
Hey gang, thanks for being here. My name is Ross Flynn, as you can see up here. I am with this company, Echelon Risk + Cyber; I'm a cybersecurity manager over there, and today I would love to share with you my passion for this topic. You'll see why I'm so passionate about it, but what we're going to chat about is how diverse backgrounds can mature your security program.

Unfortunately I have to tell you a bit about me. I go a little bit more into my history than I normally do, just because it brings into context why I'm so passionate about this, so I want to share a bit about myself. I put up there first that I'm a husband, because my wife is the coolest. She encourages me to do these types of talks, she encourages me to continue my knowledge in this field, and I can't do this without her support, so I always like to give her credit. I'm a hot sauce connoisseur, and by that I mean I loved hot sauce so much that I made a company; it's called Maestro Sauce Company. Talk to me about it afterwards if you love hot sauce, because I would love to talk your ear off about it. Escape room expert: it's a bold claim, but I've done enough to say that I've done 20 and I've got a 90% success rate, so it's close enough to me. And I'm a musician. I played music through college to help pay my way through college, which should go under my non-infosec history, but it's not. Credentials: some people this matters to, some people couldn't care less, but I like to throw them up there.

My non-infosec history is where things get a bit more interesting. Prior to coming into infosec I was a dorm mom, which meant that it was my responsibility to be at the house. There were 16 Chinese students and one Korean student that lived in a house together in the middle of the state. My role was to make sure they all got off the bus; I made dinner, made sure they were doing their homework, checked in on them, all of that fun stuff, and I was just responsible for making sure that they were doing what they needed to do. After that I was a truck driver. I did that, I think, on and off for about five years for moving companies, so I would put my moving numbers up against anybody here to say that I have done more moves than you, and I hate moving more than you do. We can challenge that later. 20 states in four countries; that sounds like a good July for me. After that I was a logistics coordinator for a company called Tough Mudder. Tough Mudder is a 10 mile obstacle course, a mud run, so I would go to whatever state we were going to, I'd go to the setup for the event, I would coordinate with vendors, with DJs, with the course crew, all of that stuff. So it's just event operations, really, which was cool. Had a great time, saw 37 states in just under 9 months, put 30,000 miles on my car, slept in my car way more often than I should have. And then finally, when I did get my degree, I became a family counselor. I was in the child welfare system doing what was called family preservation, so my role was to assess a family. Children, Youth and Families would get a referral, and my role was to see, can that house become a safe place for a child? I worked independently with kids, worked with their families together, worked with parents, I did couples counseling. 10 out of 10 would not recommend; 0 to 10 would not recommend being the counselor in that. If you want to do couples counseling I highly recommend it, just don't recommend being the counselor in there. But it was a lot of learning. I have leaned on my experience as a counselor many, many times throughout my infosec history, and we'll talk a bit about that.

But after that I decided I wanted a change, something that was a little less emotionally taxing, a little bit more mentally challenging, and I had no background in IT, no background in infosec. I didn't know what I was doing, and when I decided I wanted to make a change I had a friend that said, hey, you know, IT is always hiring, IT is always teaching. And I didn't really know what the difference was; I just thought of it as IT, and that's everything computer related, and I had no experience with it. He said, I can get you an interview setting up servers if you can show that you're interested. So I said, how do I show I'm interested? And he said, start studying for your A+. And I said, what's an A+? So he introduced me to CompTIA, and I started studying for my A+ while I was doing all of my counseling work. So in the evenings I would study, during the day I would do my normal job, and so I went to go take my A+ so that I could go nail this interview. Failed my A+. Wasn't thrilled about that, but it did not deter me. I went on to go to this interview and told them, I didn't get this, but I'm going to try really hard and I'm going to figure it out. And they said, that's enough, you showed the interest. So my first IT role was in setting up these servers in the Pittsburgh library system, and I was setting up servers, removing old ones, didn't know really what I was doing except just plug something in and unplug it, but I had people around me that were willing to teach me and I started learning. You'll hear a theme about this throughout my whole talk, but I think we need people that are hungry for this field and that are very interested in this field and that want to better themselves, and I tried to embody that.

So, a bit about my infosec history. I moved from there into a cloud security internship. I guess my experience on this team was enough that it impressed somebody and they were willing to take a shot on me, so I did an unpaid internship for a couple months doing cloud security. Moved from there, I got my HISP certification up there, and that was enough for PPG to take a look at me, and I started working on their IAM team. Did that for a couple, or really about a year, and then I moved into their internal audit team, where I got to see more of the GRC side, which then turned into the risk management side. And then following that, all my random different experiences turned up into me coming to Echelon.

