BSidesMCR 2019: Increasing Security: New Recruits - Rachael Stos-Gale

you right so I'll stop I went to b-sides leaves in January of this year and when I did that I was in security I wasn't in IT I've been at home as a housewife for 7 years 7 to 8 and I've been reading about the CCN it's been reading the book doing some study was that but I thought security would be something that might be interested in I had followed people on Twitter and security accounts for years I never thought of it as something that I could do and the last minute I am managed to blag a ticket to definitely sold out B site leads by saying hello am i worthy cause I've got towel care if

anybody's got a free ticket let me know I'd really like to go and see the the keynotes you know please you know if anybody has well let me know so I tagged in the keynote speaker with that because I did want to see her she retweeted thank you very much and that and then I got him very kindly chat from Symantec said oh I've got spare one you know you have mine so as I thank you and I came I saw a whole selection of talks and I was really excited so Owens away and studied and not long after that I got my first job in security and doing exactly what I wanted to be doing so

this talk is really about how I came to be in security from the point of view of somebody who is completely outside the sector but hopefully there's something useful there for you if you're already in IT or if you're students and and this hopefully will have something in it as well for people do recruitment if you're thinking that's your standards passive recruitment aren't always furnishing you with the range of candidates that you'd like hopefully we've got somewhere and some ideas here about ten how to find other people so first thing we often hear if we can't get the people why not well we know that basically there aren't enough to go around that the figures on this or

something like by 2022 just in Europe this meant to be a shortfall of security professionals of about three hundred and fifty thousand people so it's huge it's a new sector but there aren't enough people to go around who are already qualified if you're going to recruit people for entry-level positions and we're in a good position to look for people who aren't already in security potentially go and see didn't I teach but the question then is will there be any good that's what you want to know and will they be ready soon because a lot of pathways and suggests you know yet you can do this come to our degree and I thought what I could do but I've

got you know but it's agree I've got a professional qualification and I can't really at that stage I thought I can't go back to uni and do it all again I just need to find a way in and so what are the barriers to peer to entry for people who contemplating their career change no these are my thoughts so time the investments of time are you going to you know I'm 37 now I didn't really want to spend three years doing an undergraduate degree in a completely different area money also I've got student that's already you know you've got to think how much is it going to cost you to get into the sector that you

want and the third point security in this case is it is a safe bet but the biggest thing I think that so a problem within security and recruitment is that nobody outside knows what we do they don't know the the roles of job roles they don't know how they fit together how that built into a career past even within the sector kind of we're all slightly Mavericks finding their own way to its you know great the job of time and now I'm an analyst I can go to be a senior analyst and as hecklers have passed there so that you know or I could go in a different direction but it's hard to tell from outside what it is what it

looks like even if you go on prospects start at UK you know Career Service website it doesn't really tell you very much about what the job entails so it's hard to know what to apply for it doesn't tell you very much about how the rules fit together and build into a career if that's something we can gets out then we're in a much better place to help people understand that it's worth coming in so my comments here is why take people from outside IT now this is a slide that's kind of focused it recruiters I'm jumping backwards on boards all the time between hopefully they're kind of applicant size and they're approved aside so my take people

from outside IT for the first points you've got more people to choose from good starts second career changes of extra skill the skills so my point there about since accents customers needs if you have somebody who's been working in the automotive industry or in HR or in everybody needs security some of your customers will have that kind of different world you know to you and if your team comprises people who know that sector or who know something about it then you're getting for the same price as your other new entrants you're getting some extra expertise that can help you home to your customers needs and different emotional and soft skills are honed by different roles now my

thinking here with this one is different roles need different skills so if you have somebody who's say been working a night shift in the care home they will look probably at some point how to do that make that decision don't call an ambulance now for this person do I alert my superior or do I do I just know Nightline right now if you're making that kind of life-and-death decision to look after some else you're an very well-placed to make the decision and feel brave about it when you think right I'm here on my own in the office of you know with a skeleton staff at like 3 a.m. on Sunday morning do I now wake up this director

and say I can't leave any kinda get through to anybody else on the calling tree but I think there's an incident you need to get up out of bed somewhere everybody up because that you know it takes some nerve so that's the next bit grave as can be if you are doing a career change that's so dramatic it takes nerve because when you learn anything new there's a lot of being wrong and it's embarrassing and it's hard especially if you've done something else and been good at it so then go back to the position of not being good at it and just you know doing all the stuff failing which is kind of the learning

