BsidesLV 2025 - Hire Ground - Monday
Show transcript [en]
[Music] Down. [Music] Heat. Heat.
[Music] Hey hey hey. Heat. [Music]
Heat.
[Music] Heat. Heat. [Music] Heat. Heat.
Heat. Heat. Heat. [Music] Heat. Heat. N.
[Music] Heat. Heat. [Music] Heat. [Music] Hey Heat. Heat. Heat. [Music]
[Music]
[Music] Oo. [Music] Oo. Hey, [Music] hey hey. Heat. Heat. [Music] Wow. [Music] Heat. Heat. [Music] Heat.
Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. N.
[Music] Heat. Heat.
Heat. Heat.
[Music]
Heat. Heat. [Music] Heat. Heat.
Heat. Heat. N. [Music] Yeah, [Music]
[Music]
[Music] down. [Music] Hey hey hey hey hey hey hey hey hey hey hey hey. [Music] Yeah, [Music] down. [Music] Down
down down.
[Music]
Heat. Heat.
[Music] [Music] D. [Music] Here [Music] you [Music]
[Music] Hey.
Heat. Heat.
[Music] Heat. Heat.
Heat. [Music]
Heat. Heat. [Music] Heat. [Music]
You can leave it open on the stream or something like that. I'm good to go.
Is there is there
>> Hello everyone welcome to higher ground and our very first speaker Nicholas Carol is here to talk to you about from help desk to CISO. Let's give him a round of applause and get started. [Applause] Good morning and thank you for joining me. You guys are the early riser crew, huh? Because we got the nice morning talks going. So, uh, yeah, I'm Nicholas Carroll. Uh, I've done a little bit of everything in my career over the past 15, 20 years, and that includes going from help desk to CESO. And so, today I'm here to talk a little bit about my journey and the kinds of skills that I built along the way and how they helped
me get to that kind of role if that's of interest to you all. Uh, but as I get started here, I want to see real quick. We got a show of hands. Who here is in some sort of like IT support or help desk kind of capacity? One, two, three. See a few hands there for All right. Some hands on this side. Good. Who here is in security leadership already? Anybody at that level? Why are you here then? H, you know, you've you've completed today's homework. You can go home now. So, but uh, no, thank you. I when we get to questions and things at the end, you know, everybody's journeys are different in the way we do things.
If you've got feedback or things you want to share, please, you know, yell it out and share. I'd love to hear other perspectives on things and how they can help because everybody sharing can get people where they want to go, right? Because that's a nice thing to do. And uh final show of hands, there's been a lot of stuff in the news recently with layoffs and things happening and a lot of the layoffs and stuff that we've been hearing about places like CrowdStrike and Microsoft and things that you know they're saying like AI is making us more efficient and that's why we don't need these people anymore. Is anyone in here concerned around AI and the continuation of your
current jobs or getting jobs and how that kind of is going to impact things? We got some hands coming up so far. That's that's a good third or so of the room for hands there. So, I I I'll start with kind of the elephant in the room here, right? Like you all are you're you're in good company on that. You know, uh Pew Research has done a poll recently. And in their poll, they found about 32% of people were believing that AI would lead to fewer jobs. Right? And that is something that we may see bear out, but I I don't know if that's necessarily going to be the case on things. But also generally about half of respondents were
worried about the impact of AI in general and what it could mean for the industries and for their jobs and not just in tech and cyber, but in all kinds of jobs, right? There's there's AI for law now. There's AI for retail. There's AI for your lawn mower. Everything's got AI. It's kind of the way it's going. But I think that we're going to wind up seeing overall a bit of a a back swing and a boon in a lot of this stuff, right? One of the things that we always have to remember is that AI isn't magic. It's still servers and cables and data centers and all the stuff, the tech that we have to protect. And so there will be
jobs specific to these things that will be made out of that. But then there are places that are still hiring, right? Maybe not necessarily in the traditional space we think of when we think of tech with like Microsoft and Apple and all of the big exciting names, but there's tons of jobs still out there. Uh, so my company, I think, is a good example of this. I work for a company called Nightwing. We are technically in the defense space, right? So we support, you know, all kinds of federal contracts and commercial clients that are really interested in strong offensive and defensive cyber stuff. And we're investing heavily in AI and automation right now because we have to, right? Our
adversaries are doing it and we have to be able to answer that call. But my company is about two billion a year in revenue, a couple thousand employees across 36 locations I think across the country, right? Plus remote stuff. And we have literally hundreds of jobs on our job site right now. Even though we are investing in AI and automation, we're still trying to hire because we still need people to help make our AI and automation better and to help us staff into a lot of these roles in tech and cyber and tech and cyber adjacent stuff. And it's not just my company as a really good example here, right? The reality is is that there are tech jobs
in everything now. You know, a lot of people get kind of into the mindset of, well, tech is the big tech players and things like that, but realistically, tech is everywhere. Your local bank has an uncontrollable tech stack. Your local school system has an uncontrollable tech stack. Your local hospital has an uncontrollable tech stack. They are getting into this stuff. They're pushing forward on things and they are drowning because of it. Right now, uh, my team does a lot of cyber threat intelligence stuff. One of the biggest things we track is who is getting hit by ransomware. Manufacturing is the top impacted industry so far this year in ransomware attacks. Manufacturing, then IT, then construction finance healthcare
retail, government. All of these organizations are getting eaten alive from a cyber defense perspective and they know it. We're starting to see large investments into tool all kinds of positions and tools and things from health care clients from finance clients from government clients. And so the kinds of jobs that we're doing probably aren't going to be for like Crowd Strike and things like that. Realistically, it's taking Crowd Strike and stuff that's out there and making it work for these other industries, right? So there's a lot of jobs out there. We just have to dig a little bit harder sometimes. Now, the Bureau of Labor Statistics actually tracks and predicts like what are going to be the fastest growing jobs and
stuff. And they don't necessarily have like the cleanest titles for things. They have this tendency to put things into like giant buckets. Uh but if you look at the projected tenure growth and the median salaries for positions, the kinds of stuff that people in this room are probably interested in doing like data scientists, information security analysts, computer information systems researchers are still predicted to be some of the largest growing jobs because you still have to partner with AI and work with it to make it better and get it going good. And speaking of fast growing jobs, the Bureau of Labor Statistics doesn't really have a clean CISO category per se or information security manager position, but they do lump that under
computer and information systems managers. So your ISM, your CISO, all of those kinds of security management roles wind up in this bucket. And right now they're still predicting about 17% growth. Hundreds of thousands of jobs in this category over the next 10 years because somebody has to manage this stuff across all of the industries. Cyber security exists everywhere and it's part of our lives and everything we do. So if you want one of these kinds of jobs, there's a good chance that you will be able to get one. There will be jobs for you to do and go get. One of the nice things too is the Bureau of Labor Statistics includes a little tab
on their site that says how to become one of these. So if you're interested in becoming a computer and information systems manager, you can click on that tab and find not a whole lot of information. It basically boils down to get a bachelor's degree and then shrug your shoulders, right? Like there's not a clear path here. Uh and that's a little bit of a challenge for us then because it's like well how do we define your journey and your path to becoming an information security leader right like how do you get there just get experience and get a bachelor's that's it's not that easy right uh if you're familiar with NIST they have their nice framework for cataloging all
kinds of cyber security roles and jobs and putting them into neat little buckets and helping you define key areas that you'll have to understand in these different capacities and that's great too to look that and be like, "Oh, okay. What kinds of domains do I have to understand? What kinds of techniques and technologies am I going to have to understand?" But again, it doesn't really lay out like a path for you. It just kind of says like, "Well, here's some stuff, right? Get learning." There is a site run by a nonprofit called Cyersseek. Cyerssek.org does give you a little bit more of an idea of a path. For them, the CISO role would fall under the cyber security manager bucket,
right? Which they predict will grow and yada yada and all the good stuff. And they gave you some stuff that you can go here. But one of the nice things is you can actually dig through and get an idea of like, hey, what kind of certifications will actually help me achieve this role or what kind of roles and skills will I have to have for this role? Right? You can kind of pull these things together and you can actually navigate from feeder roles like IT support or networking or dev and into these parts of cyber, right? So from there, you know, IT support to cyber security specialist to cyber security analyst or consultant to manager. It is
this nice little linear progression of things that goes along the lines that you can follow to help get an idea of what your career trajectory might be. But, you know, it's one of the things that I find a little frustrating with the tool is that if you select the mid-level or the advanced level for a lot of this stuff or like manager and things, you'll notice that it highlights a couple of feeder roles that they recommend like networking or software dev, but it leaves out IT support. And realistically, IT support is a perfectly valid feeder role to go to CISO or anything else. Any of these feeder rolls, anything over here from the side is a great way to break into cyber or
break into tech and get your feet wet and get going. So you can actually start moving left to right and up the chain on whatever you want to do. And I would also let you know and highlight the fact that you know there are more than just manager titles at the end of your career progression. Becoming a CISO isn't necessarily everything and it may not necessarily be the thing that you actually want to do in the end. It's an exciting title and it's cool, but engineer, architect, all these other pathways are really perfectly valid and for a lot of people may be a lot more fun. So, think about that as you're kind of going through things and figuring out
where you want to go, whether management is actually the thing you want over doing something more technical. The other thing that I don't like necessarily about these tools is I think they're great for giving you a general idea and a mapping, but they're very linear, right? It's it's very left to right and those kinds they're kind of the way things go and it's good as a guide, but realistically most people's career pathways don't go so straightforward. You know, you've got ups and downs and lefts and rights and you'll bounce back and forth between different roles and things. It winds up looking like a family circus comic by the time you're done with it, right? It
goes all over the place. And being a CISO isn't necessarily the end of it, right? I held that title for a while and that's not my title currently. You know, you will move back and forth and up and down as you go and that's perfectly valid. There's nothing wrong with that. There's nothing wrong with deciding that you don't necessarily like something or something may be better for you. It's about finding what you enjoy and doing it so that you don't necessarily wind up in a situation where you run into burnout. So, I'm Nicholas Carroll. Uh as I mentioned on the first title slide, I have done a little bit of everything from help desk to CISO. Uh and before I
was help desk, I was not even in tech for a while, right? I've done all kinds of different things over the years. I work for a company called Nightwing, and I put our careers link up there earlier. And when I share the PDF of this on LinkedIn later, you can go look at that or you can Google Nightwing jobs. Uh and hopefully you don't get the DC comic carrier trying to like look at your resume, you actually get our jobs website if you want to look at some stuff there. But we support Fortune 500s and government stuff and things like that. and we're hiring currently. Uh but also there are plenty of companies here at this conference who are looking for
talent and hiring as well. So make sure you connect with them. You know there will be intuitits here. Adobe has a booth out there in the back. Every year I'm here. Adobe Adobe is out there looking for people and hiring and recruiting and it's great. Like it's a good place to be to connect with people and share and learn more. So how did I go from help desk to Cecil? Let me share a little bit of my actual journey and what I did, right? So, I was young and I got my AA degree, right? And I was in college and I was like, well, I want to do uh political science and foreign affairs. So, that's
what I was doing at Florida State University. Uh, and I started working at FSU in a couple research positions and OPS, like part-time jobs and things. That's where I finally started working. Uh, and eventually I decided that no, I kind of hate this. Uh, I burned out on my bachelor's degree and I bombed out of FSU for a while. And so I wound up with just an AA, which confused recruiters for the longest time of how do you have an AA from FSU. Like I didn't even know they did that, but it's like no, I I uh didn't finish, right? I got to year three and was like this isn't for me. So I left school and I got a job at Home