Echelon, we are a Pittsburgh-based cybersecurity firm. We really believe in, we call it, every human has a right to privacy and security, and when that vision was shared with me I thought that was like the coolest vision, because I've grown this love for security. So we are broken up into our offensive security team, and those are our pen testers. I'm just constantly impressed with the level of knowledge those guys have; they're always learning something new, always developing and contributing to the infosec community. We have our defensive security team, and those are the guys that have hands on keyboard; they're doing the hardening, they're doing firewalls, everything that you would kind of traditionally associate with the blue team side. And then we have audits, assessments and compliance. That's my side of the house, the best side of the house, subjectively. Anything that you can imagine audit related, assessments; we do a lot in the healthcare space, we do a lot with business continuity, disaster recovery. I really enjoy what I do. Comprehensively, all of this, we do a vCISO service where we act as a CISO for an organization, or we just lay out what you want to accomplish for the year and how we can help you accomplish it.

So enough about Echelon, enough about me. I want to talk to you about why this topic matters. Why does it matter that we have these different backgrounds in the field? I think there are a few reasons. One is we have more applicants incoming than we've ever seen before; we have unprecedented numbers of applicants into the field, and there's a lot of reason, I think, for that, and we're going to talk about that. There's really great experience out there that we're not tapping into when we look at traditional means. And one thing I want to point out that I usually say before I get started: the argument that I'm going to make today, I'm not saying that people that come from a more traditional background, through a cybersecurity degree or IT degree, are any less valued. That's the farthest thing from what I want to get across. Really, what I want to share is just that we have a lot of opportunities for people that may not have that experience, but there is great experience out there. We really need, in this field, critical thinkers, we need leaders, we need problem solvers and we need lifelong learners, people that want to be doing this. We just need good people. Our current rate of growth in the field isn't sustainable for the deficit that we have. (ISC)² shows a 2.72 million person gap in the cybersecurity workforce; another study from Cybersecurity Ventures shows a three and a half million personnel deficit; and the numbers recently are showing about 45,000 graduates coming out of college with a cybersecurity degree each year, and those numbers don't add up. So we need more people that are willing and interested in this field, so I pose the idea that we should be looking in areas where we may not have before.

So let's hop into the agenda. We're going to talk about why people are switching careers, what these non-traditional backgrounds can offer, what qualities we can expect from them, and how we support our industry transplants.

First thing I want to cover here is why we are getting so many new people in the field, and I think that's a loaded question. A big portion of that, of course, is the COVID pandemic. COVID has changed everything; I don't have to tell you that. But I think for our field, in infosec, we are seeing way more remote work than we've seen in the past. I think a lot of us knew that our roles could be done remotely, and it may not be your experience that you're doing your work remotely now, but there are way more remote positions than there have ever been, and we're seeing it become more of the norm. We have this integration of work and life, where it often times now isn't a nine to five; it's a nine to nine, it might be a nine to eleven, and then you take your dog to the dog daycare center (I just learned that was a thing recently). You take your dog to the daycare center at 11, and then you have lunch at noon, and then you work from one to three, and then you get dinner ready, and then you work from five to seven. We're losing some of that work-life separation, which has good and bad to it, but we're seeing this integration now of work and life, and a lot of that is due to the remote work. So I think that's a portion: people are seeing that they can work remotely, there's some appeal to that. It's not for everybody, but a lot of people want to.

We have the Great Resignation, as it's being called. In November of last year there were four million people that quit their jobs, and that is the highest number, I think, either ever or in 50 years, I can't remember which, but it is a very high number that four million people quit their job just in November of last year. And of course those aren't all infosec people, but they're a part of it. There's a poll that I was reading about why people specifically in infosec are leaving their careers or leaving their roles, and the things that kept getting brought up were work-life balance, a lack of respect, a lack of challenge and compensation expectations. So we have, within the field, people moving; we have this idea that I can work remotely; there's the potential for more growth, so I think that's a draw. And then societal changes. We talked about the Great Resignation. Currently, the last study I read said that 27% of degree holders have a position in their field of study, which means good for those 27 percent, but those other 73 percent (I hope that math is right) are not in their field. Of course me, with my BS in crisis counseling, I fall into that. So we're having a lot of career transition. And then the rollback of requirements is another one: we're seeing less emphasis put upon degrees, more emphasis put upon, whether it be certifications, just experience, or willingness to learn.

