HG - Finance Industry Career Search Panel

BSides Las Vegas · 56:46 · 71 views · Published 2021-08
About this talk
HG - Finance Industry Career Search Panel - Kathleen Smith, Alyssa Miller, Peter Keenan, Brandon Wu, Mamani Older. Hire Ground, BSidesLV 2021 - Camp Stay At Home - August 1. Video Tags: bslv2021-hg-finance_career_panel-1055362

welcome back to hire ground this is yes it's kathleen ringmaster of hire ground at bsides las vegas so happy to be doing summer camp at home this year where i can kick back and really enjoy time to understand what's going on in various different career tracks so we've always talked about what security is how to go about getting your degrees and your certificates but then there is so much more in our life that is impacted by security and what more impact are we going to feel than finance how are we impacted by our credit cards our banks our financial institutions that we get our mortgages from what are all these components and what is the impact of security on them that

opens up the door for so many different security careers so we have today a panel of folks that are well known in the community some are well known and some are people who we have not heard from before so i'm really excited to hear their voices talking about how they crafted their finance career what they think is important and some tips if you are interested in having a security career in the finance industry this is kathleen smith yes it's kathleen here at hire ground at bsides las vegas virtual every time that we're part of hire ground we really explore the various different career options that are available within our industry and some of the great things that we

have in our industry are people who have been able to delve deeper into specific industries we've done healthcare and today we're going to talk a little bit more about finance security and what it is to be part of that security community so i'd really like to have all of my panelists introduce themselves and then we're going to delve deeper into their backgrounds and how they develop their career path so alyssa would you kick us off yeah sure hi everybody uh alyssa miller i am the business information security officer for s&p global ratings great mamani hi my name is mamani older i'm a director at security risk advisors brandon hey everyone i'm brandon i'm a security solutions architect at amazon

web services and peter our long time career coach at bsides las vegas hire ground thanks peter keenan i'm a chief information security officer at lazard wonderful so as you can see we have some really great information security finance security professionals as part of our panel today and i'd really like to have each one of them sort of delve a little bit deeper into their backgrounds and how they came to the career that they are at right now so brandon you want to kick us off yeah sure absolutely um so i actually started out my career at pwc it was pricewaterhousecoopers at the time and i was a consultant there actually working with peter and mamani

many many years ago and we were offering consulting services to help financial services companies particularly mostly the fortune 500 type firms really improve and use improve their security and use technology more effectively so it was a lot of consulting a lot of technical consulting work as i kind of progressed through my career there i was shifting a little bit from more of that technical assessment work more towards overall program design and program effectiveness and that's where i really got my start with helping organizations stand up security programs so since then i left and i worked at a variety of different firms jpmorgan i worked at a number of different startups across new york both in the healthcare health tech

sectors as well as media and finance as well ultimately i landed at my role here at aws helping our financial services customers really migrate and meet their security challenges as they're moving into the cloud which is a huge challenge that we're seeing across the board for our organizations within this industry so it's been a pretty exciting time and that's what i'm really liking that as people get more involved into specializing their information security that the opportunities seem to open up more alyssa you want to tell us more about your background sure so i'm you know i started pretty much my career path in financial services um you know when i was 19 i was enrolled

in a computer science program at marquette university and this was dot com era so everybody was kind of hiring programmers if you could do any form of programming at all they needed you and it didn't matter if you had a degree so at 19 i started working for a local company here in wisconsin at the time it was called m&i data services and it was a subsidiary of m&i bank and i started as a programmer i spent nine years there uh before one of the uh security managers reached out to me and asked if i wanted to join their uh security test team as a pen tester and by this point we were called metavante and i you know

it was one of those things where i was i sure you know i i didn't know anything about uh pen testing but she was confident that i could figure it out and so i joined that team ended up leading that team through our merger with fis which is a name that probably a lot of people recognize today in the financial services space so that merger took us from a company of 5,000 to a company of 35,000 and you know here i was sitting as the leader of not only their security testing but the complete vulnerability management program for that entire organization but after 15 years of seeing financial services i wanted to get to know what the rest of

the world was doing so i got into consulting i worked for a number of consulting organizations i started off at btins then went to fishnet and got to see some healthcare some other things but then um after fishnet merged with accuvant and they became optiv i moved on and joined aspect security managing their app their program services practice so aspect security was focused on application security and that program services practice was really focused on helping organizations build a complete program around application security so through the fun turn of events i ended up working with a lot of financial services customers again you know it was my sweet spot anyway but it was working with