process that's that's hard so the people that you get coming in a brave committed quite often taking it and a pay cut to go to your new sector not always depends what you're doing before but you know say the same prices are their entrance that's not unfortunately for people coming in that's from the employers side and people often don't don't really change feels to stand still from my own points of view having seen that so I was able to change fields you realize I've changed my life this was huge I wanted to do it and I've done it so what am i doing now so consequently you get motivated people who are ready to do

something else also I know people looking for more diversity in their teams if you think that IT is still really quite right to mail if you look in that if you're looking at pool you're going to get more of the same so look at something else at different sectors okay so this is also for recruiters what can we do right now this is all great thing needs the problems we know what they are how can we get people interested so my first point is have a low risk path that you can tell someone who expresses an interest the path I follow to get here in terms of the study was quite low risk in terms of money in put into

it the time that I spent on it but it was interesting so buddy it was one of these things where nobody was watching me I could put as much or as little into it as I wanted and do it at my own pace so this is kind of a low-risk entry thing so I'm going to show you I'll put my qualifications up on the last slide that's a sex talk so you can just if you if something interests you you can then take a photo or whatever but here we've got to open dates now I did have it I think we should have open things so people can see what we do and then it's

stricken with it I work in a secure environment you know keypad to back to education you think yeah this is yeah so I'm not sure quite how about that but maybe just go on in there there's some people or if you check them out for us I don't know but that's a thought the other thing is promotional material that explains what what the job actually is how they fit together and how you kind of work through it in a kind of pathway to a different career and this is the big one for me make sure you're not putting people off by asking for too much on the job spec so there's a well quoted report

the fueler Packard reports that was in Forbes in 2014 it's being referred to a lot women are less likely to apply for a job if they don't meet all the criteria so if you know it's after that anybody who's quite anxious because men can be anxious too so if you want to widen your pool of applicator applicants you know don't make it too overwhelming if it's an entry-level role if you're asking for something like I don't know security plus you could say fine or you know see you I say plus these are things that I'm looking at under I'm working towards the some of them will say oh I think it's about doing this after you've got three

years experience it's that catch-22 it wasn't meant in the last talk you know how do you get experience maybe what you need is not a set of qualifications but attributes for somebody to do the role so what makes a good analyst because this isn't this is my experience defensive side when I came to the talk it was by beside leaves the keynote was by some heroes and she was standing at the front telling how she German implemented a whole kind of security learning process as it engaged people and they you know improved their level of understanding and it's in a large firm I think it was a law firm and she was talking about how you got people to

engage with learning and how we get them to to learn take things in and it struck me as a former English teacher and from a secondary school sitting at the back I thought my experience is actually relevant here I know all this I'm you know I can I can I can do this I've got something here that can be useful in this career so this is some Bloom's taxonomy of them so we've got here this is kind of like the first lesson of pedagogy in your PGCE you know different orders of thinking so the idea is the higher are the top three of the higher order thinking skills now if you're going to be an analyst in a sock for

example you need all of these so we've got the knowledge level comprehension we understand it more deeply I mean these are broken down you can see apply it to something see if that was good and put it all together and develop your own comment on that so these are all our higher them or the thinking skills these are things that we need to work with analysts the other things ask my colleagues some more senior colleagues what actually makes a good analyst in your experience so um the response I got it's not about your level of knowledge or experience it's about your ability to gather information and cut through it to the juicy important bits and technical

skills are great but more valuable it's a sensible head for knowing how to approach any problem from a position of zero knowledge because we're all going to be looking at new threats if you're sitting in the top there's going to be a zero dare you haven't seen before that's replicating and you don't have to do with it so you have to know how to approach it even more than what it is also we're a new industry if you can do the part of working out your own path plotting all this because this is not something these are skills to have to learn and to get here float your own path you know you decide your own syllabus what's

the stuff that you have to learn you need to catch all that in how you can fit that into your life make it all happen by the time you've done that you can tell your room would be employers you have all these skills and it'll help you carry on with your career so what do you need to know to get a job this is just that's a bit tongue-in-cheek it's me saying this is what I did and hopefully this will be useful to you so as I say this will be up on the final slide I know you can't see these terribly well so don't worry about that this I started off with this so much the