So why this field? I think because it's the best job in the world, of course, according to Google. I actually googled this once and it says information security analyst, if you can't see that from all the way back there, is the number one best job, and I'm sure we can all have a good chuckle about that. But I think there are some very real things that draw people to this field. The accessibility of information: I'll tell you, that was what drew me, one of the big things. If I were to stay in my counseling role I would have had to go get my master's next; after I had my counseling degree I would have had to get more licensed, I'd have to go get my licensure, and then in order to get that I would have had to put in a certain amount of hours of counseling practice. I think those are all good requirements, but it's a lot, and it's a lot of money, and me in my role at the time, I was already burnt out seeing some of the worst of the worst situations with some of these kids; I couldn't bring myself to continue doing it. So when I was considering changing fields I saw the accessibility of information. I just googled, what is cybersecurity, what is hacking, and I found YouTube videos. There are so many videos out there that you can learn from: you've got the John Hammonds, the Cody Kinseys, Professor Messer. There are just so many places to learn from that are free resources, not even including the Pluralsights, things like Security Blue Team; there are just so many opportunities. The credentialing is another thing. You can get a certification in this field; some of them, I mean, there's a cost associated, but we're not dropping, you know, 40 grand or 60 grand into a master's program. There's a level of self-investment in some of these courses, it might be a couple hundred, it might be a grand, but it's definitely more attainable. I think there's also a perceived stability in this field, because we're all over the news all the time. People hear about ransomware, they hear about the latest hack, it sounds cool to people and they just want to get involved. And there's a heck of a lot of projected growth: our field has a 28% projected growth through 2026, which is great for us, but as we said, there is this deficit of qualified professionals. Another thing I think that attracts people: I heard another speaker say earlier that they were on another team, like an architecture team, or it may have even been a legal team, but infosec is so interdisciplinary that we're touching every facet of the company now. Your cybersecurity team has to work with compliance, they have to work with legal, they have to work with finance. So what I have seen through some of the conversations I've had presenting this is that people tell me they were an auditor that wasn't even IT related, but they were interested in it because they saw the IT aspect, or they were a business analyst that just worked with an application, maybe an ERP, and they talked to one of the cybersecurity people and they thought it was interesting. So we're seeing people from these different backgrounds becoming interested in our field because they worked with somebody in the field, and, as I said, it just sounds cool.

The other thing I think that is very compelling for this field is the breadth of options. This comes from Henry Jiang at Diligent, and it gets updated every couple years. I get so excited when I look at this, because I'll be like, oh man, I really know this one, BCP/DR, I know that, and I know the crisis management, and SOC 1, SOC 2. I don't know threat intelligence, I don't really know this; well, I do know that one. I don't know certain aspects of this for sure, and I get intimidated, but I get excited at the same time, because there are so many different ways that you can go in this field and it's just continuing to grow and grow. So I think that's one of the things that is absolutely bringing people to our field: how many options they have once they get in.

So of course you're going to ask, well, these people that don't have a traditional background, what can they offer? I think that's a very valid question. I think that they will offer a couple things, but the three that stick out to me are a new perspective, they're going to offer a cultural impact, and they're going to offer qualities necessary for success, which is very vague, but we're going to dive into it. From the perspective side, they're going to offer what we don't get to see as often: the end user, the business, as we call them. I'm sure many of you have had the IT versus the business argument. They're going to offer the perspective of the business. They're going to offer why these people keep clicking on these emails even though we've gone through the security awareness training so many times and they still click on it; they're going to offer some perspective into that. When we tell a business function, you cannot use that app because they have terrible third-party risk management controls, and they're insistent upon using it, they're going to offer the perspective about why they want to continue using it. Now, these are very specific examples, but I think they apply to a lot of different situations. So one of the things I really value is the level of perspective that they're going to bring. I think we have historically, and this is changing, but we've approached our problems in just the same way over and over. You know, we've used the same controls, we've used the same processes, because they haven't been challenged, and somebody coming from outside is going to have a different perspective on that. I really love the "if the only tool you have is a hammer, it's tempting to treat everything as if it were a nail," because we can't keep addressing things the same way that we've been. So they're definitely going to bring some new perspective.