Depot and I pushed shopping carts for like half a year. And eventually from pushing shopping carts, I got to know some of the interior parts of the store better on electrical and plumbing and things. And I got promoted to actually working in those areas. And in those areas, I learned a little bit about being hands-on and tinkering with things. But I had a manager who was old school, the customer is always right kind of customer service. And so I learned customer service skills at Home Depot. We had to make sure everything was right and we were taking care of our customers and we were doing things well. Customer service is one of those skills you will need to build on your way to
becoming a security leader and manager because everyone inside and outside of your company is a customer. So, you will want to grow that at some point. After I worked at Home Depot and I learned customer service and things, I actually got a job at U-Haul and I took my customer service skills there and they were like, "Well, we want you to be a mechanic." But we want you to be a mechanic on our trucks and trailers, but also somebody who will service people's towing systems on their trucks and things that they bring to us. So, we want your customer service skills, and they're going to teach you how to troubleshoot and diagnose things. So, at
Home Depot, I learned customer service. And at U-Haul, I learned troubleshooting. So, customer service plus troubleshooting equals help desk because that's literally what that job is. And in fact, I got my first help desk job at the college I bombed out of at Florida State University. I actually wound up working there at that time. I got my job on help desk and that exposed me to networking because there was an enterprise networking team and we were constantly going around and it was always an, you know, an argument of is it the network or is it the computer? And so I learned how to do wire sharkark and all the things so we could prove who
was wrong and who was right. And eventually that got me into networking and I got my net plus and my CCNA and I got moved into a networking role with a state agency for a while and I did that there and then I went to work for a small company that had its own small data center doing networking for them and there I got into firewalls and things and it's like this is neat. I like this kind of stuff but I didn't really understand what those alerts meant. Why are we getting told that we've got 10 quadillion packets a day coming from China trying to do some sort of brute force attack thing? What does
this mean? What do we do? So I went from networking, I got my C, I got my SEC plus and I started getting more into security and I went to security administration, doing EDR work, doing firewall work, doing, you know, the actual security administration side of things and learning how that works and how to apply defenses to different systems. Once I learned how to apply the senses to different systems, I got into my first security management job. And it was literally a small company that needed somebody who understood like, hey, how do you apply this stuff for HIPPA? And I was like, well, I got my healthcare IT technician certification. So, I have some understanding of HIPPA and I have some
understanding of security automation and security pieces. They're like, that's great. We're going to give you a job in this. I didn't last very long there. Uh, that was not a great place to be, but I learned a bunch about management and actually what management means and how to do people management interactions in the short time that I was there. Uh, and that served me pretty well, but I was like, I kind of I kind of don't like this environment. And so I bounced out of there and I wound up in auditing. Uh, and I actually wound up doing auditing for the state of Florida in election cyber operations. So I was part of a team that actually was traveling the
states looking at elections infrastructure and trying to figure out what's good and what's bad and how do we make things actually look good and work the way we want them to. And from that position, I started doing that, looking at like local government stuff and things like that. And I then I was like I turned my eyes to the state government stuff and I was like, "Hey, by the way, if you guys want to match what we were doing there, we should do this and this and this." And so I was communicating and managing up a little bit to some elected officials and they liked the fact that I was willing to speak truth to power and bring them that
information and I was presenting it to them in ways they could understand because I was not using technical jargon all the time. And they were like, "That's great. We want you to be our security leader." Uh, and so I got promoted to being the CISO for the Florida Department of State doing the election cyber operations and I did a lot of the election cyber architecture for the state of Florida for a while. Uh, and this is fun and I did these things and eventually they were like, "Oh, we like what you're doing here. Could you do it for the rest of tech?" And I was like, "Okay, I guess." And so I wound up becoming essentially the
chief technology officer over about 50 employees doing dev, network, help desk, security for the state, everything. And at this point, the job stopped being so hands-on and fun. And it started being a lot of PowerPoint and budgets and arguing and crisis communication. And it's one of those things where it's like, wow, these are the skills you have to have as a CISO. I'm really tired of getting calls from the FBI at 700 p.m. at night. I think I want a break. And so a buddy of mine actually, you know, told me like, "Oh, we've got an opening and stuff like that." I was like, "That sounds interesting." So, at this point in the chain, I I actually went back and got my
bachelor's degree in cyber security. Uh, it only took me almost 20 years from the time that I originally bombed out to really do it. And then I moved into a more technical management role where I'm at now at Nightwing where I do I I lead a team of very self-driven people who are doing a lot of cyber threat intelligence and incident response work and helping to assist soft workflows. And now we're starting to get into doing a lot of AI and cyber defense projects. So, we're doing, you know, a lot of automation workflows and things that we're putting together. And we're working on training agents for things that we can incorporate into the sock to
lighten the burden of the rest of the stuff that we're doing. And that's what I'm doing now. And it's really interesting. I like it. I get to build stuff. It's more technical and it's fun. That doesn't mean I probably won't go back to a CISO style role in the future. I probably will. It just means that right now what I am like doing and what I am doing is a little bit more hands-on technical management with a team of self-driven professionals where I have to focus less on the budget or on you know employee relations and things like that. The kinds of things you'll have to do as a CISO but aren't necessarily always that exciting, right? So
technical skills aren't everything. Like I said, customer service, project management, leadership. Those are all the kinds of things you'll need there. In the how to become one on the Bureau of Labor Statistics, they kind of hint at this. They mention leadership skills and communication skills, but literally it's like a bullet point. They don't really give you a whole lot of guidance on how do I get those or what do I do? It's just kind of like, yeah, you'll need this. Figure it out. And the same thing on Cyber Seek, right? It's just a bullet point. Do you need project management and risk management? Again, not tons of information on how or why or where do we go to get those things. they
just kind of are. So, I'm going to tell you right now, if you want those kinds of things and you want to build those skills, you need an MBA. Everyone in here who wants to be a security leader needs an MBA and not the degree, right? Don't worry about that part. I'm not actually talking about that. What you need to do is master, build, and articulate. Right? The actual skills you will have to have aren't necessarily going to come from a degree. Degrees are great and you should get one if you want one, but it's not the end all be all. You know, they're not going to teach you the specifics of how to handle crisis communications for
cyber security in a degree program. You're going to have to learn some of that on the line in the line of fire doing it, right? But you will need to be able to go in and talk about things and really be a master a master of technical skills and domains. You're going to have to understand a lot of IT and technology and how it interrelates and how it works and what all those pieces are. And you're going to be able to master business and finance because you're going to have to be able to take those technical skills and translate them to people who don't understand them, right? They understand risk and dollars. And so you have to be able to speak risk and
dollars. You're going to have to build your network and your connections. Realistically, a lot of these jobs, especially at the top, aren't posted to job boards. They come from recruiters who find you on LinkedIn. They come from connections you make at conferences and things. Building trust and connecting people will get you a long way when you're trying to move into those highle positions, but not just outside of your own company, right? You need to build opportunities to practice leadership inside of where you're at right now because leadership is a skill and it takes time to develop. You have to work on it and you have to do that in ways that don't necessarily always happen at
the lower levels in IT and tech stuff. You don't get a lot of leadership things. You have to make it and articulate. Your ability to communicate and storytell is what's going to land you a lot of your higher level jobs in management and help you do these things. Right? I became a CISO because my secret weapon was PowerPoint. That's how it goes. And then eventually you're gonna have to get into being able to do things like crisis communications and proper executive presentations, right? Really, you're you're mastering business acumen. You're mastering all parts of the business, not necessarily from a degree, but from the kinds of skills you build along your journey. In my journey, I learned customer service
at Home Depot. I learned troubleshooting at U-Haul. I learned technical skills at each step of the way that I got a new certification or I leveled up a job. And when I combined all those things together, it eventually wound up putting me into a leadership role, right? Where I could be working with more of the overall business. So, a couple more specifics things then, right? So, mastering technical skills and certifications, you're going to have to understand a lot of tech stuff and you're going to have to be able to show that you can understand a lot of tech stuff. I know degrees and certifications can sometimes be a hot button issue or a little controversial, but they do have
their place, especially in your journey on these things. See, because here's here's one of the things that happens. I, as a security leader, write a job description and I hand that job description to a recruiter or an HR specialist who has no background in tech or cyber and no idea what any of these things mean. and they are the ones who do a lot of the initial screenings and they post the jobs and are looking through stuff. And so what happens then is they don't want to bring you people all the time to their security leaders that may not necessarily understand things or have some way to validate that you do know that thing, right? And
that's really what some of the value comes from from certifications. One of it is literally you learn stuff which is really good to do and you should always be doing that. But the other part of it is you get that credential that helps you pass those initial gatekeeping points for HR and recruiters because now they're more comfortable making the recommendation for you because you have a CISP or a SISM or whatever else, right? You have something that backs your knowledge in that domain. So that's where that value comes from is that it kind of serves as a checkpoint that non-technical recruiting staff can use to help feed you into more exciting technical roles. You're going to have to master a lot of
stuff in GRC too. Governance, risk and compliance, especially your frameworks, your NIST, your ISO, your COBIT, all that stuff because you're going to have to be able to manage the governance of your organization, right? You're going to have to actually be able to apply best practices and things. You know, for us, when we were doing it in elections, we did the CIS framework for critical controls. So, it's like I can map this to NIST or HIPPA or whatever you want, but it's an easy breakdown checklist that I can go through with everybody. You can take that same concept and idea and put that to any job you're doing right now. You can start dabbling in
governance a little bit. Take that kind of stuff to your boss now and be like, "Hey, by the way, have you seen this best practice thing or even you've seen this compliance thing?" Show them that you're interested in that kind of stuff if you want to grow that way. But I will tell you that when it comes down to it, experience does beat all. Securifications, degrees, and things will help you get your foot in the door. time spent doing these roles and your ability to communicate that you have done the role is going to be what helps you open and get the next job, right? And get you that next piece up. Being able to show that yes, I I was new to
cyber. I got my degree and I got a junior stock analyst role or I got a help desk role. I got a thing. You know, you have time in seat that makes you valuable and proves that you you're doing things that's going to go a long way. Business and finance, I hope you like Excel. because it's going to become a large part of your job. You're going to know pivot tables like nobody's business by the time you're done with this stuff, right? The CRM systems, the stuff the business uses, you're going to have to get familiar with that. You understand how to manage a budget because what's going to happen as a security leader is