you know organizations like bnp paribas or the you know frb the federal reserve uh organizations like that and really doing a lot of getting back into that financial services space uh through another couple twists and turns through a var through a product organization i ultimately find myself now at s&p global as the biso directing security strategy for their ratings division which you know is kind of a return home for me um you know after spending nearly a decade in consulting i'm now back to again a little bit different flavor of financial services less banking more obviously i work in the credit rating agency side of it um and of course you know most people

recognize s&p as the s&p 500 or dow jones industrial indexes that we manage so so that's where i find myself today it's been kind of a crazy serendipitous road that sounds great i think that that's what a lot of people need to understand when you're really building your career strategy is that there is not necessarily the straight ladder that i like to call it more the jungle gym and you have to be able to assess the opportunities and risks at each different level what is your personal and professional opportunities and risk and what are your professional opportunities and risks and i think that that's why i wanted to share with many people these various different career

paths because all of us have had to make an assessment as to what our next steps are and you know there really is no true wrong answer you are going to learn something at each step it's just how you're going to take that gift of a failure or a problem and turn it into your next opportunity mamani how about a little bit about your background and your sort of career path sure and you kind of set the stage for you know how you kind of assess opportunities um so brandon already mentioned we worked together in big4 consulting i actually graduated with an engineering degree and although i had offers from traditional sort of engineering firms

they didn't really excite me so i went to the management school and i threw my resume in there and that's how i landed in big four so um this is i'll date myself before the dot-com days just as they were starting to get get um kind of going so it's actually really interesting to be part of a consulting group that was starting to look at sort of what you know e-commerce was going to look like and then overlay security over that so i spent about a dozen years in big4 consulting i did both public and private sector so it was great experience because you got to see so much you know multinational companies small startups in the

dot com heyday post-dot-com bust you know recovering from that because i think all of us have lived through that um and then eventually um i came back to new york so i went down to dc for a while worked in the federal space came back to new york uh focused on finance because you know wall street so you had a lot of finance uh customers there um you know payments were going online um so it was always great experience i spent most of my time similar to alyssa with uh pen testing and red teaming and then taking that and building on that to do kind of program development um governance processes more regulatory you know legislation was coming out um

so helping customers you know kind of address how to meet the that need eventually i left consulting i actually had two kids under the age of two and travel and two kids that young did not work well for where i was in my life so i decided to move into industry and being in new york you know was easy for me knowing finance as well as i did to land in finance somewhere i think what you've heard lots of different work experiences in finance i started in a sort of soc like an operations team you know basically managing the team watching screens raising incidents managing incidents um and then moved to citigroup where i did tabletop exercises like but

they were for like latam or asia pac so what happens if there's fraud how do the different regions in asia pac address it what do you do for your call centers customer service which was really phenomenal being able to work with the different business units within within citigroup i was always fortunate to have a great team um so for me it was always you know fun and easy um and then similar to brandon wanted to see a little bit of not finance um went into media this is when gdpr was coming out so that was really cool going into an advertising firm when the first gdpr regulations were coming up in europe and trying to understand how

you know data is just so nebulous and let's be honest like knowing all your data is just near impossible but i mean you kind of have to with gdpr so uh i was a cso at omnicom and we started putting together strategies to address gdpr and then also like alyssa i i came home i had an opportunity to join security risk advisors i'd missed consulting it's folks i had worked with in the past so it was coming back to my friends and coming back to cyber and getting to go back into helping multiple customers awesome and peter let's let's hear about your career path yeah you you made me go last here boy do i feel old

my career starts a few years earlier than everybody else's so one o'clock back to say 1981 when my mom walked in and saw me and my brother sitting on the couch doing nothing in the summer and threw us out of the house and made us go take a computer programming class that was it started me i've been you know everything i've done has been revolved around that since then when i um let's say when i was 19 i started working for a defense contractor um working on something called unix which nobody knew what that was they said that guy looks like he could work a computer and i you know i became a system

administrator while i was in college back then we were still fighting the commies so i worked on a book called the annual report to the president and congress on soviet military power this is before the berlin wall came down and got to do a lot of interesting things it was really the only place where security was a profession you know cyber security was a profession anywhere right i mean there was a little bit of in banks at that point but even there it was it was still very rudimentary um and i did that for a few years um and then around uh say the mid 90s i went into business with a couple of the folks i worked with