introduction to cybersecurity did it through future learn I think to do it with certifications about 40 or 50 pounds it assumes no prior knowledge if you end up not going into security it looks good on your CV anyway because it's something everybody needs to be aware of it's through the Open University on futurelearn approved by GCHQ was a good introduction good starting place next bit I'd say you need to know how the network side of things works so that you can fit it all together so before you even buy anything look at the OSI model and you know a bit of Wikipedia and whatever and make it all fit together and then I went to have

a look at the sea science which big book thoughts you know about 40 pounds and worthwhile to see how it starts from the basics and works up now this is absolutely my favorite this is a Coursera course it's a specialization in introduction to cybersecurity specialization and it has four different courses in it I'm quite keen on it introduction to cybersecurity so it hasn't it things like the first ones in it you look through more module it talks about the cybersecurity gen generally this bits on cryptography and there's stuff on there's a module called real time cyber threat detection and mitigation something about how you secure enterprises and infrastructure it's really a very good course and very

gently present it if you're feeling nervous the guy that you know on there all the videos or starts off hi there folks I'm Adam arrow so and it's really just like our thanks s you know a feel-good thing so and then I just topped it off with a bit of HTML because again just on online course through Coursera because I was trying to guess what sort of thing might you want if I'm looking at web traffic I'm going to need to know what normal looks like before I can detect anomalies so that's the plan so how would you know you've done some studying how would you get a job so be parts of communities I got my job

through Twitter after having done some urban studying I said I'm looking for it you know an entry-level job in a sock could you know if anybody knows of anything and okay I think using cameraman ever sit Portsmouth up limited somewhere very far away from me I said oh my company's got a stop near you send me a CV and they did and hopefully then the start of October you'll get some money now because before with them on TV to a tower and here we are so tell people that you're looking and where there's a lot of people say and looking for job in a saucony awesome what what you know where are you know like Texas

and less okay so say where DC 1 Phi 1 is the least DC I would say anything you can go to whether it's that kind of thing where they have the talks or whether it's CTF so have the box things that's a really good thing to look just cause you're building a community people might say to you oh I'll mention you are you know I know something that something that might be able to speech about this build your them things there if you're on Twitter you know after if you've seen something that you like remember to tweet at the person even if they're really impressive and thank them you know even if it's kind of I am head of

everything you know lift your top six pretty much back you know and then they simply might retweet it and say you're very welcome or something like that and also matically you know you can see that the people that like that you know you cannot follow each other you building a community in the interview itself I run this past the shop manager that was very stunning here is scary doing this into my boss's boss much scary so but he let me it's clicker so I feel I'm getting some good advice so don't try to black technical knowledge in my interview I could talk about three-way handshakes and you know this is in the header for the for the syn

packet and it's not that mean at blah blah blah but I couldn't tell you what my port numbers were which I don't think I could say I think I was asked what what you find on port 443 and I was like mmm so that kind of showed you you not meant to be the full product I still got the job be ready to talk about but it can really annoy people if you drag off oh yeah I know that I'm just not telling you today so be ready to talk about recent security events so that shows your commitment in you enthusiasm and what does not manager actually said to me is if somebody comes in they're really

enthusiastic you know for an entry-level role I'm going to be hard-pressed not to just give them the job because anything that they don't already know they'll learn because they care so in show your enthusiasm you in a really good position be ready to talk about recent stuff and have researched the company so if you can look at the website but maybe also the if you look at the website but also like things like a company report or anything you can find if people look up the people who are in serving you on LinkedIn before you before you go you know have researched a bit know the job that you're applying for speak to HR when you have that conversation before

before you get the interview ask what exactly did I do is this you know be ready to go in their last questions oh and also and be friendly because they're quite often there recruiting their colleagues so if you can remember through your nerves just like that a positive thing so how do we live happily ever after now so new starters keep being who you were in the interview because it's easy to go quiet the difference between saying I'm here I'm really excited I want to learn and being in a room full of like 30 people who know a lot more than you and you know they're not necessarily being funny about it they're just getting on with

their jobs which look really cool over their shoulders and it's kind of intimidating keep asking questions and don't just kind of tell it on yourself employers when you've got your new starters if their career changes particularly they might need a bit of reassurance I got welcome letter from the summer and you're saying you know preaching brick see you exciting times here you know see you in a week and oh wow it made a big difference to me starting if you can if can welcome people like that and schedule time to check in on them so you say okay instead of I'll just catch up with you later in the week say okay so I booked an