the board is going to come to you and say, "Hey, you've got half a million dollars this year for salary and you've got a quarter million dollars this year for security licensing and tool sets." And it's going to be your responsibility to make it all work. And so you have to be able to track and show what you're doing and why. But then you actually have to be able to take this information and turn it into something that they can consume. Metrics matter. Things like meanantime to tech, mean time to respond. They may not necessarily sound exciting for things, but when the board comes to you at the end of the year and says, "How did you spend our money and
why should we continue to invest in you?" Being able to back that up with proper numbers on, hey, look, that firewall we bought, it blocked half a million things right here. It blocked half a million things right there. This analyst that we invested in training for, look at this incident response thing that they were able to do. They stopped the ransomware incident. So instead of paying $10 million to recover, we paid for one person's salary and we were golden, right? You have to be able to translate all of the stuff that you're doing into dollars and cents that they understand and then show it to them through metrics in easy to read and easy to understand bites so you can
speak their language. Build your network, right? You will have to build a network of people that you're working with on stuff. LinkedIn isn't just for shameless self-promotion. You can use it to actually find your local groups to connect with the people that you actually need to be working with in your area to get the next leg up on what you want to do, right? Find your local connections. Find your your chapter of like the cyber breakfast club or your Isaka chapter or IC2 chapter or whatever, right? Find those groups, connect with them, go to their meetings, meet with them. Actually start getting face-to-face interaction with people. When you want to be a leader, you have
to be likable. People will have to want to work with you and people want to work with people they know and trust. And so if they know your face and they've shaken your hand, they are more likely to want to hire you or promote you into doing something right. So do that around your area. Do that around wherever you're going for things. Build that network out, but build your internal connections as well. Start to build trust across teams. Make sure that other parts of the business kind of know your name, right? volunteer for cross functional projects or volunteer to go and sit with another team for a while and learn how they're doing things so
they know that you care and that you're interested and you can help translate things to their needs and you understand their pain points. And honestly, try to find a mentor in a lot of this stuff too, right? Like I did proving ground a couple years ago and they partnered me up with a mentor to help me prepare my talk on things and that helped a lot. Finding a mentor really works. It helps you kind of build a connection and grow, but it helps you understand different ways the paths work. My journey is mine. That other CISO's journey will be different. And the journey you might have to take to reach CISO in another organization is going to be completely
yours. And so getting outside perspective from multiple mentors and experiences can help you shape what you need to do to get where you want to go. And especially if you're on a lower level, build opportunities for leadership, right? When you're on help desk, they don't usually come to you and say, "Here's a half million dollar project. I need you to manage the whole thing." Right? Like that's not going to happen. You're going to have to find and make those opportunities for yourself to show that you can be a leader. So volunteer for smaller stuff, right? New APs come in, volunteer to lead deploying those. they got new desktops in, volunteer to lead actually imaging them,
right? All of those little things that you're doing, you're starting to build the leadership skills that you need to grow into a larger management or leadership style position. Leadership is a skill. You have to practice it. And it's built on a bunch of other skills like customer service, emotional intelligence, project management, flexibility, all kinds of stuff, right? It's the kind of stuff that you will learn and grow through practice in your day-to-day operations. If you're volunteering to actually take on stuff and kind of guide things, you don't have to be bossy. You don't get in there and be like, "This is the right way and we're doing it this way, right? You just volunteer to be like, "Hey boss, instead
of you having to have that mental load of putting out these desktops, I'll put it in a spreadsheet and help track it for you, right?" Like, show that you're interested in doing that kind of leadership and getting started on it and show that you want to do those kinds of things. But also be willing to embrace accidental leadership. There are going to be times where you're kind of standing on the deck of the ship and no one is at the wheel and while the ship is still going in a direction, it's starting to list in the wrong way and nobody wants to grab the wheel that's spinning because they're afraid they'll get hurt. Don't be afraid to just stick
your hand out and grab the wheel and help give some direction back to things, right? Don't be afraid to volunteer your opinion or your input on stuff. And again, you don't have to do this in a way that is pushy or mean. You can just raise your hand and say, "Hey, I've got an idea. You know, why don't we try this? Why don't we do that?" Volunteer some ideas. Volunteer some information out there and start showing that you want to guide things. Embrace those opportunities where there is no leader there and you can kind of step up and go, "Okay, I think maybe we should try X." Doing that kind of stuff will get you
recognition internally and it will help you build the types of stories you need to be able to tell when you're in an interview because when you're in an interview for a leadership position, they're going to ask you things like, "Tell me about a time you, you know, saved a project or whatever." And you need to be able to speak to that from experience. And those are the times that you can actually get that experience. Articulation. I I'm telling you right now, storytelling is the biggest thing in business, right? Your ability to actually craft a narrative and help people understand and be interested in something. You're going to be a storyteller in these types of roles.
You're going to be talking to people that have no background in security and no understanding of this stuff. And you have to take this super thing that they think is dry and boring, and you have to get them amped about it. You have to get them excited to give you a million dollars for a firewall. that takes a really good story. So, you have to be able to talk about things in ways they understand and things they want to hear and talk about and see, right? Um, there's a book and I've had some books on the slides that you've seen and I'll be sharing the slides out later, but there's a book called Made to
Stick by Chip Heath which is all about communicating things that can be a little bit difficult or things that people don't necessarily want to understand. I highly recommend giving it a read. It's actually not that hard of a read overall. was pretty quick, but it can help you kind of wrap your head around like how do I can start communicating some of these weird things or these extraneous things that people don't want to listen to, right? How do I get people to remember that security is important? You want to make sure you're communicating that stuff out and practice storytelling. You know, get up and speak at a conference. Like I said, I did Proving Ground a couple years ago. It was great.
They gave me a mentor, someone who had done Black Hat and Defcon before, and they taught me a little bit better about how I would make my slides better. and they taught me a little bit better about how to speak better and how to get in front of people, right? Don't be afraid to get up there and talk about stuff. Even if you don't think you have something to share, you really do. You have some different perspective or you've done something differently or you've learned something that you can be sharing. And by practicing sharing that, you're building your public speaking skills that you're going to need to be able to get up in front of a boardroom
and tell your story, right? Same thing with uh there's an organization called Toast Masters, right? And you probably have a local chapter. All they do is help people get better at public speaking. You actually write little scripts and things and you go out and you practice and critique and you get better at getting in front of people and being comfortable on stage and doing that because it is a very critical skill in communication to be able to stand up in front of a boardroom or stand up in front of a conference or stand up anywhere and speak your voice. That is something you're going to have to do a lot and you want to be comfortable with
it. And there's a book by uh Jeffrey Brown called the security leaders communication playbook. Another really good read too for helping to translate security things to other aspects of the business, right? Because they don't speak security, but you have to make them understand it if you want to defend them. They look at security as a cost center, something they don't want to spend money on. And you have to convince them that it is actually something that's going to either save them money or generate money through your defensive actions. If they understand that and you convince them of that, then they will open the coffers and fund your programs. And you got to be ready for the stuff
you don't want to do necessarily, crisis communications, executive common communications. Don't make boring slides. Don't give people a wall of text. There's uh if you ever work with someone who apparently came from a military background, there's a concept known as death by PowerPoint where it's like here's our PowerPoint slide and it's just like 17 bullets in tiny tiny font. It's like, wow, you tried to put it all there and it's going to take me three days to read this thing and I've got 30 seconds to read the slide from across a boardroom. It doesn't work. Right? Visualizing data, putting stuff into charts and graphs, making it things that people can see and understand, giving them reference points goes a long
way. And break your slide up a little bit too, right? Give some visual balance to things. When people see charts and things, they kind of start to understand a little bit or at least they can understand, you know, what is up and down and what's good and bad a little bit better. or even if they don't fully understand all the security concepts, you want to make sure they can visualize that data. I have a little bit of an unfair advantage in some of this. My wife has a BFA in graphic design and a masters in communications. Uh, and while she doesn't make my slides or anything like that, she talks about that stuff non-stop. And so I've had to like hear
about panone colors and all these things that it's like, oh boy, it just kind of starts rubbing off. You can just go out and find some really nice templates online for PowerPoint that will start giving you ideas of what makes a good visualization or how should I be visualizing this thing or how should I be showing it in a slide or how should I be breaking up my slides. You don't have to be married to someone uh who will not stop talking about art all the time, right? Like you can go out and just find some examples and start leading from there. And make sure when you put stuff down, you are translating it to risk and
dollars because the people who control the purse strings in the business understand risk, opportunity, and money. And so you want to make sure that that's the way that you communicate because that's the language that business speaks. So if you can communicate that to them, they will be understanding and they will be more likely to want to work with you on stuff. And then honestly, this one's a little hard, but you need to practice having difficult conversations because it's going to happen. A system is going to fail. A threat actor is going to get in. And you have to be able to get up in front of the boardroom or get up in front of people and say, "Whoops. Here's how
we're going to fix it." Right? Like, it just happened. You have to be comfortable and confident in that situation. And if you're comfortable and confident when the worst has happened and you're able to do that, they're more likely to follow your path out when you try to guide them where they need to go. So you want to be able to communicate to them. And you only really get that through practice. If your organization does tabletop exercises, practice crisis communications as part of the tabletop. Bring in your comm's team to help you, right? Run stuff by them. Work with them on stuff. get them involved in it so they're part of it and so you can see how it works and you can
try to practice some of it yourself so that when it eventually does happen because a breach is going to happen it's inevitable you're okay communicating that thing finally I'm going to leave you with this last little bit here that honestly being CISO isn't everything like I said architect engineer developer there are tons of amazing career tracks and pathways that you can go to and CISO and security leadership tends to be a very high risk somewhat highrisisk reward, but high burnout position, right? When something goes wrong, it's your fault and you're the problem and you're probably going to get swapped, right? That's kind of the way it goes for a lot of stuff. But you can kind of
help mitigate some of that through good communication and working through things. But think about what you really want and whether you want to be doing budgeting and whether you want to be doing people management and things or you want to be doing more technical stuff and more development stuff and apply that towards the actual pathway you want to follow. Uh, so anyway, that's my presentation. I appreciate you all coming. If you've got questions or things, you can feel free to shout them out. If not, I'll be kind of hanging out over here for a minute. Just come up and chat.