on the military side uh building a consulting company doing technology consulting um there really wasn't like i say a discrete security business back then so yeah i predate the business um i like to say you know old school i've been doing it since it before it was cool um but yeah so so um we we didn't realize we were doing cyber security consulting but we were um in the say 94 when the internet went commercial and and anybody could connect to it it wasn't just military and universities the only folks who knew how to do it were you know folks like us who'd been doing it in those environments so um actually met somebody the other day who

went on a road trip with me in 1994 to try and sell firewalls up in albany new york to the state of new york um so yeah we were selling these firewalls that were sort of home brewed tis tool kit things that you put together yourselves and i did that the company actually did fairly well we actually went public right around the time of the dot-com you know bubble and then you know like everybody else we crashed and burned and um yeah uh thankfully saddam hussein invaded kuwait and my old military friends called and said hey we're getting the band back together um so i i went again and did a bunch of uh security projects over there in the

middle east for a while um in in the consulting capacity um as that wound down i i came back to the u.s and i and like i like to say i joined uh big4 consulting uh pwc and it was sort of like a halfway house because it was sort of like you know what i was doing there but sort of like like a real job um yeah it's where i met mamani and brandon we worked together i was there about six years i did all sorts of work penetration testing security assessments sox control work internal audit work which was fascinating for me somebody who hadn't had the experience to work in financial industry and in in big

businesses like that um you learn a lot of things when you work with the military but uh it's it's sort of a totally different experience doing it in a professional environment that's why i call it sort of a halfway house where i you know i could spend a couple hours in front of the client and be the business professional and then go back and go oh my god what just happened and there were people i could ask to sort of translate it back to language i could understand um yeah don't ask brandon to tell you any of those stories [Laughter] um the funniest part about that is ironically the three of us we i don't know how i don't know how

long you guys were there but it was we all quit on exactly the same day uh went across the street to my cousin owen's bar and drank for a few hours afterwards yeah true story um and then i ended up leaving pwc uh i went um to work briefly in the internal audit team at citigroup auditing their cybersecurity and disaster recovery practices and then uh went to the cyber security team at citigroup actually worked with mamani again so about five years and then i took this role as cso at lazard which has been a great experience i've been here about six years it was you know sort of a a greenfield opportunity which has been great for me

they hadn't had a security practice before and i've gotten to build out a global security practice at uh at a fairly large global financial institution awesome so when i'm hearing the stories of your careers i'm hearing technical and non-technical sort of uh skill development but also you know when you're talking about a finance career you're also talking about learning various different regulations there are regulations that impact you and don't impact you or impact your customers or don't so i just want to give sort of a snapshot as to your technical skill development your non-technical skill development obviously relationship development was really important you the three of you wouldn't still be friends but also you have clients that you've had to develop

their relationships so and then when did you start learning the regulations so it sounds like it may have been a mosaic as you've been building it throughout your career but i think people who are considering this as a career path sort of need to know what the technical non-technical and regulatory sort of goal posts are going to be throughout their career alyssa yeah so i mean it it's boy it's interesting right so because going back as far as i do in financial services you know initially there weren't a whole lot of regulations right we had the ffiec that were reported to the fdic you know those types of organizations government organizations that we had to report to

but there wasn't a lot else and then slowly visa started to you know get a little more controlling and then around 2006 right about the time i was jumping into security is when you know they brought together this pci thing and suddenly now it's like okay they're going to give this thing teeth and we're actually going to have to do something about this so that you know that kind of took on a whole new world of its own and then slowly you know we started to see other government regulations we had the big crash in 2008 which brought on a whole slew of new regulations for us um you know even even following 2001 though

i think back to even that and there was uh you know we got into things like ofac regulations and stuff from the patriot act and and so it's it it's kind of weird because you know my progression in learning it and i'm sure probably my peers here as well it's very similar as we actually grew up as a lot of these regulations were being formed um but now you know stepping into s&p it's different right because a lot of these regulations exist and i've moved from a lot of that banking focused world to now as a credit rating agency you know we're dealing and of course you know being an organization that's involved in the

markets you know now it's dealing with organizations or regulators like the sec and esma and mas down in singapore and others so you know now it's not banking regulations it's these other regulations and when you've got you know you're doing business 138 different nations you you have to slowly kind of roll into that right there's there's not a way to say i'm going to just dive in and know all these regulations and it kind of comes up as you have to deal with them right i mean you know some some countries are more involved in it than others i mean i mentioned kind of the the big three for us uh the ones that we see most often the

fca now is formed in the uk and they're starting to become more hands-on but there's other nations too hong kong south africa russia those are all ones that i'm dealing with right now where maybe their regulators aren't as active but they're starting to grow so i think you know where it comes to learning the regulations um you know it it's a lot of it is just by necessity right it sort of comes up as you need it and i know even in the consulting world when i had to learn things like hipaa and hitrust and ferpa and all these others um you know a lot of it just was you sort of gain that knowledge as

