
Well, my name is K right and I'm a security engagement manager for Al cyber security, and I know a lot of you guys may not even know what that means, but for the most part I operate, um, as like a project manager for our security team. If I'm not actively doing the engagements, doing the pen testing, social engineering and so forth, I pretty much oversee and manage most of those projects, um, and kind of like what this talk is stemming from. Like, so I have a QR code if anyone wants to connect with me,
if anyone wants to never me, phone number, LinkedIn, social platforms, you name it. Welcome to scan the QR code. I know this is a cyber security conference; we don't have to be wary about any malicious codes going to your phone and stuff like that. I promise you I won't do that to you. Um, so this talk is going to be about mental health, staying sa s. Um, it stems from a conversation I had with one of my engineers. Can anyone hear me okay? Sweet. It stems from a conversation I had with one of my engineers. Um, he does a lot of forensics work, and him and my boss got into like a real intimate conversation about some of the work that they were
doing and seeing, and it kind of like, some of what they were talking about struck a nerve with me, and so I wanted to do some more research to understand: okay, what does this mean from a cyber security standpoint, and why aren't there many people talking about this in particular? And I'm going to dive deeper into this, but it's more so I want to talk about how much does a hack cost, not necessarily from a fighting management perspective but more so from a perspective of the professionals who operate in this particular field. So according to, I'm going to start by actually pretty much defining what mental health means from the World Health Organization, which I'm sure everyone in this room is familiar
with, specifically since COVID and everything has happened in the past few years. And so according to the World Health Organization, they define mental health as a state of mental well-being that enables people to cope with, right, stressful moments, to develop all their abilities, to be able to learn and work well, and to contribute to the development of their community. And when we think of that, especially from a perspective of burnout, it's not even specific to just cyber security, it's specific to multiple, across multiple industries and sectors of business. Um, they define burnout as a syndrome conceptualized as the result of chronic job stress that has not been successfully managed. Okay, so how does that translate into cyber
security? Well, let's take a look at some statistics. 59% from a global perspective, not just specifically in cyber security, say that they are challenged, their mental health has been challenged, um, where they don't feel as though they can operate in their jobs, um, effectively, right? Their health is being affected by the thing, all types of different factors, from burnout, from being overworked, maybe the job of the company they work for is understaffed. And the other half, 41%, say that they're not challenged at all will of Misfortune. So taking those statistics from the 59%, I wanted to dive into better understanding: okay, what are some of the reports and surveys that have been conducted to basically better
analyze, okay, the situation, the mental health of cyber security specifically. And so 26% say that their mental health is excellent, 21% that is very good, and 20% rank mental health as just good, 15% fair, 177% poor. I wanted to show some statistics starting off because when I go diving deeper into this later on, it'll make more sense. So what does the stress look like, stress level look like, for them? Um, roughly half St is either somewhat okay or fairly okay. Um, what does that mean from a perspective for the professionals working in this particular space? Well, it can mean a lot of different things. Um, the engineers that I particularly work
with, some of them get into the mundane and routine task of doing the same things repetitively, over and over and over. Um, if you're a penetration tester, let's say external, internal or physical Humanity, um, most people who are interested in getting into penetration, pen testers, they're lured by the idea of: hey, I have character that's this skill set where I can break into things successfully and our possession this fi said, therefore it's exciting, it's like an adrenaline rush. But oftentimes, whenever you're going on these engagements, participating in these engagements, what people don't speak of is: okay, how many times do you not successfully get in? How secure are these companies who are investing millions of
dollars into Ben Community organizations in their infrastructure to prevent those types of attacks happening? Well, if you're a pentester and you hit a brick wall after wall after wall, chances are you may even lose self-confidence in yourself to the point where it affects you mentally. So the sidence to mental health, let's look, dive deeper into: okay, what is the financial impact to organizations
right? So the average cost per data breach, just within the US alone, it costs companies in the US roughly $9.5 million per year based on data breaches, and you can see just from the bar chart since 2006 that number has increased three, um, the global average cost per data breach in the US is 4.5 million per breach. So if we're looking at it from a perspective, from a global perspective, we obviously see that the US is a huge target in terms of cyber attacks. What is the financial loss? Well, the financial loss for cyber attacks in 2022: roughly a quarter of companies say that they spent anywhere between $50,000 to $100,000 per cyber attack, and if you add another quarter to
