HG - You're Good and You Should Feel Good - Victor Wieczorek

so it is my honor to introduce guide point they've been a longtime supporter of higher ground and they always have a great presentation so I'm going to let them introduce themselves and take off from here thank you alright great yeah thanks so much everybody for joining us afternoon so first and foremost my name is Victor was Erick and I am the practice director for a threatened attack simulation team a guide point says the team that does all of our pen testing red team social engineering all that fun stuff I have been with guide point for about two and a half years now a little over that and I'm based in Indianapolis Indiana and I'm a senior manager on the

same team as Victor as you mentioned we do pen testing social engineering I'm based out of Baton Rouge Louisiana so our teams kind of spread out all over the place but we have a good team and I've been in the industry for about 10 years now first started as consultant my blue team for a while now back to consulting so yeah it's a good time yeah so ed and I are both involved in the hiring process for our team obviously so we interviewed lots and lots of people who are interested in coming on to do red teaming with our company and have a lot of experience both on both sides of the table but you know interviewing and

interviewees and we think that there is a distinct lack of confidence and understanding about what the you know the pivotal role that you're about to undertake in terms of that interview is especially on the part of the interviewee so yeah so I mean we're gonna kind of lay this out and a few different points one thing that we noticed is that a lot of people put emphasis on I mean even in higher ground talks in previous years a lot of people put emphasis on being prepared for the interview they're prepared for the questions that the interviewer is gonna ask you but not a lot of people and I mean in our experience when we interview people not

a lot of people ask us questions and ask us about guide point so we're gonna walk through some categories here just to kind of give you guys some ideas of things that you can be asking as you interview these jobs just to make sure that the job is the right fit I mean you don't wanna be looking for another job in six months or a year because you find the culture it's not a good or through fast-paced or to slow-paced or whatever the case may be so yeah we'll hang on a few points and and kind of tie it back into the the title of the presentation it's important for you guys to enjoy the stuff that you're doing

just for your own mental well-being I mean if you it's especially if you're in a remote position it gets really easy to get wrapped up and work and it's harder to get away from it because it's right across the house and you don't leave work at work and that can kind of weigh on you as you deal with your families and what-have-you so it's important to make sure that you're gonna be in an environment where that's not gonna distract you from your personal life as well yeah absolutely what you're about to embark on is a professional relationship so just like any relationship it's two-sided and it starts with the interview a lot of people really fall into this trap of it

being 90% - interviewer talking and 10% - interviewee talking and you know the cadence of that it's rapid-fire questions whether it's technical or whether it's culture fit initial screening all of that and then they leave maybe the last five 10 minutes - do you have any questions for us that kind of thing you know you kind of put on the spot after being berated with you know tons of questions about you know who are you your fails your your faults and all those different things what you want to do and all that so just getting you thinking ahead about how you contribute to that relationship that professional relationship that you're about to embark on that in essence you

are interviewing the company just as much as they're interviewing you because you have a responsibility on at least 50% of that relationship is on your shoulders - sustained so the whole idea of just understanding your Worth and your self value and you know taking responsibility and ownership for that half of the relationship so the first one I've talked about talked about as a culture obviously this one's huge it's I like to tie this back to I don't have anybody's ever read Malcolm Gladwell but he makes points about big fish in a small pond some people prefer that some people prefer being a small fish in a big pond you don't have a problem being on a giant team for mega-corporation

where you're just invisible you go in you do your work you go home everything's fine personally I prefer to see that my work matters I want to see tangible results I want to know that I'm making a difference and making people's lives better that's very important to me too to have that type of feeling like I'm doing something with my time that's worthwhile and it's important to know whether or not you're gonna get like what kind of vibe you're gonna get from the company that you're going to whether or not you're going to get that type of rewarding sense out of it and I'm getting ahead of ours you know ahead of us here in the

presentation because the next one's gonna talk about that too but a lot of the other things I mean in startups kinda like we are there's a lot of processes and things that aren't rich or there's not a lot of documented procedures people just kind of make things up as they go in some cases that stresses some people out and they can't handle it whereas other people need like military types structure there's a procedure for everything you just follow the checklist and you you do your job and then you leave and you're done another one is team communication again this comes into play really big on remote positions I mean we're all remote I mean I'm in Baton Rouge she's in