you go and i think hopefully that landscape has changed a bit as more people are getting into this space there's maybe a little more proactive awareness of it because it's not so much that they're forming as you go but i think still a lot of it is going to be just as you get into spaces where you need to know them you you sort of just find that time that all right this is something new i've got to learn awesome so brandon can you touch a little bit on sort of the technical non-technical career progression that you had sort of you know was it all technical in the beginning was it you know non-technical at certain part

and if you could touch on you know which certifications you were really sort of going for it yeah so i think the interesting thing about starting your career in consulting is that you get such a broad range of experiences so one day we could be doing you know a technical assessment might be doing a pen test you might be doing some configuration assessments and then the next day you might be working on some sort of like policy development effort so i think for myself i had a lot of back and forth between the technical and non-technical training especially early on and i think that consulting provided a very broad exposure i would say though that very early on in

my career i was exposed to a lot of regulatory requirements so we had a very large long-term project with a large international bank and we were actually helping to build out some policy controls framework for them that kind of addressed all of these different regulations so you had to really marry some of the technical understanding of how things worked and what was practical with what the regulations were asking for which weren't always so prescriptive and being able to pull those two components together was really important for me at least i think as i progressed through my career though it was back and forth as well so you know i left pwc in that consulting role and i really moved more

into kind of standing up security programs in this kind of green field fashion so a lot of that was relationships and kind of working with other teams especially as the organizations were smaller they had less specialized teams so there was a lot of relying on other teams and kind of leading through influence and trying to drive change with the understanding of how the technology operated and what the controls were but really working with others in that kind of soft skill capacity to try to get that work done and i think that's fairly consistent across organizations it's just that i when you're working at like a startup or something you know you're much more resource constrained so you have to

really manage and prioritize the resources the best you can um yeah so i would say that today you know my my skill sets have been leveraged on both sides like we as aws you know i get a very interesting view into financial services organizations i work for a technology company but the customers i support are within this financial services space so in many ways we're helping financial services customers really navigate the regulatory landscape really trying to adapt their existing controls to meet the regulatory requirements when they're moving to the cloud so it's really understanding the fundamentals technologies and practices of how you operate in a cloud-native way when the regulations don't really keep up right they're not they're not written

for the current age so a lot of the controls and a lot of the things that regulators come in and ask about or even internal audit teams or external audit teams will come in and ask about you know they don't line up with the current day practices so part of that is kind of educating auditors and regulators educating our customers on how you can meet objectives through new practices so it's kind of managing relationships as well as uh kind of helping them understand underlying technical like operations which is really interesting in my mind and peter so you know as you said you sort of started way back when with this how have you seen your progression between

um you know technical and non-technical and you know it sounds like dealing with the regulations has been something that people have just had to deal dealt with as they've come up yeah and so um for me i've always had a technical base right that's what drew me to the field and i i enjoy it it's um it's where i'm most comfortable um i i mentioned before i got thrown into that internal audit role at citi and and the backstory there and and is basically it was right in the middle of the financial crisis right and i i don't know if anybody remembers that but you couldn't buy a job in security during the finance because like the first thing everybody

cut was like yeah we're getting rid of all them security people they're just a cost center so um i took a job in internal audit and and it was not in my comfort zone right it was like it was terrible i hated it but it was a great experience because i i i got to see sort of the other side of that you know when the auditors come in and they ask you these questions they're not just doing it to be mean i sort of understand why what their logic is and what their motivations is and it made me have to really focus on understanding what those regulations are so i could ask the right

questions um like like alyssa said you know i was at citigroup which basically you know in in the same countries as as whatever the number is we you know we're probably in just about all of them and um all of those regulators they want to know what we're doing you know about this and you know cyber security technology business continuity that was the big topic business continuity and ironically pandemic was the big topic because the avian flu had just come through so uh all of those regulators came at us and and it was a great experience for me somebody who was i'll say mostly technical to that point to get thrown into that and being forced

to communicate with the written word um in a way that was really meaningful right so these audit reports had huge impact on people's lives right you know this was again during the financial crisis so if you wrote a negative audit report that guy was probably going to be walked out to the car walked out to his car at the end of the day right i mean it was it was that that sort of tenuous everybody's existence and and um being able to communicate a tough message in a way that was effective but still made it so that you could um you know they wouldn't be waiting for you outside with a sock full of pennies you know so like you know

