scanning, and if you want to learn more about any of these there's a variety of Semgrep people in the audience here that I got our CEO to say they had to come, and if you want to talk more they'll be here. We also have a booth, so that's the last you'll hear about Semgrep.

The agenda: we are going to talk about how performance reviews work, how to prepare throughout the year, how to get recognized for your work, how to have ladder-based career conversations, and how to prepare for promotions. At the end of the presentation you should hopefully have some new tools to help you get that next raise. The slides are on this Bitly link if you want to take a picture of this; that might save you from taking pictures later. It's HTC for Hacking Tracking Your Career. I'll also have this later in case you decide later that you want it.

So raise your hand if you are an individual contributor. All right, keep your hand up if you would consider yourself as early in your career. Raise your hand if you're interested in becoming a manager. Okay, few people. And raise your hand if you're a manager right now. Okay, cool, good mix. So this talk is for both individual contributors and managers. Most of my experience as a manager is as a first-line manager, so managing other individual contributors, although I do have a little bit of experience managing another manager. For individual contributors, these are going to be skills that are just going to help you throughout the year, and it's going to give you insight into how a layer above you, your manager's layer, operates. Managers need to be able to teach your team these skills, and then you also need to be able to apply these to yourselves, because you are also growing in your career. If you're a good manager that's going to help your team, because you're going to be able to get promoted and get more scope and more influence within your company, which allows you to help out the folks on your team that are doing well.

So part of my and Misha's philosophy is that you are responsible for a lot of your own career development, and it doesn't matter if you're an IC or a manager. Part of your manager's job is to teach you these skills, help you stay on track, collaboratively chart a career path, but they shouldn't be expected to plan your whole career for you. Things are pretty formulaic at most companies to go from an entry-level engineer into a mid-level engineer, but they get less so as you get more senior, and you need to be able to navigate these things yourself, autonomously, as you level up throughout your organization. Learning to do these things independently is going to help insulate you from bad managers, changes in managers, and will accelerate your own growth. Nobody else is going to be with you your whole career, so getting to learn how to do these things yourself is really, really important.

So next I'll talk about some things that you need to prepare for throughout the year. Everybody's juggling a lot of things and it's easy to forget the details of what you worked on a few months ago, and your manager is also going to miss things; they're not going to remember everything that you worked on, especially if it's a bigger team. When you're earlier in your career they're going to be a lot more hands-on with the things that you're doing, but that isn't going to be the case forever, and it's a really good time early in your career to get in the habit of tracking your accomplishments. If you're

not early in your career and you don't have this habit it's never too late to start um but make sure uh that in addition to tracking the things that you're working on that you understand how performance reviews and calibrations work at your company if you don't know this ask your manager if your manager doesn't know make sure that they figure it out and hold them accountable to telling you uh ideally they would be doing this proactively uh but if they don't you should tell them to do it so one of the most important yearr round events for your uh pay and your progression throughout your career is performance reviews um most companies do these two

times a year some companies do them one time a year uh during full reviews uh you'll do a self- review you'll get reviews from people that you work with regularly these are called peer reviews and then you'll also have a review from your manager the manager reviews typically include a performance rating meets expectations exceeds expectations some something like that um as well as an evaluation of whether you're ready or not for promotion you want to prepare for these as I said by taking notes throughout the year and um I included just like a quick sample of what a two review year might look like you might have the first review period be January through June this typically means that

you're writing reviews and doing calibrations and things like that in sometime like July or August and then uh the work that you do between July and December that's going to be review period to and that's going to be uh something that you would do the uh mechanics of in January or or February some places also do a promo only review I think this is better than only doing one review a year because it gives people a second opportunity to get promoted instead of waiting six months um I like doing full reviews twice a year even though it's a lot more work for everybody involved but I think that it is nice uh for people to get more

formal feedback um on a more regular Cadence especially if they're on a team where their manager isn't doing um more regular career conversations so I've said calibration a few times um calibration is when managers go over projects ratings and performance Readiness for their reports uh your manager is just going to be up there by themselves you're not part of this um managers can expect for their proposals to be stress tested by other managers they might ask questions um this is when ratings can change so maybe your manager thinks that you got a meets maybe another manager thinks that based off of what they've said that it's below that or above that I think it's actually

a good sign when there's some disagreement amongst managers since it means that people are actually paying attention and scrutinizing proposals as long as stuff is being applied fairly um but I think it's actually bad if nobody's checking anything because then managers are just going to promote people and if you have people that aren't ready for that next level and they're just getting promoted it really causes a lot of problems in your organization make sure as I've said that you really understand how this process works because it's really important uh and impactful to your compensation after calibration there might be an additional step where engineering leadership does a review of promotions your manager may be asked to

create a promotion packet for the leaders of your company to look at this is a great growth opportunity if you can work on this collaboratively not every manager will do that it's not always possible for you to work on this but I do think it gives you some really valuable insight into how your promo is being finalized it's also a good opportunity to make sure that you're being uh represented accurately so now that we've talked about some things that just kind of happen at a lot of companies uh there's a few things that you should watch out for and try to insulate yourself from one is when your manager changes this is typically something you're not going to