Indianapolis we have people all up and down the East Coast so we use slack as a method of communication it's very important to us that people remain engaged and slack and that we come to these types of events because this is probably one of three times that we may see each other face to face throughout the year and that's really important I mean you you want to you want people to be familiar with the other team members skillsets that way if you need help doing something if you see something you're not familiar with if you know who to go to and those people have a relationship with you they feel comfortable helping you out and doing

those types of things so it's good to ask about those types of kind of interaction dynamics between the people on the team as well yeah I guess the key here and all these questions so this first one being how does each role a team contribute and communicate alright that's not going to unlock all the quite all the answers for you but it's to start that dialogue it's to have that initial conversation you're trying to pull up those key points that we listen below in the slide so you have to be very active in this you can't just throw that question out there and just hope that the interviewer is going to give you information you need so having that

conversation being very present in that dialogue and trying to pull out all those different pieces is it could be critical to your career in the future so the next one is a little bit I know I think it's interesting it's how would I contribute to the team right and it some of you seem like loaded questions but there's no right answer it could be very much on an individual level a lot of people drive what I would say energy and joy out of their work which is great other people derive that from family or from outside you know leisure activities or you know whatever that is it's a unique answer for every individual person but certainly this question is to

get you or to get the interviewer or talking about what that possibility and potential is in that role so having an idea of being able to come in day to day and tangibly see that needle move that way you're pushing against making a difference both maybe inside the team and then for what your ultimate work product is like in our sin are and what we do we're obviously working to increase the security of our clients right so being able to work through and partner with them to see tangible change in their environment after we do a red team or any kind of assessment coming back the next quarter or the next year the next engagement and seeing things

improve not seeing the same things over and over again that's something that I Drive you know personal reward from and that's what you want that's what you're trying to get from any kind of career hopefully is a sense of what makes you feel like showing up every day yeah I mean the flip side of that in a previous job as a consultant I mean you go on site you get the main administrator through after a week of hacking different things and then you go on-site to the same client the following year and the domain administrator you created for yourself last year is still active in the password hasn't changed I mean that's kind of demoralizing it's like

why did I even come out here to begin with so yeah that's that's really important to me I just want to see that I'm making a difference what are the team's most hectic times again you're just trying to uncover what the stresses are in that job so it could be one of those like Ed mentioned where you're you know a small fish in a big pond maybe that's something you're looking for maybe your current life objective is something like starting a family or maybe a side business or you're getting really good at a sport that you like or you're something like that maybe you just wants a job that has relatively low stress and low responsibilities but you can so

improve and find you know joy out of that that's that's great right maybe you're looking for that next challenge that level up that's something that you were just crushing ten hours a day working and just enjoy that because you want to improve because you want to get to that next level certainly that's an individual decision that the interviewer can't make for you so and it's probably not likely to come up in a normal interview so having a sense of what those hectic times are something like you know in our work people try to fit in their assessments at the end of the year you know after a busy year they're trying to say oh man I gotta get my

annual pen tests done so you know november/december tend to be really hectic times for us where a lot of people on the team are challenged to do things that at a tempo that's atypical for the rest of the year so understanding what those potentials are and what those stressors might be helps you again understand you know how you would fit in from that career workloads obviously important again this is kind of striking that work-life balance making sure that you're making time for for your personal life and hobbies and things like that at the beginning of my career in security obviously getting into this industry is a very steep learning curve gonna have to marry the

job if you want to advance really quickly if you if not then that's fine but recently I've tried to kind of start unplugging getting away from my computer in the afternoons and doing some woodworking and things like that so it's good to have that kind of breakaway and kind of shut off your brain every once in a while but it's good to ask about that sort of thing I mean if you're you're in the mode where you're just getting in the industry and you want to get your foot in the door and you're willing to put in the time and effort that it takes to go get certifications and just study and be in books and play

on hack the box and do this and that all the time then that's great I mean everybody I think needs to go through that phase in their life but once you get later on in your career that may not be the case anymore you definitely want to experience burnout which this can also can contribute to another big thing especially if you're going into professional services role to ask about travel some people may not like to travel and some people like to travel some people's spouses like for them to drive so I mean it's good to ask about that sort of thing because that I mean if you've got kids and a wife like I said that's a huge lifestyle challenge

that you may have to deal with if it becomes too much of a burden over time and then kind of tie me back into what I mentioned earlier just doing certifications and what-have-you getting an understanding of what it's gonna take as far as time commitment outside of your normal business hours like how much time I'm gonna have to spend reading about this the captain up on Twitter looking at new tools like breaking down code and writing these scripts and things like that everybody has a different threshold for how much they want to accomplish in that in that regard so it's kind of have to know what your capabilities and your desires are and make sure you ask questions

