BSidesCharm - 2019 - Timothy Schulz - Technical Leadership: Its Not All Ones and Zeros

i'm going to start my name is timothy schultz i'm a cyber adversarial engineer at mitre and today i'm going to talk a little bit about leadership and how it applies to infosec and technical professions in general so as far as the inspiration for this talk so leadership has been a passion of mine it's something that i wouldn't consider myself an expert in but it's still something that i really enjoy either reading books or just understanding more on the topic and so i thought wouldn't it be great if there were more conferences and speakers that talked about leadership and so i was looking for some and i found a few resources but you know i kind of vented on twitter

that i was hoping for more resources and one of my co-workers sarah challenged me to be the change that i wanted to see and to actually give a talk on it and so that's sort of the overall inspiration for this is sarah so i want to give her a quick shout out so if there's one idea i want everyone in here to walk away with is that anyone can be a leader and so what do i mean by this a lot of people when they think about leadership think of it as positional you have to be a manager you have to be somebody that has people under you that report to you leadership is influence

and so whether that's helping a junior member of your team with a tough problem that they've had and maybe they don't even report directly to you that's something that anyone at any level of an organization can still be effective with and so that's the one idea i really want everyone in here to walk away with if you don't hear anything else so a common question with leadership is where do you start there's a lot of really great books out there and there's thousands of them everyone's written a book on leadership and i've read a bunch of them there are a lot of them are good some of them are okay but these are sort of the three points that

i would like to get across if someone you know when people come to me and ask how would you start leadership and the first one is get involved second is get humbled and the third is getting feedback we're going to dive into each of these so the first is getting involved so what does it mean to get involved i'm talking about looking for leadership positions and that influence that i talked about outside of work that's one way to do it obviously inside of work is is best because then you can actually apply the leadership for learning in your field but leadership transcends specific fields and that's where if you want to work on something that for

instance in cyber security you wanted to apply your or learn leadership while still applying your technical expertise you have things like cyberpatriot ccdc girls who code those are all organizations or as i should mention besides chart a local security conference that has awesome volunteers that are here studying up on friday and so that's those are all opportunities that you can take outside of your work that will still benefit your leadership building so learning to fall is another really important one this is where it's about identifying leadership traits that you find important that you you hopefully will you enjoy being led by good leaders and so understanding what leadership traits within yourself what you value and how people can use those

effectively are all things that you sort of want you always want to be assessing as you work through your projects as you work within teams and so with this networking is vital to success so we're going to dive into this a little bit more later but that's sort of a baseline you need to have a large sphere of influence people you know uh to help you solve problems and so this to to sort of touch on information security we often have a lot of turnover every few years you'll have people leave you'll have new people come in it's important to keep in touch with people even after they leave it doesn't have to be a lot just sort of

exchange contact info i know whenever i have co-workers leave they'll send out a final email out to everyone with their personal email and say hey reach out and i did the same thing when i switched jobs and i can count on one hand the number of people that have reached out since but that's something to just sort of keep in mind is that you always want to sort of keep keep an eye on each person that you interact with because they might be your entry to another job or they might help you solve a tough problem in the future so i said we're going to get into networking and now we're going to dive into that

so why is networking important well a good sort of guide here is treating every interaction like a job interview uh and so i say this is a guide instead of maybe a role because this is this is tough to keep up whenever you're talking to a lot of people for instance at a conference and it's it's a lot of it's a lot of work frankly to try and do that every time so that's why i say it's more of a guideline than an actual rule but businesses work through relationships this industry works through relationships and so as you interact with people i know that's something that i've encountered in my position is i am not

good at things like reverse engineering or cryptography but i know people that are and so whenever i encounter an issue with one of those areas or maybe i need a software engineering team or i need someone that's better that knows the financials of how our company works those are all people that i've built relationships with so that whenever i have a problem i can give them a call and so teams teams overall do better than individuals we all work on either ctf problems here that are occasionally at work we'll get maybe a challenge that we are the only one that's really contributing to but i'd argue that those are more the exception rather than the

rule most of the times you're working with people or the reason you're working on one of those problems is to enable someone else and so that's why you you need to be a good team player and as a leader you need to know how to foster good teams and so the last point i want to talk about here is how people open up their network to you i talked about how i know the reverse engineers and i know someone that's good at cryptography and so even if they're not this person that's going to solve my issue with either of those fields there's still someone that i can talk to that will know the people within

their field that might be able to solve my problem so the networks sort of continue to expand and that's why it's super important to continue to build relationships so talking about networking if you're an introvert in the room maybe you got a little bit tense when you heard that hey networking is really important and this this is something that you're going to need to jump into well that's why when i'm talking about networking it's more about building relationships than anything it's not necessarily the corporate banquet that has 300 people and you need to go work the room and talk to everybody so there are a couple different ways that you can sort of approach this