have a lot of control over I mean maybe during a reorg you can advocate for yourself to stay with them if if you like that manager but a lot of times they're leaving the company or things are changing around you and you're not going to have a lot of agency here but one thing that you can do is make sure that you are tracking your accomplishments this is a really good way to help onboard your new manager to the things that you've been working on you can walk through your list of all the projects you've been doing the last few months and then you also need to um oh you might be tempted to think that your

old manager is going to take care of this assume that won't sometimes they will uh especially if they're still at the company but really you should be preparing for a situation where they're leaving and uh they don't do any of this stuff if you're a manager uh try to take care of people on your team if they're changing teams within the company if they're going to change to a new team try to have a last career conversation with them if you haven't had one in a while and make sure that you document the things that they're working on make sure that their projects and their their lists are in good shape this can really help them keep momentum towards whatever

that next level that they're working on and is I would say doubly or triply important if they're close to a promo if they're close to a promo really try to make sure that you have some time to sync with their new manager if you're leaving the company this person might not be at the company already but if you write up documents and share it with your manager uh hopefully they will take care of things and hopefully they'll share that with this person's manager but um I think you can really have a positive impact uh when you're you're switching to to do this kind of handoff some things uh can be pretty unpredictable especially to individual

contributors reorgs can happen suddenly sometimes they're painful sometimes they're welcomed um but uh the best way to keep yourself on track is to make sure that you have a list of the things that you're working on and uh this is also helpful because as you get more senior um it's going to be less straightforward for how you get promoted and so having your uh a plan in mind that your old managers bought in on uh and that you're working towards regardless of whatever else is happening is a good way to make sure that you keep making progress planning docs and retrospective docs are a great way to help keep projects on track and reduce instances

where you make the same repeated mistakes these docs are pretty common in security and Engineering organizations that are doing a lot of Project based work um but they can also be really helpful for your career growth since they are written record of the projects that you worked on if you haven't written um engineering docs before uh I think it's really important it's a really good way to get good at technical writing which again is another thing the more senior you get you need to be able to influence people throughout the company um and especially with so many people working out of different offices or working remotely uh I do think that written communication is something that you really really need to

get good at and then the earlier you start the more practice that you'll have so uh once you've written down a plan for your work now it's time to socialize your work with people that uh are qualified to review it this is just going to make the project go better I know it can be painful to get uh you know critiques on the designs and things like that but I promise it's way more painful to have to go back and redo something uh where somebody could have told you how to do it better up front and so just make sure that you're getting uh your plans reviewed by people on your team or other people at the

company that you know have experience in this area if you're being asked to review things make sure that you're uh debating the idea not the person this isn't about being right it's about helping you and your co-workers have the best plan possible to give you the best chance of success if you have time um to build in extra time into your plan for testing and supportability and metrics that's something that can really make your performance reviews stand out um I wrote A Blog about this a couple years ago ago about some of the product uh metrics that we have for some of the security things that we built at segment and uh project Retros I know

this is just like one more document that you have to write and a lot of people don't like doing these but I really think that these are an important part of making sure that you don't make the same mistakes and they're also a really good thing to look at um when you're being asked to do your own self-reflections if you haven't written a project retro this is just a pretty simple uh format that I follow it's not something that should take a ton of time but it is something that's pretty useful to have uh in like a shared document store like notion or G drive or whatever once you've completed the dock even though you might be a little bit

vulnerable uh in the in the document like maybe there's some things that didn't go well be honest about things that could be improved share the doc with your team this is a really good opportunity for the people that you work with to learn from the things that went well as well as the things that uh didn't go so great if that sounds a little scary uh the benefit to you is that you have something that's just built in when you get asked that question that everybody hates about like what are your areas of improvement just go back to your old retro docs and look at the things that could have gone better in your projects

and create some themes and now you just have a built-in answer to those questions another source of information for uh your self- reviews are or or your peer reviews actually are quarterly team Retros I think it's a great time to look back at the things that you've done on a little bit longer time scale uh sometimes if you just are doing project Retros it you can be a little bit narrowly focused on like that project and not look at the themes that are either uh helping your team or plaguing your team and so doing something quarterly is helpful for the teams that I manage we follow a pretty simple format I ask everyone to add what we

worked on to the gray section before the meeting um that just saves time and people you know that's usually the the least exciting part is just listing what we worked on and then I have people in real time populate uh what went well and we'll add little plus one stickers so that people can vote on the things that they agree with we'll spend some time talking about those and then we'll do the same thing for what could be improved and then as we're going we'll take action or we'll write down action items and learnings in the uh the Blue Square another thing that I found really helpful especially as a manager um but I I actually like wish I had done this as

an IC as well is I'd set some time aside to take some weekly notes and I'll write notes about myself about the uh about my manager about people on my team um or people that I work with closely even if they're not somebody that I manage um I just have a recurring calendar event on Friday to write down some stuff it comes in handy when you need to write a lot of these reviews especially peer reviews I think a lot of times people are just like oh I worked so closely with this person but like what should I tell them um this is a good way to avoid that sometimes I don't feel like writing