these you could work with these people afterwards um i think those were the skills that i picked up doing that role um hopefully they've carried forward a little bit and and um you know in security we we obviously have to deliver a tough message a lot of times i i like to say i mean you know we're the guys in technology who have to call the baby ugly i mean you know it's just sort of what we do and um being able to tell somebody their baby's ugly but still have them you know go out for a beer with you um that that's a skill that if you want to survive in this space you kind of have to develop so i'm glad

i took that role learned a little bit about regulations and and learned how to uh i guess a little bit better about how to do that wonderful so yeah thanks uh i haven't heard calling the baby ugly in a while so i i really love sort of the retro feel of you know bringing up some of these terms and i think people don't understand that the reason why we have so many great security professionals is because even before all of these attacks there were other things that are going on there were other global impact incidents that did impact our financial markets it did impact sort of con customer trust levels so i think while we were all

growing up in various different careers we all had these challenges going on so mamani you want to touch on a little bit sort of the the technical and non-technical skill development that you've had to do sure and i think being in consulting as brandon mentioned gives us a unique experience um certainly started out you know with the pen testing i know when i moved back to new york one of my first uh jobs was working for peter for a telecom doing doing a pen test so um but as peter mentioned you have to take that work and try to explain it to an audience that isn't in cyber necessarily that could be an audit team

it could be you know not a traditional cyber team i think you've all heard all of us have worked in fields where cyber wasn't as mature as maybe it is now in certain organizations so um you have to learn how to explain the impact what it means why you need to fix some of these things and so you quickly understand how to understand what business you're working with and i think in finance relative to the regulatory when some of those regulations came in people kind of took notice and i think it kind of helped us um get that sort of acknowledgement like oh so this is why you know changing passwords matters or you know

encrypting your data matter so um it's it's always been start for me at least start with the tech but then being able to translate that and explain this so what of that tech to whatever audience you're with great i mean when i got my original degree in biochemistry it was i wanted to work at the medical industry to just sort of say i understand the tech and being able to explain it to people who don't understand medtech and it's interesting i think that translates so well into so many different industries you can be that technical expertise but that additional skill of being able to translate it into layman's terms being able to make it something that people can sort of digest

and use and that is something that we're seeing a lot in our industry is being able to translate give that information to sort of the c-suite so that they can make business strategy and i think this is a translatable skill no matter where you go you need to be able to be that person that can be the ambassador the tech ambassador or the tech liaison and if you find that you're really good at storytelling that this is this is definitely a role to think about so we're opening up this sort of career field to people in our community that may not have ever looked at it what are some of the challenges someone who is coming from

shall we say not necessarily the outside but a different industry what are some of the things that you encountered coming into this industry that would you would like to lay the path clear for other people coming industry what challenges should they be thinking about as they move forward so brandon let's start with you yeah um you know that's interesting i i again i started my career consulting for this industry so i'll give it kind of a different spin on it um i think leaving the industry for a while made me realize how different financial services is from a lot of the other industries that i i was in and i think some of the things that

stuck out to me are just the the heightened i think level of security because of conservatism due to these that that they operate within they have heightened regulations you know they're dealing with people's money there's like financial systems and transactions going on so there's a lot of risk involved within the industry that doesn't necessarily translate to other industries so because of that when you're operating within financial services i think the expectation is that you have much more tight controls and restrictions on what people can and cannot do and that was really surprising to me leaving because that's just i just assumed that all industries were kind of operating the same way and then working in other

industries i noticed that you know things were a lot more lenient there was a lot more um except like you could actually access things from your workstation and you could check your email and that was just blowing my mind right so i think people coming into the financial services industry that's something that typically catches them off guard and the other thing i would say is that we touched on the regulations and i think that people talk about it but and maybe it's kind of intimidating to some people to think about like all the different regulations that they have coming into it but i think that's a big difference between financial services and most other industries that there are some

exceptions there but the financial services industry i think is very complex from a regulatory standpoint there's i think alyssa you mentioned there's regional regulations in the different countries there's you know different regulators and then within the united states there's different regulators according to kind of like sub-sector as well so it becomes a very complex industry when you look at it below like the financial services umbrella right there's like payments there's insurance there's capital markets there's banking so when you think about that i think that that is always kind of surprising when you don't realize until you're in the industry how different even the sub sectors are between one another that's great so alyssa what were some of