I think they're going to bring cultural impact, and cultural impact, that is loaded. I frequently have conversations, when I'm in the process of hiring or talking to people that are hiring, about, well, are they going to fit the culture? And what I'm not hearing nearly as much, and I think we need to be considering, is not only are they going to fit our culture, but are they going to improve our culture? I can reference a couple positions that I've held where continual learning was not really encouraged. It wasn't discouraged by any means, but it wasn't encouraged to go get a certification, it wasn't encouraged to go to a conference like BSides and network with people and see different sides of the field. So my hope, and when I've talked to colleagues from those roles, my hope is that I improved that culture by my desire to learn. One role in particular, we didn't really have anybody telling us, go work on your Security+, go work on anything, but we decided to anyway. So we would book a conference room over lunch and we would do study sessions together, and my hope is that that is an aspect of us improving the culture while we were there, because by the end we had more well-rounded security professionals. We had people that were interested in it more than just what we had to do for work; we started to develop this hunger for it.

So we talked about the different ways to approach the problem, the opportunity. It's easy in this field to get stagnant, because it's called "always changing," and we are; it's hard to keep up. I think in a culture, especially one that has some stagnating people, if you bring in somebody that doesn't have the experience and they're already in this learning process, they're obviously here because they want to be here. They're here because they've started the learning and they want to continue it, and I think that kind of gumption (it's an old school word, I know) is going to be a spark for some of your stagnating teammates, or even yourself, if you find you've been in here for a long time and you're starting to get tired of it. The young blood, the new blood that's coming in that wants to learn, that's eager, they're going to be looking for opportunities to take classes, they're going to be looking for courses to take, they're going to be looking to you for leadership, and that kind of onus on you to be a leader, and that kind of inspiration that comes from somebody else wanting to better themselves, I think can make a crazy positive impact on a culture.

So outside of the perspective and the learning culture, I think they're going to bring some methods, they're going to bring tools and some tactics, habits both good and bad, which is of course a double-edged sword. An example for me: I had a colleague that came from a manufacturing company. I was in audit, he came to the audit team, we were talking about how to review terminated users, and he said, hey, I have this Excel macro, it's a version of a fuzzy lookup. And I was like, well, how does it work? And he showed me, and it was the perfect tool for us to be able to test terminated users. So after he left I still used that; I used that for years after that, because it was a perfect tool that wasn't developed for audit but it had a great application. So I think that's a prime example of somebody that came from manufacturing, like the production line, and they were able to teach me something.

Good habits: I tend to think that people that are coming into this field have to have a certain set of qualities, and we're going to talk about that, but I think they're going to bring in some really great habits, hopefully, and these are things to look for. Communication skills, it's a key one, right? We need to be able to communicate with people. They're going to bring in potentially some organizational habits. Some of you IT people are like the messiest people I've ever met, and disorganized, and I say "you" to try to project, because I mean it about myself. We can often be very disorganized, and I have met some people similar to me but who came from different backgrounds and helped me figure out how to organize my life. So I think they're going to bring in some good habits. I think there are some bad habits that they're going to bring in, like not locking their computer when they walk away, and things that we're going to slowly start working on, and that's fine, we're all human. But I think that a lot of people that are going to come into this field are going to be able to improve your culture; you just need to be intentional about who you're picking, right?