[Applause]
[Music] Hey, hey hey. [Music]
I do.
Doo.
[Music] down. [Music] Heat. Heat. N. [Music] Heat. Heat. [Music] Hey, hey, hey. [Music] Heat. Heat. [Music]
down. Hey [Music]
Heat. Heat. [Music]
Heat. Heat. [Music]
Heat. Heat. Heat. [Music] Heat.
Heat. Heat. Heat. [Music] Heat. Heat.
Heat. Heat. Heat. [Music]
Heat. Heat. [Music] Heat. Heat. N. [Music] Heat. Heat.
[Music]
[Music]
[Music] Hey. [Music]
Wow. [Music]
[Music] Heat. Heat. [Music] Heat. Heat. [Music]
Heat. [Music] Heat.
Heat. Heat. [Music] Heat. Heat.
Heat. Heat. [Music]
Heat. Heat. [Music]
Heat. Heat.
[Music] Heat. Heat. [Music] Yeah, [Music]
[Music] down. [Music] Let's do the right thing and pose for that.
See, Steve's doing a horrible job taking a picture. >> He's like, "Now,
>> don't you bring him here to help you?" >> Yes. >> He just doesn't know how to use my computer.
All right. All right. All right. Okay. Without further ado, the one and only Heather Morris is going to talk to us about leveraging, aka hacking your network to help you in your career journey. Let's give a round of applause.
Hi everybody. I'm really excited to be here. Um, my name is Heather Morris. I am the director of recruiting for a company called Red Horse Corporation. Um, I have been in the GovCon talent industry for a little over a decade. Um, and today we're going to talk about networking, why it's important, why a lot of you are here today. Can you not hear me? How about now? Yeah. Okay. Um, I'll start over. Uh, my name is Heather Morris. I'm uh the director of recruiting for Red Horse Corporation. I've been in the GovCon talent industry for a little over a decade. Um, I'm excited to be here and be talking about networking. It's something that I'm
really passionate about. Uh, reason why many of you are probably here today at Bsides in Vegas. Um, so we'll kind of dive into it. Um, and yeah, if you have any questions, don't hesitate to stop me throughout. So the introduction building meaningful connections, relationships, it helps you stay informed about not only job opportunities but also industry trends. Um it fosters collaborations and really helps with your overall professional development. But why cyber security? Like why is it so important in cyber? Um, specifically, you know, cyber security is an industry that's constantly evolving with new threats, new technologies. It's it feels like every six months there's it's it's just a a change in in technologies that y'all
are utilizing. So, professionals need to stay up to date with the emerging tren trends and advancements. So, with that, there's also a significant demand for cyber security professionals. So networking helps you really tap into those job opportunities and the the market in general and and just help you stay ahead of those industry shifts that I I mentioned. Um cyber security professionals often work in team- based collaborative environments. So networking helps facil facilitate those relationships and enhance teamwork and enable knowledge sharing. So, it's really an opportunity to meet people face to face, shake hands, let them know who you are versus just somebody that they might see on socials, um, and collaborate. Um, last and my al my absolute favorite thing
that we'll talk about here is build building your professional network helps you not only with job opportunities, but also insights and mentorship. Mentorship is something that I think is huge within this space. Um, so we will dive into that as well. Overall, networking plays a key role in staying competitive and developing your career in cyber security. So, the why, yes, top of- mind is obviously job opportunities, but it's important to network because most roles in tech and in the saber community are really filled through referrals and word of mouth. So getting out there, meeting people is really going to help you have that competitive edge versus being one of the thousand people that apply to a
job that's on LinkedIn. Um, putting yourself out there and networking in the right spaces. You could gain a mentor that can help you support your career. Networking provides valuable knowledge um about the latest tools, best practices, emerging trends like I mentioned, and it could lead to new partnerships, new research opportunities or projects. um specifically with job enhancement um visibility in the cyber security community, power of personal recommendations um and internal referrals and continuing learning through knowledge exchange. So you're going coming to a conference like um besides and beyond. Many of you probably are going to blackhat defcon things of that nature. Um so it's important when you're coming to these events to try to have a plan in place.
Um so uh before the event, during the event, and after the event as well. So before you head to an event, first make sure obviously the events that you attend align with your interests or background. Um conferences and meetups are the ideal location to meet like-minded people. Um, you can find formal or informal opportunities at these kind of events. Um, it's a matter of your comfortability and how you get out there. Um, I think everyone in this room should be proud of their own personal growth by just being here. Honestly, um, how to ensure that you're getting the most out of an event. First, we want to prepare personally. Think about what you want to get out of the event. Um, is
it just to nerd out? Is it to uh meet more like-minded people, to learn about new technologies, find a new job? Whatever it is, come into an event with that mindset. Um it'll drive what kind of sessions you attend, what kind of breakouts you participate in. Um and really help drive your overall experience. Um, you always want to make sure you have your I like to call it an elevator pitch, but explaining who you are, what you do, um, and really what you're looking for. Um, and then research the event. Don't just show up to an event. Make sure you know who's speaking, who's attending. Um, plan on when and where you want to stop by
booths, listen to talks, participate in activities. This will ensure you're ma maximizing your time at the event and also um just being on the grounds. Uh during the event, you know, I strongly recommend that you approach every conversation with the aim to learn and connect versus what can I get out of this conversation. Um it's fair to have the m that mindset. Um but what if you could help them? What if you could make an impact on that individual that you're speaking with? Um, you know, you'll hear me talk about it a little bit more in depth as these slides go on, but um, networking is a two-way street. So, um, you know, the conversation could
also help change your mind, give you a different perspective on the way you want to take your career. Um, so definitely try not to be tunnel visioned. Um, and always come at the avenue or the perspective of how can I help or what can I learn from this? Get engaged, be present, uh participate in all the things. Get outside of your comfort zone. I'm sure everyone in this room has heard the the phrase, you know, learning uh learning and growing happens outside of your comfort zone. So, get out there. Even if you fail, it's still nice to to try and and challenge yourself. I know that at these events, they have a lot of different like hack
this, hack that. So, um get out there um and showcase your interest in specialties in general. During the event, every opportunity you get to is to to stop by as many networking lounges, mingles, happy hours that you could possib that you could attend within your time. They're really unique opportunities to meet people that are here specifically for networking. Um you and you never know who you'll meet after the event. Uh follow up with your connections you made during your time at the event. You know, I highly recommend personalized LinkedIn connections. It's a great way to solidify the connection that you made um and really bring it full full circle and open additional conversations. Uh when reaching out, be
sure to note some specific points that might help the individual remember you. Um I'm as I'm sure many of you here are, you probably talk to a lot of people. So, it's important to um be able to set yourself apart from all the other conversations and then stay engaged and continue supporting them through their socials as well. Like their stuff, share their stuff. Um and just ultimately be mindful. Um and that will come full circle and be impactful. Networking on platforms is a wonderful place to network and meet more like-minded individuals. First, let's talk about LinkedIn. Obviously, it's the number one. It's the the bread and butter of uh networking. Um, first thing, make sure your profiles are up to
date. Um, professional and showcase all of your skill sets. If you get a new certification, make sure that's on there and all of your experience. Obviously, um making sure that it's it's up todate is going to ensure that people can find you and know really what you you have to offer and what what you have going on. Um LinkedIn is not supposed to be a super confidential site. Um so ensure your settings allow people to share and engage with the stuff that you have posted as well. um you know or if you are open to the job market and you you turn on that badge, make sure that people are able to share your profiles
and your posts. Um that that's what what it's all about, networking. Um engage with individuals and their posts that you find insightful or you think your personal network would find useful. Remember that you are a professional in your field, so advocate for things that you feel are right and impactful. Um, engage with individuals and posts that you find insightful. Advocate. When I say engage, I don't mean just liking something here and there. I mean also posting your own content, being original. Tag organizations, groups, um, individuals within your network that may have helped you write the post. um that will having those tags and hashtags will really help further your reach within the LinkedIn community and participate in discussions and
comments. If you like something someone says, give give your your your two cents, your feedback. Um I think people really appreciate that. And celebrate your successes, celebrate other people's successes in your networks. As I mentioned on my previous slide, and yes, I'm going to say it again. When you send a connection request, ensure you personalize the message. Um, especially when it comes to thought leaders, recruiters, things of that nature, we get several connections that may not be relevant to our personal networks. So, by saying something personal, we're able to connect that and make and bring that full skirt. We want you in our network, but it we want it to make sense as well and kind of take out
all the noise that we might get. Um, on a final note, join LinkedIn groups. I feel like these this is an avenue of LinkedIn that is highly overlooked um on the platform, but there's no better way to find a group of like-minded individuals that maybe isn't a co-orker that you work with um or somebody that you meet on B at Bides, right? Um, but it's a a great place to find folks that have the core interests that relate to you. Um, and it's also a a good way to learn from thought leaders within your industry on other social media platforms like X or Instagram. Um, I really recommend taking these these platforms and utilizing them um as a meaningful
circle, right, that you can learn from. Stay engaged in conversations so that your name is out there in the community. Beyond connections, you can search related hashtags that will have posts related to the topic that you're interested. For example, infoscue team. Um, use it to keep up with trends and insights. Uh, these platforms are great for informational um, and really being able to grow in that way and also engaging with these people. I'm sure if you find somebody that you you connect with and and is is a great person that you want to continue um having a network with uh you'll connect with them on LinkedIn and I'm sure that's where the conversations will really flow but uh it's a great way to