the things that you see as challenges for people come in because you know when we talk about any regulated industry as you pointed out earlier and brandon touched on there are different regional areas but then you know there's also sub sectors so what are some of the challenges that people should just be aware of when they come into this industry yeah so i mean i'll i'll speak to two of them that i've run into um first is you know kind of to your direct question kathleen you know in the financial sector in particular there is a really significant understanding of risk but that understanding of risk is so much larger and so much wider than you

could possibly imagine from having worked in like other organizations you know so working in health care risk has kind of a narrow definition um you're working in startups if people even understand what risk really means you know so a lot of times in those environments you're the one kind of bringing that expertise and when you get into the financial sector in particular risk is such a strong topic and it has so many dynamics to it that a lot of times you're just one piece of a very large risk story and so if you've come from another industry in particular it takes some getting used to just realizing that like okay i'm talking about risk in terms of cyber

security but there's a lot of other risk factors here that i don't even necessarily understand and so you know that's something that you really have to come in prepared to tackle uh that learning curve the other thing i'll say and this is more on the i guess the culture side of things is quite bluntly there's still a lot of financial services organizations that hold on to that boys club attitude and and honestly that that demographic right um so being a woman in cyber in financial services can be kind of a challenge sometimes um and you know so a lot of those things i don't i mean i could speculate on a hundred different reasons why that persists stronger in this

particular industry than others but it doesn't matter why the fact of the matter is that is the case and you know a lot of the large organizations the citibanks the s&ps the jp morgans a lot of the names that you recognize they're they're making very concerted efforts to address that but a lot of those just you know those attitudes still persist and it's just it's something you have to be aware of and and constantly working you know to try to work against or to try to work around as the case may be sometimes so you know i mean i hate to paint that picture but that is the reality if you're you know non-male and looking to

get into this particular very conservative space great so i'm just going to push it over to mamani and sort of you know what maybe you've experienced that same challenge what other challenge should people from the outside experience or be prepared to experience definitely echo what alyssa said um usually the only female and person of color in the room especially in cyber it just is what it is but i would agree there are concerted efforts happening um and i think i'll echo one other piece on culture um the culture is also very i'll say collaboration isn't always the most uh upheld value um and that you kind of have to work through as well like building those

relationships building the trust is not trivial and that's where the technical basis um helped at least helped me um gain that level of kind of credit you know that okay she knows what she's talking about but it's not um people are just instantly open in other industries i've been in or in like a startup type environment you automatically have a level of togetherness and we're in it together and i would say you know building trust and a relationship in financial services takes a little bit more effort and requires a little bit more uh work on establishing your credibility um the other thing i would say is the scale brandon alluded to the complexity of the

business in and of itself and it really is a i won't even like say that i truly understand all financial services and then you get into the types of financial services and products whether it's consumer you know investment banking or insurance like they each have their own business model don't be daunted by that but because it's also opportunity to you know traverse within one of these within the industry and and you know work on different types of projects um but it is i mean the scale of financial services is is pretty pretty broad um there's a lot of different types of uh work that happens and globally right i mean pretty much every financial service has some type of global

footprint so um it can be daunting when you're first starting out and like building those relationships um and getting to the boys club but at the same time once you do that you'll find yourself having a lot of opportunity to learn and experience some really cool things wonderful so peter i'm going to have you touch on this question and then kick off the final question which is so if you could address sort of a challenge someone should be aware of coming into this industry and then move us into your how does someone get into this industry and be successful so career recommendations all right so um the challenge i think we all sort of alluded to this it's a

really aggressive industry like people in this business they're generally just outwardly aggressive and me coming into it i've been around a lot of government people government people tend to be like passive aggressive and and you you know that's one way but no this is in your face what are you talking about you are an idiot get out of my in office like that's a that's a tuesday in some places in on on wall street it's just um and you you kind of have to get past it i mean you know it's better it's not nearly as bad as it was say in the 90s i think we've all gotten better at culture and um more tolerant and all of those things

but it's you know as a few folks alluded to that that is still you know sort of underlying a lot of this like you can i've gone into meetings where you could see people like and they're like holding all of that in while they're giving you um you know sort of more polite feedback but um you know i think the other challenge um is that the dollar values involved right so you go in there with a cyber security risk and you say hey listen we don't fix this this could be a 10 billion dollar hit and you know this and that and then there goes it's a you know it's a 40 million dollar profit deal if i don't

do this deal we definitely lose 40 million dollars you're saying i might lose 10 million if i you know there's not you know so um it's it's a sort of different mindset because the numbers are so big quite often um that you have to adjust to wonderful so i apologize we're we're running out of money i'm not running out of money we're all talking about finance and i'm thinking about money like you're talking about billions and millions of dollars here so um just some final career recommendations peter you kick it off and then mamani brandon and then alyssa so go final career recommendations yeah so i i'm gonna say don't be afraid i mean go