notes uh or I don't have time and that's okay it's better to have some notes than to have no notes um I found that this was really helpful when I was doing peer reviews for people because I just like could go back and look at stuff that happened throughout the the quarter um it's also a good reminder that if somebody did especially great work to drop a note to their manager this kind of thing goes a really long way and I I think not enough people do it so uh to wrap up this section some year round artifacts that are really helpful when you need to uh do review writing is uh your engineering design

docs your project Retros your team Retros and your weekly notes uh I think the first three are just part of being part of a mature security or engineering organization so you should be doing those anyway but if you need some extra motivation to do a good job on those uh think about yourself so I've talked a lot about writing down your accomplishments um I call this a hype list and this could be being somebody's Mentor it could be features that you've built it could be changing a process it could be giving a conference presentation um or anything else that you think is significant it's better to just write down extra stuff and then go through and prune it out

later if you're like actually that like didn't really matter um but uh if you're thinking hey you know you're telling me to write weekly notes you're telling me to do this hyp less thing like this is a lot of annoying stuff um you know I get it the last thing you want to do is like keep tabs on yourself and you might be thinking like my manager knows what's going on um that is probably not true and if you make time for this a few times a month uh it's not that bad I actually hate doing stuff like this but once I got into the habit of doing it it's I promise it's not that bad and uh

really the motiv ating Factor here should be this is an opportunity to make more money um and get promoted it's a lot easier to do those things if you've been writing down the that you've been doing rather than trying to remember it six months later um and again as I mentioned earlier if you get a new manager this is a really good way to onboard them so that when they show up they're like oh this person rocks they've been doing all this cool stuff um I'm excited to work with them so hopefully that got you convinced to do a hype list I promise it's not that painful I just use a sheet with a few different columns in it um the what

happened is just a super brief summary of what you did assume the person that is reading it is at least like kind of familiar with your projects um obviously this isn't going to be true if you're using it to onboard a new manager but you should just walk them through the document the first time and they can just ask questions and it's a really good opportunity to just get to know them and and share what you've been up to impact I think this is the one that most people do a bad job on um that until they get some coaching um think about what is the business impact of what you've been working on think about

not just what you built but why you built it or why somebody asked you to build it and then this is a really good time to incl incorporate some metrics as I mentioned earlier uh it's a lot more impactful um during calibrations and during performance reviews and even when you're just you know just operating within your company to be able to say hey I built this thing and it's used by 10% of our customers or it saved us money or it made us more money than just saying like hey I built this thing and just hoping that whoever is reading or listening to you is able to draw that connection between what you did and how

it positively impacted your business um so yeah I would say think about these things a few times a month um and and just even if you don't add things it's good just to get in the habit of thinking about them does anybody have a doc like this already all right other than you two people that rais your hand uh start on one of these next week if if you have some time uh focus on the last 6 months you don't need to go back forever look at poll requests look at project docs uh look at your calendar to backfill data if that sounds horrible uh just do the most recent project it's better to just

get started and keep tracking stuff going forward than to get bogged down and not do it and just like never have any of this stuff another thing that I think a lot of people uh find uncomfortable is getting recognized for their work this is not about bragging um it's an important component of getting rewarded for your hard work uh if people don't know you're doing stuff it's hard for them to say like hey we should give this person more responsibility or more money or a better title or whatever so uh make sure that people know what you're doing this helps your peers stay informed about what people are doing at their company this can avoid situations where

two teams start working on the same thing um again this is a good opportunity to flex your technical Comm communication skills which get more and more valuable the more senior you get and then it's also a good opportunity for people to understand your areas of expertise this can create interesting project opportunities it can give you a chance to Mentor people and it also helps support you during calibrations as I mentioned earlier your calibration is when your manager goes and presents to a bunch of other managers if those other managers are already familiar with your work because the people on their team know what's going on or they know what's going on um it's a lot easier for your

manager to get their ratings and their promos approved rather than oh I'm trying to get somebody approved and like nobody has heard of any of this stuff and I have to spend extra time explaining why it's important so some ways to share your work um you can sign up for company demos at sem grip we do demos every Friday this is a low pressure low stress way to share what you've been up to it doesn't have to be something technical people demo uh spreadsheets people demo processes it can be anything um we also have a product updates Channel where people post uh updates um about things that they're working on for our product you can also post updates in your team

channel so that people uh can can see those we have a shoutouts Channel where people can just give public accolades to to folks that have done some really great work and then you can also write blogs and speak at events I know it can be really uncomfortable for some people uh but you need to do it it does get easier over time and you might be thinking should my manager be doing this stuff and the answer is yes they should but you should also be doing it because it's way more effective if both of you are doing it than if just one of you is doing it and there in addition to that there might be

a time where you don't have a manager or they're too busy or something and so having you do it is is really important um this could be a whole talk it actually has been a whole talk uh that I gave here at uh besides Las Vegas last here which I'll include a link to but here's some just quick tips if you want to get started with blogging and speaking um your outline serves as the basis for your blog or your presentation similar to your hyp list this is something that you can write over the course of months like when I'm working on a presentation I just add notes I don't worry about structuring them I

don't worry about it making sense to anyone but me um but this serves as the jumping off point when you go to actually write that presentation or uh submit to a conference this content helps your team with recruiting this gives folks outside of your company an opportunity to learn about the stuff that you and your team are working on and somebody's going to read that and be like yes that is something that I also want to work on um some of the best people that we had joined the last company that I was at joined and they would always cite the fact that we were giving presentations and and blogging and stuff like that if