that, then they're spending anywhere between $100,000 to half a million dollars per cyber attack. What does that mean to the professionals operating in a space who have to respond to incidents? If the US is such a huge target in this space when it comes to these cyber attacks that are happening, how does that affect the professionals mentally if they're short staffed? And I'll that in my next slide. Nonfarm payroll: so since 2013 to 2023 there's been a 350% increase in the demand for cyber security professionals in the US. Okay, in 2023 alone there were roughly 750,000 positions open that never got filled. That's about around 3.5 million jobs that don't get filled and in demand
currently for cyber security professionals. Think about it from that perspective: when we think about the US being a huge target, they pretty much more than half of the global average cost of cyber attacks that are happening, when the US is the number one target and there's also 3.5 million jobs that can't get filled, what does that mean in order to meet the demand and fulfill the role in better securing, um, these companies that need our help? Professional impost: so I want to share a story. When I was first getting, when I was to get into cyber security, I wanted to get involved into the social engineering. I didn't even know cyber security was pretty much a thing, no
career, but I was fascinated by a story Jayson E. Street is telling about breaking into the wrong bank. Um, a friend of mine, was also a mentor to me out in Oklahoma City, he was giving a presentation about social engineering, and I would ask him, say, what's some of the best advice that you give me? And he shared: fake it till you make it, act like you belong. And oftentimes a lot since if you would looked that, just by looking at the numbers that I've presented, right, it tells somewhat of a story. It tells a story about how there's so much happening, there's so many professionals being overworked, and they're being put into positions and roles where they may not even have all
the information or have all the expertise to perform their job successfully or efficiently. And whenever my mentor first told me, to share this advice with me, it didn't make sense to me at first, but now that I'm in the position that I'm in and I have some experience, it makes a lot more sense now, especially, um, taking into consideration the numbers and the statistics that I just shared. So how many in the room, by show of hands, are currently enrolled in school or students? Quite a few, okay. Have any of you actually had an internship or work? Okay, awesome. Um, let me paint a picture for you real quick. Let's say for instance your internship, what, if you
don't mind me asking, what was the internship for, what position? It was an Ami intern. What is it, what does that mean specific? Okay, got you. So imagine this, right: you just got your procedure internship, it's your first day, and let's say for instance you're showing up to the office and you're preparing yourself mentally, and you've been told, okay, you're going to operate there as a security analyst for a SOC, that's the role that you're going to fill. And let's say for instance you got your backpack on you, you're walking into the office and you start making your way to the SOC. It's like, okay, let me walk inside, see where I'm going to Res set up
what duties or tasks are going to be assigned, and let's go from there. As soon as you walk into the SOC, right, your supervisor approaches you and says: hey, we just received a call from a university, they've been attacked by ransomware, they just shared with us they received a ransomware note, we're going to send you out to respond to this incident with one of our engineers. How, how would that make you feel, considering St, right? Okay, how many, show of hands, students that raised their hands, how many of you would actually be excited? You would, you would, nice. Okay, let's take it a step further now. Let's say for instance you got say that you're in University the
same answer that you responding to, now you find out that this university they call is the university that you attend. How would that make you feel now? Probably a little more excited. A little more excited, got you. How many of, how many of you actually shook up because, hey, maybe you don't possess the skill sets yet, maybe it's your first time and so you don't even know what to expect? It could go 50/50, right? So this is what I mean whenever I said the advice that I would share by one of my mentors, fake until you make it, act like you belong, where it comes into play, because chances are in this field, because there's so many professionals in
high demand, we have to pretty much find the details, figure things out and think critically in order to assist and help organizations or teams that don't possess the same skill sets as you do. shut up in hat. So based on some of the numbers and statistics that I shared earlier, I wanted to dive into, um, some information and share about what it would look like from an engineering perspective or pentesting. Um, based on conversations I've had with several engineers, if they operate in pentesting roles, they're doing some of the same task over and over. Whether it's an external pen test, some of them are just doing web pen tests, it really just depends on what employer
or organization you're working for. Smaller companies, you'll become more exposed to a lot more variety of engagements. Um, what does the leadership look like and how does that affect, uh, an engineer's mindset and mentality? Um, if they're being overworked in their job or role is in high demand, then maybe that means that they are starting to lose self-confidence. It's just like what I was speaking about earlier, um, in terms of doing more redundant tasks over, where if you're running into brick walls and you're not actually successful at gaining, um, domain admin on an internal penetration test, or getting the keys to the kingdom every engagement like you would expect to, then chances are that could take a
little toll and cause you to lose self-confidence. And if you're overworked, maybe you don't have the time to actually continue your training, maybe the leadership doesn't organize your task in a way to where you actually effectively, um, engaged with for assignment to tax.