one is to make your conversations with people one-on-ones that help whether that's going out to lunch or just having a conversation maybe you know off to the side of a large group of people that can make make it easier to sort of have those connections without having to talk to an entire group so i say bring food right have a candy bowl and uh by previous office we had a dorito bar and i'm not kidding when i say we had six different types of doritos that people could all come and and partake in and so our office at times became almost rowdy with the number of people that were in it so it was it was sometimes

tough to get we'll say real work done but it it provided this area this community that i could i got to know a lot of people through their time spent uh when they would just come in to get a few doritos and 20 minutes later we were still chatting so this going to lunch is another one i sort of highlighted that as far as the one-on-ones but especially when starting a new job this was something that i encountered almost a year ago was i switched jobs and so the team went out to lunch every day so i went out to lunch every day to sort of get to know them to see what their hobbies were and whatever they

were willing to share with me and that was sort of important for the team building aspect and even if you're not going to eat what what they do right you know people have different diets that kind of thing but just going out and having those conversations outside of outside of work it does help build those relationships within your team so and that's where you know you keep hearing me talk about building relationships these are all about having a i'll call it a real connection with people and that's whether that's remembering what their specific hobbies are or whether or not they are you know attending a conference or how how something went all those types of

questions and especially remembering the answers to those are really important will help continue to build your network and relationships so networking for extroverts this is something that uh most extroverts would maybe work a room they'd be really comfortable building out their network but especially if you are an extrovert and you're in a technical field you're going to run into introverts and so you should use basic the previous slide as sort of a guidebook on what you should help what you should do to help enable your conversations with those introverts and so part of that is for instance science is golden that's really hard for me and so i like to fill silence with words and they might not mean

anything but that's just i like to fill and so that's something i've had to adjust whenever i'm talking to somebody and i sort of identify okay i'm sort of dominating this conversation because i'm just talking and so make sure you have pauses slow down ask questions and they shouldn't just be sort of meaningless questions that you're just waiting for the answer to come so you can jump back in you need to actually engage with the people that you're talking with try like i said remembering those small details is really important because it shows that you were actually listening to someone when you talked to them earlier and so they'll remember oh hey i you know can't believe i told so and so

about this hobby and they remembered it you know three months later so it means a lot and i like a stephen covey quote here which is seek to understand before being understood so kind of conveys it pretty pretty simply and that moves us into getting humble so just because you are a technical expert does not transition quite so easily into being a leadership expert one does not always equal the other you can be a technical expert and a expert or a great leader but there's still skills that have to be worked on independently so you wouldn't expect someone who you know was fresh out of school maybe to be an expert c plus plus coder you know you would

expect them to build that over years of experience and the same thing should be said of soft skills in general but leadership especially it's something that needs to be developed you're going to have to try things out you're gonna have to learn how you develop as a leader and then you're gonna make mistakes everyone makes mistakes it's all right and you're gonna iterate on that and so we'll sort of get into the feedback part of that in a minute so the next part of getting humble is learning from others everyone is a teacher including yourself so what you're learning from each individual is you can sort of categorize it if you're under a bad leader if you're under

people you don't agree with try and try and figure out why right is it a behavior is it their help on things those all will inform you and on how you can be a good leader later because maybe you are looking at a project and you don't agree with house b manage that's something i take notes and i say all right so now whenever i become a project manager or i'm running something i go back to that list and say what are were all my pet peeves that i had on other project leads and to make sure that i don't do the same things so that's another thing that's important in this is just because someone

isn't a technical expert in your field doesn't mean that they can't contribute to your project in some way so this is especially important in today's world where teams are more diverse as are as diverse as ever and it's it's interdisciplinary uh you you need people from all sorts of different backgrounds to help solve some of these really complex problems that we're talking about today and so if you're not able to humble yourself to get to a point where just because they don't have the exact same background and expertise as you that you can't have a conversation or can't work with them that's going to be a huge inhibitor to your leadership and just your career in

general so knowing yourself this is this is sort of a lead into some feedback but learning how you communicate and how you respond to other styles of communication is really important how we communicate is uh i feel like well for social engineers you have a breakdown of nonverbals versus what you say and so i don't remember the exact percentages but a large part of communication is in like body language and understanding what how the other person's responding to you so a way to look at this a sort of uh framework i'll say is disk you may have heard of it and it sort of it classifies uh communication styles into four different uh four different categories and depending