you're looking to get started uh a great place to start is with podcasts and local meetup groups as somebody who's been a chapter organizer before there's always a lack of people that are willing to give presentations and a lot of times they're willing to work with people even if they're firsttime speakers to help out some conferences like bsides also have a a speaker mentorship program that you could check out next year and then uh everyone gets rejected uh I got rejected this morning for oos SF so it it happens um just keep applying to stuff and keep practicing and you will get you will get a shot for sure um and then don't forget to act the

add these activities to your hype list too so if you want to read about some stuff that I wrote about speaking and fostering a culture where people speak I wrote a couple blogs about this last year and then as I mentioned I co-presented with Colleen kulage who was uh the Fantastic ceso of segment uh about these topics uh here at bsides and so you can check out the recording if you prefer to watch stuff so hopefully uh I see some of you up here next year I love hearing about people submitting to their first conference I had a few people that read the blogs last year reach out and say that they got accepted to uh some

conferences which was really rewarding so uh yeah if you if there's something you're on the fence about just just do it the next topic is lad based self- reviews and career conversations so ladders are an imperfect system but they do help standardize levels within an organization without ladders it's more likely that performance reviews are going to be influenced by time enroll Vibes and people being noisy about not getting promoted which is not a very fair system um and they also help with tying your work to a more widely accepted standard of what it means to be operating at a certain level within your organization so just to be clear when we're talking about levels uh these are

some example levels that your organization might have you might have like a an entry-level software engineer a mid-level a senior staff um different companies use different levels but like these are some some relatively common ones ladders are a great way to help set expectations for what people need to do to meet the standards of a given title and role for example senior security engineer they're also a more objective way to get people aligned on promotion Readiness uh and if you haven't seen ladders before check out progression. FYI they have a bunch of Open Source ladders that people um have posted from their companies intercom is on there Circle CI is on there so there's like

well-known companies that have ladders if your company doesn't have ladders this might be an opportunity for you to bring them in uh especially if you're a manager you could work with other managers to build them it is worth noting that ladders are expensive or can be expensive to build and maintain so a lot of smaller companies aren't going to have ladders you also might not have ladders for more specialized roles you really need like some critical mass of people in a given role to have the maintenance and building cost of the ladders actually make sense um as I mentioned ladders can be a really good way to guide your career conversations um you want to be on the same page about

how you're doing performance-wise before the Performance Cycle uh it's a really bad situation if you just like are completely surprised by uh the ratings sometimes it can happen you know if somebody changes managers or like just hasn't had time to have a lot of these convos it can happen but if you've been reporting to the same person for a while it's much better to have these conversations before performance review season and you can actually use these to write your reviews your manager can use this information to write their reviews so it's pretty helpful one way to do this is you can deconstruct the ladders so um like two of these sections are impact and craft

and then there's different bullet points underneath these that you can do individual ratings for you can make these more or less granular depending on how much time you and your manager have um but it's a good way to just have some structure to this uh performance review process and and these career conversations this is a link from um a Blog that I wrote uh you don't need to look at this right now obviously but just if you go back uh you can click this and see like what a deconstructed ladder might look like um so when you're filling out the details each row is a granular assess assessment for each point on like that section of the ladder the first time

that you go through this it's naturally going to take longer because you or your manager doesn't know how this process works um but after the first time after you've gone through it it should be pretty easy to go through this for future times and you just need to do a Delta between last time and this time uh you don't need to go through and like do a full revamp every single time um and you can fill it out collaboratively together the first time just so you kind of understand like what all the different rows mean and uh you're on the same page about uh like what the ratings are and that kind of thing after that I recommend filling it

out separately and then copying in your evaluation at the same time as your manager so that you know you're not just looking at theirs or they're looking at yours it it really does bias things if there's already some some data in the columns this is the rating system that I use just to kind of show some progression over time um especially as you get more senior you might not see a change in every single row uh you might just not be working on the right projects to be making progress in certain areas and that's fine uh as long as you are making progress towards whatever the next level is that is totally okay you can spend less time talking

about the cells where you basically both wrote the same thing and like gave yourself the same rating and then spend more time talking on the cell talking about the cells where you don't don't agree um if you are rating yourself higher than your manager meaning that they think you're doing worse than you are and you disagree I think one of the most productive things you can do is just brainstorm way to improve a given category because as you improve uh their rating of you is going to get closer to how you think you're doing um I think this is better than just trying to like argue over the ratings if you really think that they're massing something

like it can be worth it to try to convince them otherwise but I think it's better just to try to improve in a given area um it's also worth keeping in mind that generally for each row you're going to need more than one example you're not just going to go from like yellow to Green because you did something one time especially as you get more senior you need to be able to show you can do senior projects repeatedly you're not just going to do one senior project and then get immediately promoted if you're going through the ladders uh and you find something confusing you should give that to your you should give that feedback either to

your manager or to whoever is maintaining the ladders um these improvements are things that can benefit other people on your team and so uh you know these are living documents these are things that that change over time a lot of companies uh use ladders for a pretty broad set of roles so it is worth keeping in mind that even if it doesn't like totally apply to you maybe you're a full stack engineer maybe the latter also applies to sres and security Engineers so there might be a like pretty Broad cross-section of people that are using the same ladder um but on the flip side if everything feels a little bit off it might be worth it to

...actually make a new ladder. Again, there needs to be enough people benefiting from the ladder to have that make sense, but a lot of places do have separate ladders for security engineers versus software engineers.