meet new people. I have talked a lot about engaging and being active but how right it's more than just building an online presence. It's really about your personal brand. Um, within cyber security and really beyond, you know, when you have an online presence and you're connecting with people, you you have a brand, right? Yes, you're advocating for your organization that you work for, but um you as an individual have a lot to offer within your the space that you're a professional in. So when it comes to your expertise, I guarantee you that there's people out there that want to learn from you, want to grow with you. So there's several things you can do to stand out from
writing blog posts, creating your own portfolio outside of LinkedIn, things like GitHub, or simply, you know, contributing your own thought leadership through industry forums. Um, there's a lot of different ways to get your name out there and and and to make an impact. The more you stay engaged and share accomplishments, you'll see it come full circle and individuals will reach out to you with opportunities. But it's worth taking the time and putting yourself out there to engage in these communities. How to approach networking. It's so easy to go to a networking event or conference and immediately beline for the reason that you're there, whether that's jobs, partnerships, or mentorship. However, it is so important to remember that networking is so much
more more than that. It is about relationship building. Keep their approach to be building genuual relationships. When you meet somebody, it's it's it's so easy to just be like, "How is this person going to help me grow within my career?" Um, which is fair. I think that's a totally fair thing to think, but um building that relationship. Meaningful connections take time. listen when you're talking with individuals. Um, you know, a buzz word that resonates me um as a recruiter is by identifying pain points. Um, networking is not a one-way street. By understanding others and the challenges and their needs before jumping right into your personal self-game, um, offer to help, share knowledge. This adds value, builds trust, which can lead to
future opportunities. An example of that is maybe you're talking to somebody that's having a an issue with their code or, you know, can't figure out a certain problem. Um, sit down with them, talk about your experience, what's worked for you. Um, and that really will resonate with them and they'll remember that and it'll go a long way. Um, it's not a best practice to come to conferences with the goal of quote unquote pitching yourself or your business or whatever reason that you're you may be here specifically for unless you're a paid sponsor and you have one of these amazing booths out there. Um, it comes off as almost disrespectful to the community um and also the event
sponsor themselves. Um, if you focusing on listening and adding value, you'll organically be able to pitch yourself and an individual will ask you questions about who you are, what you're doing, what you're looking for. Um, so my biggest thing is be a person. It's not about the pitch. It's being mindful and being kind. Like I just said, meaningful connections, they take time. Leveraging mentor mentee relationships. um a mentor in cyber security space really any skill set is going to be by far one of the most influential and significant network connections that you can have. These are individuals in the industry um you work that can give you advice and guidance based on real world experience.
A mentor will not only open doors for opportunities for professional growth, they can also help give you exposure to new ideas, new skills, and strategies that you may not have come up with on your own. Um, it's someone who can really be a sounding board throughout your career. How do you find the right mentor? Finding someone you admire in your industry. follow along within their career. Whether that's on LinkedIn, whether that's somebody you meet at an event, whe whether that's somebody you meet speaking on a panel or on a stage. Um, you really just have to figure out the how to approach them and and to build that connection. Um, it typically doesn't organically happen. Um, you may
have to ask if they'd be open to a mentorship. Um, good people in the industry, I can guarantee you, would love the opportunity to be a mentor. Um, they typically love what they do and they'll relish the opportunity to quote unquote pass on the legacy or teach the ways. It's flattering and an honor at the end of the day. Um, I also want to note um that this scenario does not have to be a formal setup. It can be shadowing somebody, getting feedback on your work, asking questions. Um just ensure that you have you are being mindful of your mentor's time. Um you have a clear personal goals. You're communive. You celebrate successes together. And don't be afraid
to ask for questions or advice when needed. Also keep in mind that it isn't just bene beneficial for the mentee, it's also beneficial for the mentor. Collaboration and knowledge exchange are invaluable. For example, maybe a junior engineer may have experience with the brand new tech stack that just came out versus the mentor has years of industry experience with connections. A mentee can help teach the technology and the mentor can help with paving a career path. Um, I'm standing on the stage here today because I have a wonderful mentor who is Kirsten Rener who is um, amazing at what she does. she's running the hiring ground today and um you know it's it's amazing to to learn from people
within your specific industry. So any opportunity you have to do that I definitely highly recommend it.
All right. Maintaining longterm networking relationships because now I've said it a few times building relationships takes time. Maintaining long-term networking relationships are the key to successful networking in general. You do not typically come full circle right away. They require building and nurturing. Follow up and consistency is rule number one. Regularly check in with your network. Don't let relationships go stale. Share interesting insights or updates that might be of interest to your network. Celebrate your wins. Whether that's a certification, whether that's, you know, you you got a degree or whatever that might be. Um, celebrate your wins. That's one of the best best things you could possibly do. And help when possible, reinforcing the value of
your relationship. Um, take the time to meet up. Uh, the gentleman that spoke before me, he definitely touched on this, but having facetime goes a long way. um you know, it keeps the relationship alive whether that's in person or online uh virtually and and in and digital engagement. Um coffee meetings, love them. They're they're great. Just adds a personal touch and shows that you care and you want to make time for the individual. Last offer offer help. You know, if someone in your network has helped you, offer your assistance in return. Whether that's sharing your expertise, uh making introductions, or providing resources. Practical networking tips. Be authentic. People like you for you. So, if you're
genuine and not just a corporate version of yourself, it goes a long way. you know, it's the quirky quirky side of you that um is going to really resonate with somebody. Uh when you're passionate about something, it shows and people will will recognize that quality over quantity is imperative. While many connections are nice to have, it only takes one strong relationship to make an impact on your future. Stay updated on the stay updated. The tech space is always changing. keep up to date with trends and insights um so that you're cutting edge and you have something to that will give value back to the community as well. And be patient. I've already mentioned it doesn't come full circle right away.
So take your time, meet some great people, get out there, shake hands, and you never know how it will impact you. The summary of this is networking is about building relationships, not just job hunting. Leverage both an online and offline um presence for opportunities to connect with others in your field. Approach networking with the goal of adding value, not just seeking opportunities. Mentorship can be a gamecher. You just have to find the right mentor. Um and final thoughts, cyber security professionals who investig invest in networking will not only find job opportunities but will also build a strong support system for continuous growth. And that's all I got today. [Applause] [Music] Yep. Volunteering is huge.
Yeah,
>> that is great. He's saying that um getting involved in the community, whether that's volunteering at an event or speaking. Um it really helps get your name out there and also helps you get engaged with the community from that perspective as well. Thank you for that. Yep. Anybody else? Okay. Well, I'll go ahead. an example like what a follow. >> Yeah. So I let's say you did capture the flag, right? Just hypothetically be like "Hey oh, his question was um what is a good follow-up connection request message." Um so I would say something like, "Hey, my name's John Smith. We met at Bides. Um we both did capture the flag together. we were on the same team. Um, you know,
I'd really like to connect and and further these the conversations that we started, right? Because then it makes them remember where they met you, what kind of activity or what kind of conversation you had, and it really just kind of brings it full circle. >> I'm not a sales person. >> Yeah, I'm not a saleserson. I'm not trying to sell you anything. I promise. Yes. >> You mentioned noting like a Yes. >> Yes. >> Yeah. So it you know >> Yeah. So her question was what is a good elevator pitch? So I think and and what is an example of one? It really just kind of just here I'll give you my elevator pitch. Hi my name is Heather Morris. Um, you
know, I am I I've been within the talent acquisition uh GovCon space for about a decade. Um, you know, I am here and I'm looking to network and build my connections and really grow from individuals within the community. Um, I'm open to any kind of opportunities that would help get my personal brand exposure. Um, and also any way that I can support and impact the community. Um, and you know, I think people will will ask you, right? Like I don't think you lead with your elevator pitch, but it's when you're going around and you're shaking hands and people go, "Hey, what's your story? What are you about?" That that's when you'd kind of bring that up. Go ahead,
>> do a reminder. >> Oh, sorry. Kirsten has a reminder. Just real quick, uh, we keep doing Q&A, but before anybody leaves, I just want to do a reminder for anybody who doesn't know, we are doing resumeé reviews and career coaching today starting at 12. This will run all the way until uh Ricky's interactive uh talk at 2. Then we're doing it again at 4. And then we're having a networking mixer at 5. So, and then we repeat mix tomorrow. All right. Here. >> Go ahead.
I'm here because
>> So her question was, "Is it ever too direct to kind of just get out there and say this is what I'm here for?" Did I understand that question correctly? Um, I don't think so. Right. if they open the avenue for you to say, "Hey, like this is really what I want." Um, I think that that's completely fair. Um, but like this gentleman says, we don't want to ever come off like, hey, I'm I'm here giving a sales pitch, right? Um, you want to you want to be a person. You want people to approach you in that way of like, hey, how can I help you? You're smart. You you it seems like you you can
be impactful in the space. So, yeah. >> Yeah. Being normal. Be you. Yeah. All right. Um, I'll be around if anybody has any additional stuff. Um, I'll also be doing resume reviews and I will be part of the mixer later. So, I hope to connect with you guys. Bye. [Applause] [Music] Heat. [Music]
Hey Heat. [Music] Hey, [Music] hey hey. [Music] Woohoo! [Music] Woohoo! [Music]
[Music] [Music] Dumb baby. [Music] Fire.