Digital forensics: how many of you guys are interested in digital forensics? I pray for you guys, seriously. In my honest opinion I believe that it takes a special person, and a person of special character, to be passionate about working in digital forensics, and a lot of this talk stems from the conversations I've had with forensic examiners and experts. Um, I believe that forensic experts, they serve
a purpose because for the most part the work that they do, um, it can save someone's life, and if you're operating with attorneys and on legal cases, the work that you do, whether good or bad, it justifies the livelihood of whomever is involved in the case, whether guilty or innocent. Um, my forensic expert that I work with, he has had to examine quite a few dicks in his life, per se. There's a lot of dick pictures that he has to go through. As a matter of fact, there was a call that was made where someone hired him specifically: hey, I believe my wife was cheating on me, I want you to
examine and go through all these images and see. Um, but what's interesting is this: I've never seen a forensic expert actually publicly speaking about the work that they do, and not only that, being good at their job can penalize them for the rest of their career, which is odd. So the reason I say that is this: some of the things that they see are traumatizing, when it comes to child exploitation, when it comes to murderous acts done to other people. Um, not only that, it goes as far as law enforcement who are involved with the digital evidence of these cases mishandling that evidence, and for a forensic expert to be good at that job and recognize that, if
they speak out about that, then the next case that they're involved in, prosecutors will use that information against them. How does that truly affect the forensic experts, knowing that in the back of their mind: hey, if I speak publicly and express my opinions about the work that I do, law enforcement hears about it, and maybe I get hired for the defense of someone who's actually un child exploitation, how do I eliminate my bias in this case and make sure that I effectively perform my job? Well, it just means that the data is the data, making sure that the integrity of the data stays intact. That's what the forensic expert's purpose and sole role
is involved in this. So to end this talk, I wanted to share some things sh White things in terms of how we as security professionals can actually basically keep our sanity with all the work that we're involved in, especially with the demand, and that is practicing mindfulness. Um, this past month I actually took some time for myself to actually observe and participate for the month of R. Um, at my job for instance, we intentionally make time for each other in order to participate with our families, making sure our families are involved with the things that we do. As you can see, some of the pictures where my engineers are with
their children, and we're just basically virtually meeting with each other and just having a drink together. Um, we also enjoy going to conferences and speaking and educating a lot of other people about the cool things we do. Yes, it's a cool job, but at the same time it also affects us mentally in terms of the demand and also the things that we're seeing. Thank
you.