Another one, and this is more seldom, because you're not going to be getting promoted as many times as you're getting reviewed, but another thing that's useful to know how it works is the promotion thesis. Promotion theses or promotion packets, as I mentioned earlier, can be part of the promo process, and they're either something that's presented during calibration or they're an intermediate step in between calibration and final approval. This is the promotion thesis we use. It's pretty simple. The first one is: why now? What's changed between the last cycle and the current cycle? Why this cycle instead of the next cycle? What's the case for promotion? Is this person already demonstrating that they're at that next level? This is where completing a deconstructed career ladder for your current level and for your next level can be helpful, because then your manager can show, like, hey, these are the areas that they're already demonstrating. And then, what would be the case against promotion? There's always going to be something that, you know, you're not doing at the next level, and the folks at your company want you to be successful, and they want your manager to have a plan to mitigate some of these areas. And so it's better to just be honest about how you're going to address these rather than trying to pretend like they don't exist.

So now that we've talked about the template, here's some things that you can do to make sure that you're prepared for these. Try to work on a promo packet collaboratively. This might not be something that you can always do, as a manager or as an individual contributor, but if you can work on this together, it just gets both of you more invested in the process, and it shows people how this stuff works. And as I mentioned previously, try to do a deconstructed ladder for your current level to show, like, hey, this person is exceeding, and then also do one for the next level to show that they're already meeting some of these next-level requirements. And then it's also worth keeping in mind that not all promos get approved. Even if you and your manager think you're ready, that doesn't mean that it's going to survive calibration. Try not to get discouraged by this. I think as a manager you need to use your judgment on whether or not somebody that reports to you is ready to know that they're up for promotion. Some people might take it poorly if they, you know, don't get promoted, but the way that I would think about it is, typically when a promo doesn't go through, you're going to get really useful information from the other engineering managers about why they didn't think you're ready, and then you can actually address that before the next cycle. And I've been in a lot of calibrations at this point, and you'll often hear things that were referenced last time, of like, hey, this person's pretty close, they're not quite there. And then they'll do some stuff during the next cycle and people will be like, oh yeah, we said this was kind of what they needed and they did it. And so I think it's actually helpful to get that info rather than not trying until you think you're kind of guaranteed to get it.

So this one's for the managers in the room. One thing that I do before calibration is I create cheat sheets for all the people that report to me with pre-written answers. Unfortunately, a big part of calibration is how good your manager is at calibration, and so having prepared answers for things can just make you come across way more confident, and people like that. And so you're going to be able to do a better job representing your team if you just have stuff that's already pre-built and you can just answer it on the fly. Another thing you can do is get support from other managers beforehand. I work with Misha, who was supposed to be my co-presenter, and I worked pretty closely with some of the people on her team during a previous review period, and one of them was up for promotion, and she asked me beforehand if I would, you know, speak on this person's behalf, which I was of course happy to do. And it's really nice to have more than just the person's manager talk positively, because that's just going to help make sure that things get approved.

So some closing thoughts. Take steps to own your own career development. Nobody's going to be with you your whole career, and so it's important that you can play an active part in directing your path. Make sure that you know how this stuff works at your company. Even if you've gone through it before, things change, companies grow, companies get acquired, so make sure you know how it works every single time. If your manager doesn't know how it works, make them figure it out and tell you. If your company uses career ladders during calibration, make sure the first time you're hearing about them is not during performance season. Go and look at what is in your ladder. Make sure you're having convos with your manager about the ladders, how you're doing relative to them. Document your progress and setbacks throughout the year; this makes writing reviews a lot easier for yourself, the positive and the negative. And then lastly, celebrate wins, whether they're your wins or your co-workers' wins. Make sure that your work's visible. Make sure that you're recognizing other people for their contributions to your company, and make sure that their manager knows that you think that they're doing a great job.

So that's it. I'm happy to take some questions. I'll also be at the semr booth for a little bit after this. There's a link to the slides. The Substack link also has a blog that I wrote about the same topic, maybe like a couple months ago, so if you want to just skim through that in text form, it's there. But yeah, thanks for attending, and happy to take questions.

All right, I covered everything.


...tying your personal hobbies into your career. So without further ado, cool, thank you so much, take it away.

Excellent. All right, I hope this lives up to everybody's expectations of it. Most of this is going to be storytelling about my day job versus my night job, and the stories and lessons that I've learned from living history and quilting history that really apply to cyber, and I hope that it helps you find synergies in your own hobbies, lifestyles and other things to learn these lessons and move forward. So: how living history and quilting made me a better cybersecurity professional.