Hey. Hey. [Music] Heat. Heat. [Music] Heat. [Music] Heat.
Heat.
Heat.
Heat. Heat. [Music] Heat. Hey. Hey. Hey. Heat. [Music] Heat. [Music] Heat. Heat.
[Music] Heat. Hey Heat.
Heat. Heat. N. [Music] Heat. Heat. [Music]
[Music]
[Music] Woo! Wow! Heat. [Music] Heat. [Music] Heat. [Music] Heat. [Music] Hey. [Music]
[Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.
[Music] Heat. Heat. [Music] Heat. Heat.
[Music]
Heat.
Heat. Yeah, [Music]
[Music] heat. [Music] back. Hey, [Music] hey hey. [Music] Down yeah down.
[Music] Heat. Heat. [Music]
[Music] By far down. [Music] Heat. Heat. [Music] Heat. Heat. [Music] Everybody. [Music]
Heat. Heat.
[Music] Heat.
[Music] Heat. [Music] Heat. Heat.
[Music] Heat. Heat.
Heat. Heat. N. [Music] Heat. Heat. Heat. [Music] Heat. Heat. Heat. [Music] Heat. Heat.
[Music] Heat. Hey Heat.
Heat. Heat. N. [Music]
Heat. Heat. [Music]
[Music]
[Music] Heat. Heat. [Music]
[Music] Heat. Heat. [Music] Heat. [Music] Heat. Heat. [Music]
Heat. [Music] Heat. Heat. [Music]
[Music]
Heat. Heat. [Music]
Heat. Heat. N.
[Music]
you. Heat. [Music]
Hey, heat. Hey, heat. Heat. [Music] Hey. Hey. Hey. Heat. [Music] Heat. Yeah, [Music]
[Music] black. [Music] keep it back. It works. Yeah, [Music]
down. [Music] Down
down down down down down down down yeah down yeah down yeah yeah down yeah yeah down yeah yeah down yeah yeah down yeah yeah down yeah
[Music] Heat. Heat. [Music]
[Music] [Music] Da [Music] da da. [Music] Hey, hey, hey. [Music] Heat. [Music]
Heat. [Music]
Heat. Heat. [Music] Heat.
[Music] Heat.
Heat. [Music] Heat.
Heat. Heat.
Heat. Heat. Heat. [Music] Heat. Heat. Heat.
Heat. Heat. Heat. [Music]
Heat. Heat.
[Music] Heat. Heat. N. [Music] Heat. Heat.
Heat. Heat. [Music]
[Music]
[Music]
[Music]
Woo! Wow! [Music] Heat. Heat.
[Music] Heat. Heat. [Music] Heat. Heat.
[Music]
Heat. Heat. Heat. Heat. [Music] Heat. Heat.
[Music] Heat. [Music] Heat.
Heat. Heat. N.
[Music] Heat. Heat. Yeah, [Music]
[Music] yeah yeah. [Music] Hey, hey hey. [Music] Yeah,
[Music] down. [Music] Down yeah down.
[Music] Heat. Heat. [Music]
Heat. Hey. Hey. Hey. [Music]
[Music] Dur. [Music] Baby, [Music] daddy. [Music] Hey, hey, hey. Heat. [Music] Heat.
Down. [Music] Down.
[Music] Heat. Heat. Heat. Heat. [Music] Heat. Hey. Hey. [Music]
Heat. Hey, heat. Hey, heat. Heat. Heat. N.
Heat. [Music] Heat. [Music] Heat. Heat.
[Music] Heat. Heat.
Heat. Heat. N. [Music]
Heat. Heat. [Music] Heat. Heat.
[Music]
[Music] Heat. [Music] Heat. [Music] Heat. [Music] Heat. [Music] What
are you? [Music]
[Music] Heat. Heat.
[Music] Heat. Heat.
[Music] Heat. Heat. Heat. Heat.
[Music] Heat. Heat. N. [Music] Yeah. Heat.
[Music] Heat. Heat. [Music] Yeah, [Music]
[Music] down. [Music] Black. [Music] Hey. Hey. [Music] down. [Music] Down.
Yeah,
[Music]
heat. Heat. [Music]
Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music]
[Music] [Music] Heat. Heat. [Music] Heat. Heat. [Music] Fire.
Hey. Hey. Heat. [Music] Heat.
Down. [Music] Down.
[Music] Heat. Heat. N. Heat. Heat. N. [Music] Heat. Heat. Heat.
Heat.
[Music] Heat. Heat. [Music] Heat. Heat.
Heat. Heat. [Music] Heat. [Music] Hey, heat. Hey, heat. Heat. Heat. [Music]
[Music]
[Music]
[Music] Heat. Heat. [Music] Heat. [Music] Heat. [Music]
[Music] Heat. Hey. Hey. Hey. [Music]
[Music] Heat. Heat.
[Music] Heat. Heat.
[Music] Heat. Heat.
[Music] Heat. Heat.
Heat. Heat. N. [Music] Heat.
Heat.
Yeah, [Music]
[Music] black. [Music] beat it back. Yeah. Yeah. [Music] Down.
down.
[Music] Heat. Heat. [Music]
[Music] Down. Bye. [Music] Baby, [Music] hey. [Music] Fire. [Music] Down. Heat. [Music] Heat. [Music]
Heat. Heat. [Music] Heat. Heat. N.
[Music] Heat. Heat. [Music]
Heat. Heat.
[Music] Heat. Heat. [Music] Heat. Heat.
Heat. Heat. Heat. [Music] Heat.
[Music]
Heat. [Music] Heat. Heat. N.
[Music]
[Music]
[Music] Hey. [Music]
[Music] Hello. Heat. Heat. Heat. [Music]
Woo! [Music] Yeah!
[Music]
[Music] Heat. Heat.
[Music] Heat. Heat.
[Music] Heat. Hey, heat. Hey, heat. Heat. Heat. [Music] Heat. Heat. N. [Music] Heat.
Heat.
[Music] Yeah. Yeah. [Music]
[Music]
[Music] Hey, [Music] hey hey hey hey hey hey hey hey hey hey hey hey hey hey. Yeah, [Music]
down. [Music] Down
down down down down down down down down down down down down down down down down down down down down
[Music]
[Music] By far
[Music] Heat. Heat. [Music] Fire.
Hey. Hey. [Music] Heat. [Music]
Heat.
Down. [Music] Down.
[Music]
Heat. Heat. [Music] Heat. Heat.
[Music] Heat. [Music] Heat.
[Music] Heat. Heat.
Heat. Heat. N. [Music] Heat. Heat. [Music] Heat. Heat. Heat. [Music] Heat. Heat.
[Music] Heat. Heat.
Heat. Heat. N. [Music]
Heat. Heat. [Music] Heat. Heat.
[Music]
[Music] Hey. [Music] Hey. [Music]
[Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music]
Hey. [Music] Heat. Heat.
[Music] Heat. Heat.
[Music] Heat. Heat. [Music] Yeah, [Music]
[Music] hey. [Music] Hey, hey hey hey hey hey hey hey hey hey hey hey. [Music] Yeah, [Music] down down [Music] down down down down down Yeah,
[Music] Heat. Heat. [Music]
[Music] Baby, baby [Music] boo. [Music] Hey, hey, hey. [Music] Heat. [Music]
Heat. [Music] Heat. Heat. N.
Heat. Heat. [Music]
Heat. [Music]
Hey. Hey. Hey.
[Music] Heat. Heat. [Music] Heat. [Music] Hey Heat.
[Music] Heat. Hey, Heat. [Music] Heat. Heat. [Music] Hey.
[Music]
Hey. Hey. [Music]
[Music] Hey. [Music] It's [Music]
[Music] Heat. Heat. [Music]
Woo! [Music] Heat! [Music]
Heat. Heat. [Music] Heat. Heat.
[Music] Heat. Heat.
[Music] Heat. Heat.
Heat. Heat.
[Music] Heat. Heat. [Music] Heat. [Music] Heat. [Music] Heat. Heat.
[Music] Heat. Heat. [Music] Yeah, [Music]
[Music] yeah yeah. [Music] Hey, hey hey hey hey hey hey hey hey hey hey hey. [Music] Yeah, [Music] down. [Music]
[Music] Heat. Heat. [Music] Heat. Heat. [Music]
[Music] Heat. Heat. [Music] [Music] Heat. Heat. [Music]
Home.
Hey. Hey. [Music] Heat. [Music]
Heat.
Down. [Music] Hey. [Music] Heat. [Music]
Heat. [Music] Heat.
[Music] Heat. [Music] Heat. Heat. [Music]
Heat. Heat.
Heat. Heat. Heat. [Music] Heat. Heat. Heat. [Music] Heat. Heat. N. [Music] Heat. Heat.
[Music] Heat.
Hey Heat. Heat. Heat. N. [Music]
Heat. Heat. [Music]
[Music]
[Music] Hey. [Music]
Woo! Wow! [Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music]
Heat. Heat. Heat. Heat.
[Music] Heat. Heat. [Music] Heat.
[Music] Heat.
Heat. Heat. N.
[Music] Heat. Heat. Yeah, [Music]
[Music] yeah yeah. [Music] Hey, [Music] hey hey hey. [Music] Yeah, [Music] down. [Music] Down yeah down down down.
[Music] Hey hey hey. [Music] Hey, [Music] hey hey. [Music]
[Music] [Music] Baby, [Music] baby. [Music] Heat. Heat. [Music] Down.
Hey. [Music] Heat. Heat. N.
Heat.
Heat.
Heat. [Music]
Heat.
[Music] Heat. Heat.
Heat. Heat. Heat. [Music] Heat. Heat.