appropriate with kind of setting at baseline and making sure your expectations align with with your potential employer anybody who's been in this business for long enough understands that keeping up with information security is a full-time job in and of itself right so that's on top of what your day-to-day is so understanding that okay maybe this point my life where you know I don't have a whole lot of outside responsibilities that's the time really gonna put pedal to the metal and understand a new technology or a new technique or become you know a subject-matter expert in some area or something and these things Evan flow over time so understanding how you know that team reacts to that how people

some people might really step up and and want to crush that new thing that new idea or maybe some people might take a backseat and just do a really good steady job which is totally fine that's as understandable as part of human life so getting at the root of that conversation and understanding how a team handles that dynamic is incredibly important we all know that information security can be incredibly competitive both you know from a intra perspective and then also inside the team itself you know hopefully that's a healthy competition one that drives people to be better at what they want to do and and just kind of increase that overall skill set but still it can be that constant

stress can get to you at some times so understanding how to take a timeout may be a break from that while still being a valuable member of the team is incredibly important and the people who you are talking with about that opportunity should have a good answer about how they address that

career trajectories that's I mean that may differ depending on what your aspirations are like I said if you're first starting out you want hurry up and try to climb up the ladder a little bit really fast and some people may be coming in the door they just want to learn at a gradual pace and just kind of it's a marathon not a sprint type deal that's a good idea to ask about that sort of thing what the expectations are gonna be and what your capabilities are what for whatever role you're coming into where do you go from there some people may want to go somewhere from there some people may just be happy I mean we've got guys on our team that

are just happy pen testing all the time they don't necessarily want to build policies or kind of branch off into writing procedures and doing management type stuff they just enjoy doing that work and that's fine we try to make people happy and there's a there's a book that our company kind of runs off of called traction and it talks about having all the right people in the right seats and I think it's very important because a lot of people have this there's like this unwritten expectation that you join a company and then you're just gonna progress from there there's a lot of jokes about government if you're not doing your job they promote you out

of that job so you can get further away from school and stuff up but I mean it really depends on what your aspirations are in that regard and it's good to know what the expectations are what the opportunities are for growth and where you can go from there whether or not it's gonna be just the stepping-stone or a place where you can build your career yeah absolutely I mean starting a career anywhere whether you're really early on just out of school or whether you've been in the industry for a decade already or more I mean that's it being limited to a piece of paper a resume and a few hours of interview is a really poor substitute

for who you are as a person what you can contribute to a team but it's the tools that we have and unfortunately that's what we're restricted to so having an understanding of where you're gonna come in on that team and then you know once the those things fall away and the team understands about who you are what you want to do what your capabilities are what your your capacity is then that's where you're really going to see either that movement maybe maybe you don't want to maybe you want to say still maybe you you have some outside commitments like I keep mentioning that you want to stay in a role or you're happy with what you're

doing and that's just where your content so understanding not only what your goals in terms of a career are maybe with that team urge in general and then what the capacity of that team is incredibly important and also what the requirements are I mean some places have specific certification requirements that you have to get before you get into a certain role and things like that so I mean if your expectation is to get into a specific position at some point then it's good to know what those requirements are there's also that opportunity and a lot of places to switch teams internally so start out doing like something that happens pretty frequently for us is our sock is growing

really fast so people start out the sock and then they move to a different area a different team of the company as they kind of build up their skills and get certifications on the side as they're doing their job it's good to know what those opportunities are as well in case you really like the company then you can stay with the company just move to a different team doing something that's more interesting to you this is a big one for me this is a big one for me when I came to guide point leadership understanding what their background is where did they come from do they know the challenges that you face or that you

will face in that role yeah I keep talking about you know our specific experience but you know my leadership chain when I joined guide point all the way to the top all the way to part owner of the company had been doing pen tests years before at someone who I still respect and can still jump on calls with our clients and under and help explain what sequel injection is I mean that's incredible to me I've worked at professional services companies before who you know there are no sales people or you know folks that just are so far detached from the technical delivery of what we do now they have a hard time you understanding that and you know maybe

that's important maybe that's something you're looking for maybe not certainly it could help make your life easier when you're trying to fight for different resources or different ways of doing things it's a little easier when you have some common ground so understanding what that leadership background is and so even if they don't have that the best case scenario where they can talk about walking the walk that you're about to undertake but at least that they can understand where you're coming from so that you're not fighting tooth and nail for every little thing yeah I mean this is also huge for me as well my first security job I was reporting to basically a project manager