So I'm Mia Clift. By day, I've been in IT and cybersecurity for 26 years. Some days I wonder how it's been that long, but here we are. Currently I'm principal executive adviser in cyber risk engineering for Liberty Insurance, and that means that I get to advise CISOs on what's going on in their infrastructure, but I also get to evaluate insurance for their security posture, to make our underwriters informed about whether or not they're a decent risk to insure. In the future we're hoping to be able to be partners with our insureds, so that's super fun. It's an amazing job, I love every day. It's exhausting. It's only been about 8 months; some days it feels like 5 minutes, some days it feels like 5 years. Outside of that, I'm also a mentor for cers, which is an organization that supports underrepresented communities in cyber. I teach a GRC class for them and I lead their mentorship program as a mentor advocate. I also am a mentor for ISACA and WiCyS. As I said, I teach governance, risk and compliance. I'm a presenter and a writer, and I'm passionate about improving the cybersecurity posture of businesses of all sizes, whether it's small, medium, large. I'm specifically passionate about the critical infrastructure space. My previous role was in water and wastewater, and boy, do I have stories.

But by night I eschew all technology. Since 2000 I've been a living history participant, participating mostly in 1745 to 1812. I forget that things happened in this country between 1840 and 1870; I like to say that I was hanging out with Queen Victoria in England at that time, can't imagine why. And then I jump forward: I do a little bit of Victorian and Edwardian, and I do Auxiliary Territorial Service in Britain, because they were women with motorcycles and that's freaking epic. So that's my living history background. My primary role when I lived on the East Coast (I live in Minnesota now) was of an 18th century surgeon. I also took my greyhounds and did an organization called Historic Hounds, so we would go and talk about the history of greyhounds in the world, specifically in the 18th century, because George Washington had them, Braddock had them, Steuben took his during the American Revolution campaign up and down the East Coast, he was at Valley Forge. So my greyhounds and I got to go have parties. I also am a collector and restorer of antique sewing machines, as you can see in my photo there. I'm an antique quilt collector, I'm also a quilter. I hand quilt, I do hand piecing and I do machine piecing. I'm also studying; I'm a journeyman quilt appraiser. I took my quilt appraisal classes this year, now I'm appraising to become a master appraiser and certified in a few years. That's my retirement career when I'm tired of looking at cyber postures. Oops, go back.

So the reason I put this presentation together is not just because I like talking about quilts and history all day, because that's super fun, but also because all of your lived experiences can contribute to your cyber role, and really all of your career roles. Every lived experience that you have can be a story, it can be a lesson that you can apply to what you're doing, and it can bring humanity to any of the presentations and any of the discussions that you're having with your teams, with your leadership, even with educating your next generation, even just looking at what is going on in my cyber world and how do I explain it in a way that people are going to get. One of the things that I consider one of my greatest advantages, and I take this from my living history practice and talking to the public, is two things. One, analogies are amazing, and I do a lot of them. But also you have to learn to read your audience. There are going to be people who want to come and learn all the little nitty-gritty bits about everything in the history of everything, and then there's going to be the person who comes up to you and is like, where's the alcohol, 'cause I want to get drunk before you operate on me. And then you have to do a very brief explanation that alcohol was considered a stimulant in the 18th century, and then they get bored and wander off because you've ruined their mystique, and they just want to go because their kids are here and there's food or something. So you have to learn to address your audience in that way, and by reading the room and by doing that in living history and all my other backgrounds, I've been able to apply that to my life, and I hope that in doing these lessons today you'll take away some lessons that maybe are valuable to you as well.

So rule number one of history, and I'm going to say it a little bit more crass: if it ain't primary source, it's crap. To use the Saturday Night Live thing about, if it ain't Scottish, it's crap. You need primary source documentation. Anybody can tell you anything. My great-grandmother made this quilt. My great-grandmother didn't make this quilt, but somebody will tell you that to make a buck. Somebody will tell you a story to get you engaged, somebody will tell a story to sell a historic site or sell tickets and all that kind of stuff. It's not always true. So the image on the screen is records from the pension office for the War of 1812. My seventh great-grandfather was named Thorton, and his obituary in the snon newspaper in Virginia says "celebrated veteran of the War of 1812." Now as an 1812 living history person I was like, this is great, I can join, like, maybe I can join the Sons of the American Revolution or the Daughters of the American Revolution, and because I had a War of 1812 person, maybe his kid was in it and I can do some genealogy. So we did some digging and we found the pension papers. There is 42 pages of documentation here that basically says that my great-great-great-great-great-great-grandfather served 6 days, so he was ineligible for a pension. So again, while everybody was like, oh, he did this great thing, he fought in the War of 1812, he went out to a militia muster for six days and was like, yeah, I'm done here. So primary source is imperative to verify that information that you have heard, or that information that you are curious about, and that applies to cyber in that trust-but-verify mentality. Anybody can tell you anything about their network, but if you don't have proof in the pudding, it doesn't exist. When I was doing GRC, one of my greatest examples was, you know, you can tell me that aliens are guarding your server room, but unless I see the Men in Black show up and take pictures of your little green men outside, it doesn't exist. You can tell me anything. You can tell me you have MFA everywhere, but if I don't actually see evidence of that MFA, it doesn't exist. And that's a challenge sometimes, because it's hard to actually quantify and visualize some of the things that we have, but that goes back also to being authentic with each other, and you can do that through your personal experience and also just saying, you know, I understand not everything is going to be accurate, you're not going to have all the answers to everything. That goes back to: you try to do the best you can with primary source, but always trust but verify.