[Music] Heat.
Hey, heat. Hey, heat. Heat. Heat. [Music]
Heat. Heat. [Music]
[Music]
[Music] Heat. Hey, Heat. [Music]
The thing about photos is the people have to opt into it. >> Um, I understand better to do it from behind
up in the picture, you have to make them aware of it. Okay? All right, without further ado, this is I've been really looking forward to this. Um, the one and only Ricky Berkeley is going to take it to a whole new level. And this is an interactive talk. So, I'm judging you. You have to sing. You don't. And I I I want you to interact and I want you to talk to him and and get his wisdom. And I'll be running the mic. So, take it away. >> Thank you. This is not working, Ryan. Or it is. >> Can you hear at the back? >> All right, cool. Uh, so no pressure. Thank you. Um, so who who knows what
this is? Might be a dumb question for some people, but others maybe not so aware. So we know what this is. And who has a profile on this platform? All right, so most people just out of interest, if you don't mind, hands up. Who doesn't? Okay, couple. So, it's an interesting thing. Um, all right. So, you have profiles. Have you ever actually looked at the reason why this platform exists? If you look, who would? Um, so this is if you look at the LinkedIn mission statement and then their vision, this is basically what it says. It's really dark. Is there anything we can do for the lighting at all? I guess not. T. Okay, that that's working properly.
So, do I have to hold this? All right. So, just have interest. Is there anything we can do for the screen at all? It's quite dark. >> It's okay if not. >> I'll just see if it's my screen. No. Okay. So, create economic opportunity for every member of the global workforce. What does that actually mean? So, LinkedIn is a jobs board. It's a jobs platform. Um, it's how the company originated. It masquerades as a business social media platform. The reality is it's all about jobs. But the thing is, if you can't get a job off this platform, quite frankly, what's the point? Um, and that's what it's about. So, if you feel like this, where's
Waldo? in other parts of the world we call this where's Wally um just out of interest so those people on LinkedIn who finds it helpful in terms of getting a job raise your hand okay cool and I just want to flip this because we said it's interactive who finds it not so helpful for getting a job 50/50 >> are we okay with this or is it a bit too Scary. All right. So, welcome to Jesus, that's dark. Do you know what? May maybe we can have the lights on. I'm sorry to be a diva. >> Oh, do you mind just It's only about 45 minutes long. Is that okay?
>> It's Let's Let's stick the lights on. It's okay. back on.
>> What? >> Okay, just blind me. Um, all right. So, why are we doing this talk? My name is Ricky Burke. I am not from around here. I'm from the UK originally, living in Australia for the last 11 years nearly. I run a cyber security recruitment company. >> That was better with the lights off, wasn't it? >> Can we turn them? No, I'm joking. I'm joking. I'm joking. No, no, it's fine. We'll make it work. Um >> I don't know what I'm doing. >> Do any of us? >> Um there's there's a talk in that. Um >> are you saying I'm not going to get a job as >> I I think you're doing okay with what
you what you are doing. >> Oh, [Applause] >> get this man a job. Okay. So, I I run a cyber security recruitment firm. Um, we help companies hire people. I've been doing this for a bloody long time. I'm very lucky to be involved in the security community in doing lots of stuff like this here in the US here today. I'm running a career development program at Black Hat later this week. Um, and do a whole bunch of stuff in Australia as well. So, I like to think I know what I'm doing in terms of giving advice u to people. And then if you want to follow me on LinkedIn, please feel free to do so. I do actively
share advice not just jobs. So now we're going to get interactive not just with the lights but with the audience. So out of interest, how do recruiters work? Shout out if you like. We don't need to be formal here. Okay. Recruiters get a job and try and match it to a person. Okay. Yes, like it's really simple, but then it's very hard. So, for context, you have different types of recruiters out there. I'm an agency recruiter. So, I get paid by my customers to help them hire people. We have amazing people like Kirsten who work internally for companies in talent acquisition and HR where they help their companies hire for themselves. Two different types of roles trying to
fulfill the same purpose. And then there's different approaches to recruiting. So you have, as you might be aware, job advertisements, which is where you fill in this lovely link, you get sent to a black hole and then you never hear from someone again. Um, or you get recruiters that approach you. Now, the thing is, and going back to where's Waldo and what this is about is what's the point being on LinkedIn if you can't be found? For me, yes, there's the there's the benefit of you can network with people, but ultimately you want to be found for different reasons. Yes, there's the job of to today, tomorrow, but what about the future? In terms of future opportunities, in terms
of networking, meeting people here, the easier you are to be found, the better it is for your career. And the sort of rule that I go by is the more people who know what you are, the more things will come to you, the more opportunities. And those opportunities can look so different. So, how do recruiters find people? Um, I've jumped the gun here, but essentially there's a little hint at the beginning. LinkedIn. Um, every recruiter uses LinkedIn. And have a guess. How many hours a day? We're going to put Kirst on the spot. How many hours a day do you put on LinkedIn? Let's guess first of all, anyone? There's massive prizes they're giving away as well.
>> 12 hours a day. >> Maybe not. Um, four hours, five. By the way, there's no prizes. I was joking. Um, um, how many hours a day would you spend on LinkedIn? >> It's non-stop. It's every second of the day. I'm just literally non-stop. >> Now, from a HR perspective, I can't say 12 hours because of legal rights and stuff. Um, but the reality is, yeah, like as as recruiters, we live on LinkedIn. It's [ __ ] sad to be honest with you. Um I've It's got so bad for me personally. I've ignored every other social media and I live on LinkedIn. Um I I don't want to do social outside of LinkedIn now just because ultimately I
spend a lot of hours on there. And to be really truthful, if it wasn't for LinkedIn, my business and myself would not be in the position we are today without LinkedIn, which is really weird to say out loud. But in terms of the business that we do, the customers that we have, the people that approach us, again, it's those those numbers of the more people that know who you are, the more things will come to you. But we want to help you get found. So, I want to be interactive. I'm going to jump up here. I didn't want to stand up here cuz I feel like it divides me and yourselves, but I need my laptop.
So, I want to play a game, right? If are people comfortable me asking who's looking for a job or who's open to a job at least? Okay, that's a no. Only joking. Um, okay. So, if we're going to say you're open to a job or looking for a job, what type of job do you want? Shout out some names. >> GRC. >> GRC. Why would why would you do that? I'm joking. I actually once spoke to a pentester who said um I'd rather put a shotgun in my mouth than working GRC. However, let's be honest and although I do have a preference to the more technical roles, I feel like GRC is the bedrock of cyber security because
without the policies, without the frameworks that drives all the technical work that those vendors and all the other people do in terms of the tools and the people using the tools, I don't think we'd have as much security. So, fair play. Um, all right. So, you said GRC. I'll be honest with you, GRC is a little bit of a weird one to look for. I'm going to go for another technical role here. What's a shout out? >> Pentesting and >> junior. >> Junior security engineer. >> Okay, that's a really broad term. >> Um, let's go pentester because you were louder and then we might get on to security engineer next. Pentester. Okay, so we're going to do a live demo and hope
it works. Hopefully my internet hasn't crapped out. So, I needed to make sure my tabs were closed. Um, all right. So, we're going to get on to LinkedIn Recruiter. Has anyone seen or used LinkedIn Recruiter before that's not in HR? Okay. So, I can take you down this dark web of the murky world of where recruiters live. >> All right. So, sir, if you don't mind me asking, where which location for a pentesting role? Okay we're do >> Okay, I'm I'm going to jump ahead and just spoiler alert. >> Southern California. >> Southern California. Okay. Is that where you actually live or you just randomly naming a state? >> That doesn't help me with my exercise
here. So, yeah. >> All right. Only because I want to reverse engineer the situation. See if we can find you. Is that okay? >> All right. Sweet. Okay. So, um, we can all see this clearly. So, thank you for dimming this the the lights because now we can actually see it properly. So, all right. Location. You said Southern California. I don't think we can search Southern California. We're just >> Oh, okay. And which street did you say again? >> I'm joking. Don't answer. Um, all right. Losing. >> All right. Oh, no, not county. Hang on. Let's just go. So, this is where the where's Waldo thing comes into it. Essentially, we're looking for the person. All right. So,
now we're basically playing the game of the horrible shoes you're going to be in. We're going to be in a we're going to be a recruiter for the next 5 10 minutes. Why would you want to do that? Um, okay. So, just a simple 11 million people to try and get through. Um, now what? So, what what search terms do you think we should use if we're looking for a pentester in the Los Angeles area? >> Pentester. Okay. So, which job title should we go for? Pentester. >> So, job titles. Let's go formal and go put penetration tester. >> Red team. Okay. >> Ethical hacker. >> So red team ch have really muddied that that word for me. Ethical
hacker. They've ruined it. No offense. >> Um >> okay. So, red team, not T team. This is hard. Give me a break. Okay, red team. So, by the way, I'm doing in the recruitment language, we call this boolean searching. Other terminology or variations is I know X-ray searches or um whatever. But basically, recruiters say boolean, right? So, we got red team or uh someone said OSTP. And >> ethical. Oh man, that word. Okay. Ethical hacking. >> Are we happy with that? >> Start. >> It's a start. Okay. >> I was just testing. >> I'm glad someone's paying attention. You'll get the prize. All right. OCP. It's all right. The cap caps doesn't matter. All right. So, 127 people.
So, now we get to uh not just look at people. We're going to do some um constructive feedback as well. I apologize if anyone is in the room that I give constructive feedback to. So, we're going to just as a question out of interest, how long do you think a recruiter would look through a person's profile? >> Yeah, I'd say 15 30 seconds, which sounds pretty [ __ ] Here's the way that I would work. And maybe people have other opinions. Um, so you look at this list of what was it 127 people before that was 200 odd. Essentially, I want to skim through these profiles just to then shortlist people that I want to spend more time
with. So, essentially, I might shortlist 5, 10, 20, 50 people, put them over there, and then I'll go back and then try and contact these people. I'll reach out via direct messages, emails. I if I have their contact details, I'll call them or email them. Um, but essentially I'm just looking to, you know, if you imagine like a canban board is like just move through the sort of flow of shortlisting and moving forward. So, we're going to jump on this guy's actual LinkedIn profile because we're going to do some I say constructive feedback at the same time.