with no technical background and it was probably the worst job of her head I mean I got a lot of good experience there but reporting to them and having them not not only not know what the job required and what those pain points were but having no interest in learning what those things were was incredibly frustrating so yeah as Victor mentioned I mean we've got partners that have been doing this for several years they can still hop on report call report review calls and explain technical vulnerabilities to our clients if we get tied up with a conflict or what have you and just having somebody in that position that's authorized to to spend money and things like that if we need

more licenses for a tool or what-have-you we're not to go to war for it I mean we just tell them like hey we need this you know I okay go get it that makes it a whole lot well it allows you to focus on the things that are more important like getting work done writing new automation tools and things like that instead of having to build up this formal business case that you have to present to a bunch of people to get somebody to loosen the purse strings a little bit so just makes it a lot a lot easier to get things done in my opinion and then the last point there is also big especially for us as I mentioned an

inner moat position how the hawlucha engages with the team I mean a lot of physical like on-premises type positions people like to talk about the open-door policy and our management still uses that term but obviously we're we're not the same office as they are so it's more or less open slack policy but we've built relationships with them and we feel comfortable going to them with problems and we don't feel like we're gonna be attacked if we come with criticism like hey this is a working let's change it it's it's important to know what that receptiveness is going to be like whether or not because a lot of and a lot of companies I mean a lot of

people feel like if they bring negative things to their supervisor then they're gonna turn it around and then attack you and that makes you feel insecure while bringing negative things to people or providing meaningful feedback that might actually the organization better that giving you that negative response so you just quit doing it I mean going back to the reward like if I want to make the company better I want to make sure that it's not always gonna be sunshine and rainbows like we're gonna have to fix problems every once in a while and having that that openness and accessibility is very important yeah absolutely growth opportunities talks a little bit about some of the earlier bullets that

we had things about career trajectory but it's a little bit different because it's not necessarily career oriented obviously you have skill sets that you can bring to bear on a cybersecurity degree or a career or something like that but you know there are other things outside of that work-life balance anti burnout which is huge in our industry what does the team do to combat that when they see it we all have dealt with it does do they offer you know what's what's the PTO policy what's the time off policy what's uh what are some other things the team does to maybe take a break or you do some I don't know like bonding activity social events and so on

the things that would help you personally stay away from that whole idea of just getting lost inside the business doing that work too hard yeah a big one on this list for me is the the technical training aspect of unintentionally over the years become a sort of a certification collector so I mean having the ability to take that training and not have to pay for it there's a pretty big deal for me I kind of have to have that carrot on a string at the at the end of a stick to keep myself put myself on a deadline okay I need to finish this by the by this date some people can just open a book and

force themselves to read I can't do that so having that ability to acquire those training resources take the training I need go to sans courses or whatever that's right that's that's really important as well to kind of know what what the expectations is because I mean you're all over the you may find a company that has no training budget whatsoever and any training you want to take it's all of your responsibilities on on the flip side of that a lot of the guys were that I used to work with not work for company in Baton Rouge where they require you to go to a sans conference every year and they pay for it like top to bottom so I mean you have

very very different sides of the spectrum there so it's good to know kind of what the expectations are to make sure that if they expect you to go to Sands conference to pass an exam every year you're prepared to do that so absolutely so overall I hope you left you with some questions ask for your interview to start that dialogue and to make sure that there's a it's a relationship that you are starting to build from day one that's probably the biggest red flag for me other than you know not knowing you know basic TCP anti jokes but things that just indicate that their interviewee is just sitting there kind of passively taking this all in I

think from day one I want to understand that you're engaged that you're gonna take take control of your career in trajectory as much as you can that you're passionate about who you are what you can contribute what your self-worth is I mean at the end of the day we're still in a negative negative unemployment situation where people who are looking for cybersecurity degrees have a lot of power right again as we mentioned earlier this doesn't give you the right to be snobby or to be standoffish but just hopefully you realize that there's ways for you to be engaged so that you're looking through this job process you can build on this relationship for both sides and

hopefully find the right fit for you or whatever a team or organization that ends up being yeah I mean from my perspective whenever we interview people and they don't ask questions they're like any questions it makes me start to wonder like okay are they really interested in this job like are they gonna stay here for six months ago stay here for six years like that it makes me start asking those questions too so it's good to at least if nothing else demonstrate that you're interested in the position if you truly are and to make sure that there's to reduce conflict later on I mean if you walk in knowing what your expectations are and as long as your expectations match what

reality is then I mean building a good spot thank you so much for your time is anybody have any questions [Music]

[Applause]