Lesson two: folklore and urban legends can be both helpful and hurtful. So on the screen I have two things. There's a .50 caliber lead bullet and a caltrop. So I'm going to talk about the bullet, not as much about the caltrop; caltrops are fun, but a longer story. There is an urban legend, and it was popularized by Hollywood, that when you had surgery in the 18th century, because you didn't have anesthesia, you would bite a bullet while they were operating on you. And so I have tons of people who would come up to me and be like, where's the bullet for me to bite on? Again, it goes hand in hand with, where's the bottle of whiskey? The reality is that there's some truth to that. They found lead bullets in North Carolina around some battlefields that had tooth marks on them. But the reality of medicine, and this is the reality of humans: if, say, you had a lead ball in your mouth and you were biting down on it and somebody immediately punches you in the chest or cuts you on something, what do you do? You suck in a deep breath and you swallow. So then you're choking, and we don't have the Heimlich maneuver for a few more years, so you're going to die on that table. What the reality is, is that in North Carolina you have wild boars. Wild boars like the taste of lead. Wild boar teeth look a lot like human molar imprints. So the hypothesis running now amongst historians and archaeologists is that the bullets that they found were eaten by pigs, not bit down on for surgery. So if you ever see that, you go about that. I talked to a person who studied this long and hard. And so really what it was, was a stick. So if you've ever seen the movie Master and Commander, they were probably the most historically accurate in doing surgery at that time, and it's also a great movie, highly recommend it.

The cyber equivalent here is that the truth is always stranger than fiction. How many of us have that "no, there I was" story? I have several; I know you guys all have them. And so we can tell stories that are scarier and stranger than the stuff that's coming out. And the example that I have here is, you know, the Wi-Fi toothbrushes that were going to be botnetted and take over the world. The reality was that that was a thought experiment by a company that got released and then fear-mongered across the world. Fear mongering isn't the way to get people to move in the right direction. It just worries people, and then they're like, I'm never going to do anything ever. What you have to do is say, yes, there is a threat of botnets because of IoT; your toothbrush is probably not going to be the biggest concern that we have. So again, use the truth to your advantage. Use those urban legends to educate, but also educate that there's a bit of distrust within that. And I mean, there's tons of urban legends that I could talk about all day, especially when you get into quilting too, but these are some of the primary ones that I dealt with on a regular basis. I mean, my parents called me about the toothbrush thing, and I'm like, you don't even have Wi-Fi toothbrushes, why are you worrying? But no, don't move on.

Lesson three: you have to understand the bigger picture to see the whole story. So this quilt that's on the screen is this quilt that is here. This quilt was made in around 1840, probably in Pennsylvania. But if you look at this quilt, all of the diamonds are the exact same size. Every single diamond out of this piece is the exact same size. The other part of it is, you can see it looks really cool, it looks almost chaotic in its own right, but if you step back it's got five or six different patterns within it, and these are the kinds of quilts that I like. I call them organized chaos, because you can see a habit within them and you can see some really cool patterning.

Yes? Hi. So, in case folks don't know, we have this thing called outrageous speaker requests here at BSides, and when you, several months ago, fill out your presentation submission, you put down, I know, all green M&Ms or whatever, right? So I believe you made a request for a signed photograph or a cameo with Sebastian. Yes. And technically any signed photograph of anything signed by anyone would satisfy that request. Fair. Anybody named Sebastian? Fine, yes. We decided to kind of combine the two. You get to have a cameo with Sebastian, or rather, he's going to have a cameo with you during your talk. What? What? And it is signed. Damn it! Oh my God, and I hate you so bad right now, 'cause you knew about this. Oh my God. And then as a bonus we got you... You did not! Oh my God, thank you so much. You're very welcome. Where would you like this? Right there, it's fine. Okay. Sebastian Stan, the Winter Soldier. I have a kind of crush. Does anybody have something slightly heavy I could put on this? Yeah, he was the Winter Soldier in the Marvel series, Bucky Barnes. He was also on Once Upon a Time and some other stuff, but those are the big ones. Thank you for speaking. Oh my God, you didn't know what to do. The cameo, holy... Thank you, oh my God, I don't... what am I... Okay.

So, side story really quick, because we have the minute. I went to London and I got to see the guy who played Admiral Pellew in a stage production. He was in the Horatio Hornblower series, and that was when I was doing 1812 and Napoleonic, and I went to the side door to say hello, and I was like, oh, I'm gonna say something really cool and he's going to invite me out to a pub and we're going to have great history discussions. And the only thing I said was, a whole bunch of reenactors in Washington DC think you're super cool. And he looked at me and he was like, oh, thanks, and signed my playbill and then left. And I was like, that was the most embarrassing thing. So I'm totally going to embarrass myself in about 5 minutes whenever this cameo happens. So thank you so much.