appointment in four 12.com Friday and we can just have a run three way or up to that makes you feel a lot more calm I think as a new staff that you know when you've got something you can actually you know if something comes up there's some time you can address it people and invest in your colleagues if you can so new starters try and make connections within the firm if there's something that you know you need to ask somebody from a different team and you've seen them you had a little chat in the kitchen go okay it's specialist in the kitchen you know or whatever that's a positive thing employers for your career changes if you have a uniform it's just

polo shirts or something have it ready to go when they start when I started in the sock I think you're feeling a bit kind of Laura Ashley compared to my my colleagues in hoodies and jeans so if you can start you know that they might not know what the standard is there so give them a head start keep up the study when you've learnt all these skills to study by yourself big push and if you can keep going it increases your pain and your value in the market and employers in that case expect that they won't necessarily stay in that entry-level role for long because if they've come this far they'll keep pushing new starters big one monitor

yourself and be honest about your needs because if you're not their normal intake you might need some supports in places they're not expecting they might not just be denying you on purpose they might just blow okay yeah sure we'll help you with that and if you can do that instead of just running away and never coming back one day tell them give them a chance and again therefore employers expect the unexpected so you again same thing you might be finding things hard that you didn't know because the more diversity in your workforce the things will definitely change the feel of my work and how it goes so here's that final slide study resources in fact

if that's any use to I would say the Coursera ones the great thing about it's the one with all the hot Sun stars is you can audit the lot for free you don't you can't take the examples the qualifications if you are not subscribed the subscription is about 40 pounds a month but you could learn everything you know if you're ready to go and then just pay for one month subscription and hammer through the courses because you can watch the full lot so there we go I'll leave that up on the screen if anybody's got any questions it's time to mix imposter syndrome I'll tell you when I went into it an exciting week these

are my kind of suggestions that have you punched through it and I think for me when I first got to the sock I was I was struggling that a lot and people were telling me things I was like you know I understood what they were saying while they were saying it and then Zagon and I was just thinking honor so what I did then as soon as I got there was I studied for my Security+ and I took me in three weeks and then I passed it and when I passed it I was like okay maybe I just have to be here so I would say like certifications even it doesn't have to be the fanciest one

in the world make you feel like you're less of an impostor that's that work for me I think it's you know this is taxing with something looking it's easy and somebody said to me you get more fails on the see science than you do people do books courses and do this full CCNA because doing something harder also revises something easier so what I'd suggest is there's a repetition that was mentioned in our last course your than isotope you've got to kind of keep repeating it at regular intervals don't feel ashamed about going back over old ground give yourself you know people eat it yourself oh yeah look at me I'm revising things I'm doing it Sarah Lakewood me

you know and if you do that and you carry on with something harder even though you can't 100% remember that will help you revise the easiest attitude that's my experience it's got to fit in with your life so yeah I mean when I was in there sitting in the sock I was there all the time feeling really self-conscious because all my colleagues were there and I knew that everybody could see me even if they weren't looking particularly so I was like well I've just got to crack on with this study and I got really into just like slamming it off of hate every day and those the other thing is if you're doing a lots of studying eat lots of

protein think about it like weightlifting this is my advice you know just eating it loads of chicken in the afternoon let's put load of protein and keep it keeping it yeah that's my best advice how do you decide when you remembers anything which the the entry-level session which ones yes well I just finished my security specialization and I thought and also to be honest my husband's in nineteen not security and you know he's always been ya know so he suffer and his eyes be saying oh you're really good it'll be fine don't worry and so and he knows he does a lot of recruitment and he sounds like yeah yeah go for it so I

had that extra help to get me into the industry because otherwise I wouldn't have been able to see the pattern in the same way but he's like yeah you said you know you've got a good head on your shoulders go and apply for something alone so that's why but I've just finished the courses if you do that start playing anything else oh yeah totally I mean I think I did that and that kind of helped me understand what sort was aside from anything else because I think the last one the real-time cyberattack detection and mitigation that covers something and to do with the new actual Sox and the guys talking about having I've never I say there's telling about

how them you know they set them up in the first place so that thing but if that applied but after that I think the security plus and when you're doing it every day that helps now I'm good and excited so I'm I've got to for my target to work I've got to do the CEO is a plus by the end of the year and should be going onto crest of next year I'm hoping to become a senior analyst basically so I came in level one analyst past my security process became circuits at the level two analyst and the next thing is that I'm aiming processing it but I'm conscious that there's going to be somebody else on in the minute so I

probably ought to go so thank you [Applause]