So how do you do that? I think you look for certain qualities, and I think these qualities in particular are going to be consistent across pretty much any person coming from a non-traditional background into this field, because you can't do that without these. So perseverance: refusing to give up on thriving in the field despite the rejection, despite the failure and the roadblocks. I told you some of my success stories; I had a lot of rejections before that. I had a lot of people that said, I don't have any experience, and they were right, I didn't, but I went on to show that, given the opportunity, I can do this. And I see this across other people. One of the gentlemen I spoke to at another conference told me that he was a professional trombone player prior to coming into the field. I thought that was the most unique one until somebody else told me he was a hard rock geologist, and some of the most ridiculous backgrounds, but they all share the same story of, I got a lot of rejection before somebody took a chance on me. So somebody coming from that background is going to have perseverance, because they wouldn't be here, they wouldn't be at this level still trying if they didn't. They're going to have discipline, because if you have no knowledge and you are learning from scratch, you have to have that discipline to figure out what you're doing. We all know that imposter syndrome is rampant in our field, so I think that goes maybe even tenfold for people that don't have a background to begin with. In order to combat that you have to have the discipline to continue studying, to study on your non-work hours, and to really try to catch up when everybody else is pretty far ahead of the curve. There's a level of self-investment; I touched on this a bit earlier. I don't think that always needs to be financial, but I think it often is. I think through some of the certifications that I've had that were not paid for, I saved up for them so that I could take the test and I could go through the course. That was my self-investment: the time I put into that, the money that I put into that. I think you need a level of self-investment, coming from this background, to really show that you're serious about it. As The Rock says, it's about drive, and yeah, I think drive is huge. That may be one of the biggest factors here: continually motivating yourself regardless of external motivators. There are a lot of days that I'm not motivated to do my job. There were a lot of days, especially coming into this, that I wasn't motivated, but I figured it out. I did it in spite of not being motivated, and when I talk to other people that have done this, they said the same. It's almost like a kinship that we have. And then of course the humility. As we said, imposter syndrome is just rampant, but we also have a tendency, I think, in our field to throw out acronyms expecting everybody to know what we mean, and throw out tools or different services and expect everyone to know what we mean, when the reality is, you know, even at this point in my career, I still ask a lot of the time, what does that mean? I think that these individuals are going to have to have humility to understand that it's okay not to know everything and it's okay to ask questions.
so the question comes to we talked a bit about making sure earlier that people are qualified what should we be asking to make sure that we're getting the right person the last thing i would want to send you away with is hey hire anybody off the street anybody can do what we do that's not what i'm trying to say there are not everybody's going to be a gem is the unfortunate truth so i think we need to ask diligently some questions and we need to be open to different answers so for example asking them what initially drew you to this field why do you want to be here you were a preschool teacher why do you
want to be on the sock and that's a friend of mine and be open to the answers try to understand their point of view and what is is it just financially motivating them is it somebody else did it and they thought it'd be easy so talk to them and understand what do they want to get out of this ask them about their experience outside of work what i love to see is when people have side projects whether it's um a couple raspberry pi's that they've connected they've built a pi cloud or you know they have a home server they bought and they've been setting up home automation whatever it is ask them about what have they been doing outside of
work since their work is not related to the field what are you doing to learn more who are you meeting with are you going to b sites are you going to meet ups ask them about why they're here um what are they doing and then ask what's your evidence of personal investment which i wouldn't worry to like that to them because they're gonna they're probably gonna laugh at you but ask them you know what have you done to show that you should be here if somebody asked me i would i would say these are the ways that i've studied these are the exact courses i've taken these are the people i've talked to and then i think some of the things that
we need to ask ourselves is what sets them apart for me uh coming from my counseling background i build trust very easily and i try to make my my clients now feel at ease with me and know that they can trust me and that even if we don't know the answer right now collectively we will figure this out because i have your best interests at heart i think somebody coming from a dis non-traditional background is going to have a couple maybe claims to fame or claims they say sets them apart so for me it's uh it's trust for other people it's attention to detail for others it's communication so while you're talking to them you know
you can post it to them but think through to yourself what sets these pers this person apart from the rest of the candidates how do they communicate the unfortunate part is that you have to communicate in this field whether it's within the team outside of your team you have to be able to communicate so something to be aware of is how are they communicating with you even in this interview or this initial meeting that you're having and then again we talked about culture before how will they affect the culture are they going to improve it are they going to detract from it or are they just going to fit in if the answer is fit it that's fine i
think that's cool i would hope to see that they improve it but you know i would much rather somebody that fits it than somebody that detracts from it but uh culture if you can find that person that's going to improve your culture i think that's going to set your team up for success uh one of the questions then comes up is how do we support and utilize these industry transplants uh one of the times that i shared this somebody made the comment that it seems like you just want to cater to the new people and you just want to throw new people into any role and that couldn't be further from the truth i think we just need to
position them well i don't think we need to change everything to accommodate them but we need to find where do we have gaps and then fill them this uh the the phalanx i think is how it's pronounced i had to google it because i thought i messed it up the phalanx formation from 300 where each person held the shield to the over themselves and the person to the left so that they were covering any gaps rather than trying to fill specific gaps with just one person let's get somebody that is holistic that has a different view and see how they can fill in some of the gaps we may not even know that we had
that said i'm not going to say grab somebody off the street and throw them in a senior role just be willing to maybe invest in somebody that doesn't have the level of experience that that you would want that you were always one i know that there are examples and times whenever you have to get a senior person i wouldn't say this is for that scenario but as you continue to hire and invest in new people these are where this comes in play but i think we should be encouraging them letting them know that it's okay that you don't know everything we're going to figure it out together play to their strengths if they are a big time talker then let them talk
figure out who they can talk to and how you position them in the right place. If they are more of the note taker and they take copious notes, put them in a role where you need somebody that has attention to detail. Let them explore a bit, because as we saw in that other picture, this field is so massive; it may not be that they're on this portion of the company or the field for their entirety. Give them opportunity to grow, and then of course be honest and constructive with feedback. This can be really hard for some people, and for others it's just second nature to say "you're bad at this, let's figure it out." It's not the case for everybody, so be honest and constructive with your feedback. Give them opportunities to fix the things that you think they should be focusing on, and help them realize that it's okay to ask these questions. We talked about the humility before; this is a perfect example of that.