All right, so back to quilting. So you have to understand the bigger picture to see the whole story, and this is very apparent in cyber. You can't just say everything is locked down. You have to see everything, you have to understand the whole story. While somebody can check every box and say we're completely secure, I know you're lying. Not everybody is completely secure. It goes back to another story. In my last job we were setting up a monitoring solution for our OT environment, and the leader of that team went to his engineer, who I was talking to regularly, and he goes, so once we have this monitoring solution, we're done with security, right? 'Cause he thought that that was just all he needed, that was the one part of the picture that was going to solve all their problems. We can't do that, that's not the reality. So you really do have to see the whole picture to enjoy the story, and then you get lost in the story. So, you know, realizing that the back of this quilt was made in around 1848, the back is Pennsylvania, because Pennsylvania likes colors on their backings where most places didn't, and things like that. So you learn and find more stories, and then you find more rabbit holes to go down to learn more about your environment and where you want to go next and how you want to improve.

Lesson four: there's always more than meets the eye. So this is my absolute favorite quilt in my collection. I call it organized chaos. It was made in western Pennsylvania around 1860. So it looks chaotic, doesn't it? Like, it's hard to look at, but you have to look closer. So you see all of the peonies, those are the red flower-looking ones, and then next to them there are LeMoyne Stars, which are the star blocks, and then on the diagonal you have pinwheel blocks. So this quilter, without being able to put up a design wall to see all of the stuff from a distance, was able to figure out this whole image, and every time I look at it I see a new aspect of the quilt and a new complexity. So I call it organized chaos because it is organized, and honestly, to me it looks like a garden in the fall where the leaves have fallen around the flowers. So in that quilt, I know a lot of people who wouldn't buy that quilt because they don't understand it. How many environments have you been in, or how many organizations have you talked to, or how many cyber environments have you worked in that were chaotic, but you could see the beauty within? You could see the pattern and you could see how it all played together, and sometimes it did look chaotic on the outside, but on the inside it's beautiful.

The other lesson, and this is one of my favorites, especially as I've dealt in the OT space: everything old is new again. So doing 18th century medicine, everybody talks about bloodletting and leeches. Leeches were not as commonly used as you would think. Most of the time they were used on the infirm, children, or on sensitive areas like your eyes, your ears and your toes. But to that end, I did have pet leeches for a time: Sippy, Gulpy and Gugger. I had to go to a local butcher shop and get blood for them about every 3 months so that they would eat, and they were wonderful, they swam around. Two of them ended up escaping and disappearing until I moved out of the house that I was in, and one of them lived a very long life 'cause I took care of them. The thing about it is, leeches are now being used in medicine today. They're not being used to take blood away; what they're doing is they're using the leeches for reattachment surgery. So in the saliva of a leech there's an anticoagulant, so if you put that on a reattached limb and let them start sucking blood, they actually recalibrate the circulation, so they bring blood flow back to things like ears, noses and fingers, and there's such a great success with it. There's actually a company called Leeches USA that supplies all of the medicinal leeches. You personally can also buy from leeches.biz at $8 a pop with a $25 flat shipping. But that's the thing: everything old is new again. The PLC on the left was built in 1975. That was the first PLC my father ever built; he tells me it's probably still in operation. In the middle we have a Gopher terminal. One of the things I tell new cybersecurity people is, if you want to understand networking, go to Gopher, because you have to do it menu-based and you have to know how to get around networks point to point to point, which is routing at its most basic form. Today all of our routing happens automatically. It's rare that we see, you know, we see a Downdetector because of a DoS attack, but I remember back in the day, this is me being old, you know, we had to route everything around the internet. So we still have that, and then of course in OT environments we still have Windows XP, Windows 85. I heard a colleague of mine tell me that she was told that there's Windows Home on her network currently. So, you know, everything old still exists. My oldest quilt in my collection is made in 1816, so everything old is new again. People are starting to come back to quilt revivals as well, people are getting back into history, and we're learning new things even while dealing with those legacy pieces.

The final lesson is there's always more to learn. So this picture is from a 1910 book that Singer put out called Singer's Instructions for Lace Work and Art Embroidery. That is embroidery on a piece of veneer. This is my new challenge, because I found it in the book and I was like, there's no way. So when I leave here I'm going to the Virginia Quilt Museum to demonstrate trle embroidery, and I'm going to be doing embroidery on veneer. But that's the thing, is there's always new things. I got that book and I was just looking at it for the thread painting and the lace work, and then I opened up chapter 90 and BR R wood, I'm like, you got to be kidding me. But it's a new rabbit hole to fall down, and it's technology. Everything's changing; even if it's not changing, there's always a new rabbit hole to fall down. If you would have told me five years ago I would be where I am, or even three years ago, that I would be learning about OT and going to my dad and being like, explain PLCs better for me, I would have told you you're crazy. But here we are, and who knows what rabbit holes I'll fall down tomorrow, and I hope you fall down rabbit holes too. Thank you so much.

If you like history and you like quilts and textiles and you want to see more about the things that I do that way, you can find me on Facebook at History by Hand. You can find me on LinkedIn, and I also have a database project called the Feed Sack Project that's cataloging feed sacks from 1935 to 1965 that are printed colorways, about 20,000 of them. So feel free to do that. Are there any questions? All right, thank you so much. Thank you, Mia, that was amazing. Thank you.