I want to share, um, a comment on that slide you made about fining it. I work in higher education, okay, and, um, you mentioned earlier that there have been a lot of jobs that arrive in cyber security, and you're 100% right. I do travel a lot, I don't give ATL Dall Chicago, when I meet with others in higher education we're all trying to say: do you know someone in your area who can teach for us? We just can't find enough people, um, to teach in cyber security programs. Now I know you in private we not actually leave you a big $20,000 job, but we need you to come in and bring your expertise to help prepare the next
generation. We do not have enough people working or I'm from Oklahoma City And We R across uh not for for take the Air Force Base, and so we do get some people from there also, um, there who try to, you know, teach with us, but there's a lot of colleges and universities and we are so, if you know people, please, uh, go to LinkedIn and, um, tell them to apply because we are trying to we're big you come in my talk, but does anyone have any questions by chance?

To piggyback off of that comment, okay, you know, there's always this conversation about, well, there's not enough cyber security and all these open
jobs. It's like, well, I'm definitely a firm believer that there's definitely enough, but it's getting R past HR filtering go, right, that says, well, you're not talent unless you fit this specific. Like myself for example, I think security but it's an immense amount of effort. I probably got rejected from 200 plus applications in my first year my job, and I've heard nothing since then of talk of, well, we just can't find enough people, and it's like, well, we can, but you have to start with the made.

I agree. Um, something that I find interesting is I've only been in cyber security for roughly two years, right, and I started in an internship position with the company that I worked for. Something
that I was intentionally adamant about was attending events like this and networking with people doing the jobs and performing the roles that I wanted to do, which is how I came across, was actually doing social engineering. And so if it wasn't for that, I don't think I would have met many people in this industry or learned about any job opportunities. It's like, LinkedIn is a tool. Some people may see it as a social media platform, different than Facebook, I and so forth, but, um, I use it as a tool because you can find those opportunities in specific regions, specific areas, and also do your own due diligence to study what skill
sets people are looking for. Um, most of the job applications or job offerings, they list all the skill sets, certifications that you need in order to fill that role. If you just study that and go through and just say, hey, what is this about, ask the question, what is this about, and learn those skill sets, chances are next time you apply for those jobs you'll be you'll get it to list.

Can I make just a point from this conversation? I don't have anything we need to add. Sure.

Um, if you want a job, just reach out to people on LinkedIn. I've had people message me, be like: hey, I see a position in your
department open. I don't know this person. They're like: I'm in college, would you be willing to refer me? And once you get that referral, you're not going through that HR scanning system looking for specific keywords, right, you're going directly to possibly an HR phone call if the position lines up with your experience. So that's like my recommendation for Ouran University right now.

Same thing: I've been a hiring manager for 15 years and almost everybody I hire is a recommendation in network, so this kind of stuff really makes a difference.

Yeah, I've been in security for over 10 years, um, and there's two big camps. She mentioned one of them, where you have to apply for 200 plus
positions, did it, and, uh, the other camp is like, the problem that I see is a lot of these companies, um, they just say you need the certificates, you need five years experience, um, you need some networking background, you know. But I didn't take that approach when I, I just hired somebody six months ago, right. Um, he in information security you want to build them up, you want to bring them in, um, when they don't they have a passion and not necessarily five certs, they might have one or two certs and some, and that's something that's difficult to gauge, especially if you're only looking at res we that
passion.

what you can do for some of them get ass you may testify with us keyw top your think like that time, uh, it you you hit, and it'll help with the system, right, and if you want to be extra Le, use AI CH, ask it to give you the top five skills that used to be a recruit.

and what she just say, um, we didn't use AI, I mean we SC them ourselves, but you're correct, there's a box that would be checked as far as Sears, and that's just mainly to gauge someone's, um, ability, like can they get to where we need to be. In the interview, that's when we draw the actual
skill wom situation
filter mention, you know, the starting point, you, that you started with the internship. I think, you know, finding an internship is also very hard because, um, I am in cyber security and, uh, it's because of my passion. I was an MBA student and then I am entering into the IT field, but still, you know, I think it's very hard for me to find an internship because I don't have any experience in that field. So what should I do in that situation, you know, when you don't have experience but you have a

to actually reach out to the companies that do some of the work that you're interested in, can just ask to shout out for B, that goes a long
way. Oh, sorry, I out of