I'd like to share a couple practical examples. I got a new one from last night: the gentleman Jason over at Black Hills Security (if you get a chance, you can chat with him). I went to their meetup last night, and it was nice, it was really cool, at East End Brewing, and he busted out Black, or what it's called, Backdoors & Breaches, the IR game. It's a cool game if you've never done it; it's a great example of how to walk through an IR tabletop. I thought he was a real natural at it, and when I talked to him today we were talking a bit about what I was going to be speaking about, and he said, "yeah, I used to be a comedian." I was like, "well, that's cool, what got you into this field?" And he started talking about his interests, and so I asked him, "what do you feel like has gone from your comedian days to your infosec days?" And he said the ability to maintain and hold an audience's attention and to jump into these IR tabletops. I've got to say, I was floored with just how easy it was for him to just pop into different questions, and not even knowing any of the people there, he just jumped in and asked great questions. But it totally makes sense how somebody that was a comedian, that was used to heckling and that's used to people trying to get a laugh, engaging people's reactions, is a prime candidate for running IR tabletops.

I have another friend that I met through a certification course that we had done together that was working at the prison, the sheriff's office in his county, and similar to me, he had no background in computers, anything IT related. But he started working through; he was at the deputy's office, he was a guard, and then he moved up to leading the guards, and then he moved into a program management role, and somebody said to him, "you really know your stuff about how to keep everybody... your physical security controls." And he's like, "I don't really know what a control is, but I know how to keep people in and out of their building." And they said, "well, you know, in information security there's a big need for people that can tell us how to physically secure things." And he's like, "well, I don't know anything about cyber." So he just started learning, took the same route I did: started asking questions, going to meetups like BSides or bar sides, whatever he has out there. And so he's now a consultant leading the physical security practice for a firm. That's such a stellar example. We went to take this certification course together, both of us completely sure we were going to fail because we had a couple very technical guys with us, and we were the only two that passed, because we came in with a fresh perspective. So I always look back to him: something that's totally seemingly unrelated really benefited our industry as a whole.

So what I hope you get from all of this today is that we need people that are well-rounded. We need people with a variety of skill sets. We cannot continue to throw the same tactics at the same problems and expect something different to happen. We need to continue working with people that may not have exactly what we've traditionally looked for, but they're going to improve us. They're going to improve us as a field entirely, as an organization; they're going to add to the value that your security team brings. I think that we just need to continue being open to the people that may not look like what we've traditionally seen.
So just to wrap things up: we already established there's a need for well-rounded information security professionals, candidates. I don't know how many more times I can say this. These candidates have great tool sets that we can leverage, so just be intentional about finding the right candidate. Not everybody's going to be a gem; not everybody's going to be exactly what you need. So be intentional as you're talking to people, as you're figuring out what it is you are looking for. Maybe just have a different perspective as you're talking to a new candidate.

Do you guys have any questions for me? It doesn't look like it. Oh, maybe. I heard a bit of that. I think you said: what area of security is a good one for somebody without this background to enter into? Is that basically it? So I had this conversation earlier, actually. I think a great one, and I'm sure there will be people that disagree with me, I think GRC offers a lot of opportunity and forgiveness. I'm not going to say let somebody go lead an assessment, but show them how controls are implemented and what kind of evidence we are looking for whenever we're doing a NIST assessment or a HITRUST assessment. You can show a junior person, this is what that looks like, and as you're going through it, explain to them, this is what this system means, this is what this system does. I think another one is identity and access management. If you have a team that's dedicated to that, you can bring them in, and I'm of course partial to that because that's how I started, but seeing how access is provisioned and having people alongside me that showed this is why we do it this way, there's a lot. You don't need to have prior knowledge of a system; you can learn that as you're going along. So I think IAM is a great one, parts of GRC can be a great one. I'm not going to say go throw somebody straight into your threat intelligence or threat hunting side, but those are some good areas where you can start.
Cool. If nobody else has any questions, that's me, that's my email, that's my Twitter, and if you want to chat in person I'd love a firm handshake and an introduction. Otherwise, that's been my time. Thank you so much. [Applause]