put yourself up for the role that you think you you can do put yourself up for a role that you think is two steps ahead of what you think you can do um we need the help in the space there's a ton of open reqs um there's a ton of um of people that we need to fill so i i would say it's an aggressive industry they will respect you more if you sort of go out and charge at these things aggressively and and don't be intimidated once you get here um and if somebody is does get in your face get right back in their face being a new yorker brandon what about you what are your

final career recommendations uh i would agree with peter and that there's a lot of opportunity and reqs open in the space and for people who are trying to get into finance i'm a little biased here but i think that all of the firms that we talked to are thinking about the cloud and it's very likely that if you're working in other industries in security you have as much you're probably more experienced than many of the people with cloud security so they're definitely looking for people with those skill sets and if that's an interesting place for you in terms of capability and you want to get into the industry i think that's a really nice way to

pivot into financial services firms mamani i would say uh ask for forgiveness instead of permission um it's kind of to peter's aggressiveness uh just don't trust yourself go do what you think needs to get done um and ask for permission later great alyssa wrap us up all right i'm gonna go completely different and i'm gonna say get paid literally and this is probably because we're giving i've given a talk on that at def con career village but um literally get paid you know as was mentioned this is a conservative industry they're financially very fiscally conservative right and they are going to when you're in that job offer stage and you're negotiating your job offer they will push back on you but don't be

afraid to you know know what you're worth and and push for it because at the end of the day as brandon mentioned there's a desperate need in this space for cyber security talent and these organizations although they won't let on to you in that job search that they are they're paying top dollar to get you so know what that position is that you're walking into what it is worth and make sure you get yourself paid because if you're underpaid you're not going to enjoy working in this industry i can promise you that great wrap up well brandon mamani peter and alyssa thank you so much for joining us today and thank you for sharing with us your career paths and

why it's so important and interesting to go into the finance information security thank you everyone so thank you everyone for joining us for the finance security career panel one of the things that we like to do here at hire ground is really make sure that we open up everyone's eyes to the variety of career paths that are out there so i'm really thankful that our career panelists have joined us this evening on sunday we've had a great time here in the green room sort of sharing our career paths and our backgrounds and what we're drinking and one of the questions that came through on discord was if you're in a finance security career already how do you move

from sort of mid level to sort of pushing yourself up understanding that you know when you've established yourself in a career then it's moving to that next level how do you take that risk how do you evaluate the risk moving to the next level so peter is your long as our long time career coach here why don't you kick this off and then we'll move to mamani alyssa and then brandon sure so um i think the the first thing is sort of pushing yourself outside of your comfort zone i think we all as we move to that mid-level of our career we find sort of comfortable grooves that we can get stuck in and i think you have to challenge

yourself to sort of push beyond that um make yourself get noticed by kind of the extra assignments you're taking on and i most of the people i've talked to the mistake they make is that they don't give themselves enough credit they think that that's something that's a role i couldn't take or that's an assignment i couldn't complete um you're probably capable of a lot more than you think you are and and you know you should err on the side of being bold and and that's how you move forward i mean and you want to work for an organization that's going to tolerate you being imperfect because everybody's imperfect and you're going to make mistakes along that journey

but don't let that stop you mamani um i would also say don't focus just on the kind of group you are in look outside that team i mean you can stay within cyber but you know it even if you're comfortable in one role push yourself to try a different role that's at that higher level and another point i would say is build relationships outside of your team get other folks to know who you are know what you're capable of get exposure outside of your group um and put yourself out there and as others notice your name's just gonna float to the top great alyssa yeah a lot of what i was gonna say kind of mirrors that and that

is you know the more that you show that you can bring together the other areas of the business and unite and work across those lines that's something that really establishes you as a leader um and then you know to that end um it's really about understanding the business that's how you're going to do that and that's also what as you broaden and start to work with other areas just showing that you really understand the business side of things and can apply what you're trying to do from a security perspective into that broader scope and and bring those teams together those are the kinds of things that are going to ultimately get you you know on that list if you will it's a

horrible way to put it but uh you know for that that next leadership opportunity brandon yeah i would agree with what everyone has said before um the only thing i'd add though is just be don't be afraid to be a little self-promoting right it doesn't have to be a boastfest but just make sure you are able to highlight your accomplishments and just make it known to people that you actually are looking for that next step in your career because people aren't necessarily going to just do that for you so the one thing i want to add in here in any career is to look at that there's a difference between a mentor and a sponsor so a mentor is someone