on where you are in that it's going to influence how you communicate with those other three three parts now it's great to do this uh individually because it's a self-assessment to some some degree and as with a lot of these uh sort of leadership tests they are self-assessments and so you have to try and be as honest with yourself as you can when you go through them because otherwise you know your answers are not getting they're not going to give you as good of information so the cool thing about disk and some of that is we've uh what i've done in the past is done this as a team and so you everyone takes it

individually and then you get together and so the key thing here is because it is a self-assessment i see how others view themselves and it completely changed the way i communicated with one member of the team because i never saw them as analytical as they were and so that's where the power of taking these and seeing how you communicate versus how they view your communications is important and so that meant that whenever i talk to them or look for their advice in the future it's very deliberate with how i made that communication to match with their style so that we didn't have to jump around something because sometimes i had a bunch of filler words or something

like that they wanted straight to the point so that's sort of a quick example of that and then the last point is getting feedback so feedback can be intimidating from especially when you're going and asking for it especially if you're worried about it being negative so that's where i say i recommend starting with trusted peers here people that you know will give you the good and the bad if that's really what it comes down to and so that's something that i want to touch on as far as the give and take with feedback so getting feedback gives you additional data points in how you're doing how other people view you and just like when we receive negative

feedback and maybe you know tense up a little bit getting positive feedback feels great whenever we go you know you look on amazon the five-star reviews right at what everyone wants but that's where i feel like while we like receiving good feedback how often do people give it out it's just as important when you're giving feedback as a leader to give out positive feedback in addition to changes that need to be made so this is where interim feedback is much more important than maybe a once a year or once every quarter depending on how your performance review system works and iterative feedback allows you to tackle small problems as they arise in teams instead of have

having something faster and get to a point where you know the worst cases someone gets fired because there was a behavior or there was something that wasn't addressed early on so to give a story here one of my english teachers back in undergraduate would give uh she would give the uh the score to your paper and say we can we can talk about this score but we have to wait 24 hours and so that was to let people calm down especially if they got a score they didn't like and so this is where if if you're somebody that takes feedback especially negatively maybe you get angry because you you felt like that that was uncalled for because

feedback is it is personal and you're asking for someone's opinion on how you're doing and so that's why i say try not to take it personally especially the first few times when you're trying to build a feedback loop because if you react super negatively the first time then people are less likely to give it to you more often because they're like i don't want someone so to get mad at me made it you know made the team environment bad for two months and you know or we never recovered so that's something just to keep in mind is that say thank you and then walk away and you know you can you can roll it over and you can go talk

think about it and then you can sort of come back so as far as getting feedback we've talked about you have your self-assessments you have your trusted peers you've gone and asked now your peers might also be giving you formal feedback they might be feeding into information that your boss or the team lead is also going to be giving you as part of maybe your performance reviews and so that's where you want to create this culture of feedback where people are addressing these problems a healthy team is someone that can they can tackle all the small things as they come up whether they're good or bad and so if you're looking for more formal methods of feedback for instance

there's a 360 degree uh is a common feedback mechanism that books that looks at the people that you're working for the people you're working with and it tries to get a bunch of different angles of feedback on you and so a lot of times it's good to have a coach or a mentor that will help work you through this process because getting feedback from people can be difficult especially if it's not part of their job and that's why i again tie back to having a culture of feedback so that you'll get feedback even unsolicited and you're not going to have to hunt people down and sit with them and try and you know maybe that is a more

intimidating environment for them you want to make it easy for them to give you feedback so a quick little framework on how you can start with feedback people have heard of the compliment sandwich right where you you maybe give a quick compliment you throw in your negative and then you end with a compliment hopefully that's often the blow well start stop and continue is a it's sort of called a similar method but it's something that's meant to be done on a regular basis say every 30 to 60 days and so i've sat down with project leads and had this conversation that i'm looking for feedback i want to address things if they need to if there are issues that

arise i want to address them early and often and so i want one to two things to stop doing one of two things to start doing and one to two things to continue doing so this gives them gives them specific things when they're when they're giving you feedback specific goals for the feedback because oftentimes if you sat down with somebody right now and said hey give me some feedback they'd say like you're doing you're doing fine doing good what does that tell you it doesn't tell you anything you know that maybe confirmed what you already thought like hey i'm awesome but you you really want to get constructive feedback it's really important and this helps

create that framework for it so you can you for example uh some feedback maybe i've gotten is one the two things to stop will stop having brainstorms in early in the morning in our office because i can't get things done start engaging with sponsors more often because you're good at that and we want to make sure that they see they are able to connect with you and the rest of the team and then continue was continue to engage in hiring the recruiting process because that's something to not seen direct benefits from so a quick review of the the three points getting involved getting humble and getting feedback any questions thank you