that you're going to meet with who's going to be able to answer questions sort of help you think things through a sponsor and this is not a financial relationship but this is a person that is at a senior level who has taken an interest in you because you have proven yourself to them and they are going to advocate for you to be um moved up the chain so it's understanding that there are those two roles and finding out who they are now it is not like the military where there's you know insignia that tells you who is what but find you know building your network is a way to do that we've had a question in discord from

sort of someone who's in the beginning of their career who's done a lot of security uh profession but they want to know do they need to have finance or economics should they take those courses to move into finance security so mamani do you want to kick it off alyssa brandon and then peter sure i'll start by saying i had none um and i went to engineering school we made fun of the business majors it's a thing don't ask um but i will say uh to alyssa's point um because i started out in big 4 consulting one of the first kind of tenets is understand your customer understand the business because you can't solve problems unless you know what the real

you know problem they're trying to solve is so i think the nature of whether you're an infosec or not i mean no matter where you are you do want to try to understand that business i think it's totally fine to learn on the job i certainly did in different industries um i think it does help to talk to people within that that are not in infosec that might be in like the investment side or the customer side um but you can learn on the job in my opinion yeah i mean there's not much to add to that really other than i mean you asked two questions i don't know if you realize that kathleen do you have to have it no should you

perhaps it will help but also understand that bringing a little bit different perspective can be just as valuable as coming in you know as somebody with a business degree brandon yeah i think understanding the business will definitely help so totally agree you can learn on the job i didn't have any real direct first-hand experience with finance going into my first finance security career but i think understanding the context and how the business makes money and where the business process flows are where the data is will only help make you better similar to every other industry but i think in finance it's very particular because there's a lot of very structured business flows and transaction flows that

that you should be aware of so peter i'm going to delve into our next question with you so a lot of questions are coming up in discord about regulation compliance and understanding regulation compliance and how that impacts your career so how how do you navigate that so so i think i i'm going to tie back to the last question and i think as you move forward in your career understanding the business becomes more and more important right if you're a soc analyst who's looking at is this malware or is this not malware the fact that you understand the you know financial transaction or you can quote the black scholes equation to you know to determine uh futures it

doesn't matter right it's it's not important but um as you move forward and you want to be seen as a business leader who's making security decisions to forward the objectives of the business you actually have to understand those objectives of the business and you have to be able to speak the language of the people who decide on those objectives so so so i think you know like i said the further you go in your career the higher up you want to move in that ladder the more it becomes important um you know and i think the regulations tie into that you know where um the regulatory requirements get pretty complex with finance right and in

one of my previous employers we used to like to say that we are far more regulated as a bank than somebody is who runs a nuclear power plant right and that's an enormous amount of things you have to understand and again the further you get in your career and the more you know the higher up the ladder you go the more important that gets right again if you're at that is this malware or is it not malware level it probably doesn't matter that much but if you're trying to explain to the ceo why he needs to spend this money to mitigate these risks understanding those complexities become more and more important so we only have a few seconds left i

want to have each one of you give sort of your parting thoughts for why people should consider this career so alyssa do you want to start off then mamani brandon and peter i mean it's a very stable market that's not going to go anywhere right i mean we are going to have money and deal with markets and things like that as long as there are humans on this planet so you might as well uh if you're looking for you know if security wasn't stable enough financial services and security makes it even more stable mamani sure i'll say uh most financial services tend to have some level of international or at least multinational aspects to it so if that's something

you're interested in there is opportunity to you know travel and see different pieces of the business around the world so another another pro brandon i think working in financial services you really do get to see a lot of really interesting things right you're seeing all sorts of threats out there from you know undirected kind of opportunistic threats to really advanced nation state actors so i think that breadth of challenge is really interesting that you don't necessarily get in other industries and peter wrap us up yeah so i think alyssa mentioned this while we were recording the panel um like willie sutton said this is where they keep the money so that is probably everyone's number

one reason to get into finance but i think that also inspires a tremendous amount of attacker behavior and you get to see things in this industry that you won't see anywhere else it's also the most mature by far of any of the any other verticals out there so if you really want to test your skills this is the place to do it okay well i want to thank all of you i mean it's it's amazing that we're able to do this virtually i'm so pleased that we were able to bring this panel together and i thank you all for your time on a sunday afternoon when i know we have so many family and professional obligations thank you so

much and if you want to continue the discussion in the discord please feel free thank you bye