Now, what do we think initially about this profile? >> Lack of detail. Yeah, there's that. Um, we don't need to go more experiences. He's got licenses and certifications. Got a few projects, key skills, 45. There's a lot there.
Would we rate this as a good profile or let's say, you know, good, bad, average? What would we say? >> Okay. You had a question. Do you guys actually care about >> I care about the ones I care about? >> Sorry. >> The question was um about filling in the skills. So, do we do we care? I said I care about the ones I care about. So, do I care about in this context uh WordPress? Couldn't give a [ __ ] Do I care about shell scripting and web application security and penetration testing? Yes, I do. So, it's about what's relevant. But let's just jump back to Ryan's profile. I think it's a pretty decent profile. Look, we all have
room for improvement. Um, you know, there's some funky stuff you could do with a banner here just for aesthetics or visual purposes. He's got a nice friendly picture. Um, he makes it very obvious OCP. He does have C. In some places that might count against him, which is interesting. Um, so I can't speak for here or certain places, but in Australia I know a lot of pentesting managers that if they saw CH, they would basically disregard that person. Um, because not because it's [ __ ] no comment, but more because the person lacks the understanding of what the rest of the industry or community thinks of a certification like that. So having context awareness, I think, is really
helpful. Um, but it's got someerts. So, you can see this guy actually does it. He does mention ethical hacking. He does have offensive counter measures in there. Um, yeah, there's some other stuff in there, too. So, essentially, there's a lot of information there that he is someone very easily I would go, yes, I want to speak to this person. So, I would then shortlist him and he'll go into my list of people to contact. Um, there was a mention of there was a lack of stuff here. Areas improvement. Yes, he could do that. He could put some stuff in there about what he does like is he still a pentester or is he doing some other stuff? We spoke about the
vagueness of security engineer. Security engineer title could mean so many different things. Is it appse? Is it cloud sec? Is it dev sec ops? Is it whatever? There's like 10 15 different things it could be as a security engineer. Um interesting. Had a stint application security engineer. again, was it like proper ABS sec or was it more code review working with devs or whatever it may be? Um, but again, I like the profile. He got found. That's a good thing. There's a reason why he was number one on that s that on that list. Next person.
Okay so we've got some stuff there. We've got a brief intro, relatively active with some comments. Um, job penetration tester there, so it's quite obvious what he does. And then we'll check out the skills. Not much in cert in terms of certification. Okay, 38 skills first when you got um pen testing and red teaming early on there. What do we think of this one? Good bad average. >> Average to good. I'm curious. Those that said average, what do you think could be better? >> Theerts. >> You like Certs? You care about CS? >> Depends on the >> Okay, good responses. Yeah, it does depend on the C. Um, I couldn't care less personally about certifications. I
couldn't care less about degrees, university, and stuff like that. Ultimately, companies are hiring people because of their experience, their ability to solve specific problems. If you can't solve that problem, then quite frankly, you're not very useful. Um, question, >> what do you think about the about section and it all show?
>> Okay. Did we hear the question? It was what was the thoughts on the about section? What do you think about the about section >> in general? >> I think it's important to humanize yourself to some extent, but also show you like I'm a real dude that enjoys doing
I got a little bit >> cool. >> Yeah, I I think the about section is important because it gives you an opportunity to add some context. Ultimately, companies are hiring humans, not robots. And if you can describe Got some live messaging there going on. I'm not going to open it because I don't know what it's going to say. Um, but I I think the about section is really helpful. Um, look, there are some people out there who they're known in the industry. They're a known quantity. If you're not that, then you need every competitive advantage you can grab. So, you think about your your resume. This is your LinkedIn is your online resume. So, when you have that bit at the top
that you should have if you don't have it already, the summary part or the intro profile bit, this is your chance to tell the viewer who you are, what you're about, and basically what you bring to the table. >> So, you concentrated on experience, which I agree with. What happens when you don't have that? Okay. >> You're a new in the >> It's a good question. >> Can you hear me? Okay. So you mentioned experience. What happens? What are what would you suggest for someone coming into the industry who has no experience? Maybe a recent uh university grad. >> Okay. Who who's in that position? Um new to the industry, no experience. >> Okay. >> I have 700.
>> Um you're screwed. >> I know. Um, but there's things you can do. The fact that you're here is amazing. Now, I'm curious. Um, if you don't mind, raise your hand if you are on you've got a LinkedIn profile and obviously you're here today, so you can do that. Okay. Keep your hand up if you have posted on LinkedIn that you are at BIDES today. Look around you. security people. >> Yes, but you for those people that need a job, you need as much help as you can get. Um, and the picture doesn't have to be out there because if you take a photo, you'll get told off. Um, but it can literally be a photo of the B-side
logo. It could be of a presenter that doesn't mind social media. Hi. Um, it could be anything. Just to basically demonstrate you're at a place like this. So, this isn't part of the talk, but this is also just to give you general advice. When you go to something like this, this separates you from those people that are not here. So, when you need something like a job, you need everything going for you. So, your opportunity is you're here. The fact that you're here, you spent money time to be here is amazing. So, for those people that are trying to get in, fantastic. It's an amazing opportunity to actually meet people. Although it's quite scary when you don't know anyone.
Um, and I do mean that like it's I I was talking to D about it the other day. Like I I I find it intimidating going into a place I don't know anyone and it's like it's a little bit easier if I'm honest with you. I can go to an event in Australia and I will just people just come talk to me because they see stuff on social media so people feel comfortable. But if I have to rock up to an event like this, no one knows me and I don't know them. How the hell do you start engagement? And that's where just small things like a post or here or there connecting with people or an
actual engagement strategy of trying to build relationships is really helpful. If you can be brave enough, just general advice is like it's already gone lunchtime, but you've got this afternoon, you've got a couple more days if you're still here, is try and set some small goals. So in the morning or let's say this afternoon, try and speak to two people and just start with open questions. Don't rock up to a table full of 10 dudes and just go, "Hey." Like, no one's going to do that. But if you if you standing like you spot someone on their own, they're on their own. If you spot someone in a queue for drinks or coffee or whatever it may be, just ask
or the person behind or in front of you open questions. How's the day? What brings you here? Just see where it flows. You never know where it takes you. I I literally know people that have met their partner at places like this and a shitload of people have got their jobs through these sort of events. And if you have local community stuff as well, like you think of it as sort of small wins. The more things you go to, the more times you meet people. The more you meet them, the more they get to know you. The more they get to know you, they're like, "Oh, that person's cool. Like I know what they're up to. I think
we they they could be a good fit for our team." And I can promise you, you'll have more chance of getting a job that way than applying for a job with online where you're one of 500 or a thousand people applying for the job. If you can get someone to give you a warm intro to their boss, like that's halfway there. Obviously, you need to do well in the interview, but the fact is if you keep showing up, and that's the thing, like if you're trying to break into this space, it's hard. Really, really hard. But when you are here and other people are not like if you imagine you're at university and your you know whatever you want to
call them colleagues and you know whatever your peers if they're not here and you are you win keep doing that stuff when you post on LinkedIn you're at this event that event share some ideas it's all just building for a much bigger goal so Brennan I think not a bad profile um we spoke about the about section. I think it's really important because again it gives context to the human. If you're transitioning from one industry to another, talk about it. Explain what you're doing. If you see my profile, and I'll jump onto it in a bit, you'll see that I'm talking about all the events and the stuff that I do because quite frankly, it adds credibility.
So, if I mention I'm at Bides or I mention Black Hat, someone who knows those things be like, "That's cool." Like, that's my sort of person as opposed to they have no idea. So, you've missed an opportunity if you've not done those things in the past. In the future, do a post today, whether it's X, Twitter, whatever, when whatever you want to call it these days, or other social media platforms. Again, it just adds to your credibility. Um, but the interesting thing is just an observation by the way, and and I'm just seeing Brennan here. Brennan comments, comments, comments, but where's his posts? There's no posts. And if you like I've done this research because I've run um training programs on
this for like uh for people and it's really interesting observation because when you go looking at other people's profiles you realize hardly anybody posts. So it's not that hard to actually stand out and give yourself a voice because most people quite frankly are a bit nervous. >> I can't do you mind so I can't hear. So, I was going to say with um regards to the posting as well, like I in the past I I did that several, you know, I would do that a decent amount for >> I'm sorry, it's really quiet. >> Sorry. Can you hear Can you hear me now? I mean, I can I just don't want it to be too loud. Um so, in the in the past,
I've like posted a decent amount. It's just you get this sense when you look at the feeds that it turns almost into what Facebook's become in terms of like you know so should you be kind of selective with your posting so it's not spamming almost like what's the best from your guys' point of view as recruiters how how do you get a sweet sweet spot so it's not annoying to you I guess >> I don't I don't really think it matters if I'm honest with you uh look whe whether we like it or not LinkedIn have flipped the script in terms of it is social media but the engine behind it is a jobs platform. So, look, if you post
stuff, people don't like it, so be it. If you post stuff, people like it, then good for you. Um, so I I look what there's a fine line of, you know, posting too much. If you're posting 10 times a day, you're just going to annoy people. Um, but the reality is you're not going to post that because who the hell can think of 10 posts a day on LinkedIn. So, if it's more like one, two, five times a week, awesome. Um, and also LinkedIn, weirdly enough, doesn't like you posting too much opposed to something like Tik Tok where you're pretty much, it doesn't matter how much you post, every every post is sort of individual in terms of its engagement.
LinkedIn, and I've been penalized for this, if you post more than once in 24 hours, at least I can tell by my history. I don't know about the future, the the next post did not go so well. So again, you got to sort of spread out the post as well. Um, >> was there a question? >> Yeah. Uh, so I wanted to go back to the uh first profile um where you had mentioned you would pass over a profile that listed a certification that they may not be aware that the rest of the industry doesn't value as much. Um, unfortunately like the US government values those search that the rest of the industry doesn't. And so for folks that
are like getting out of the military and uh they don't care if they're getting, you know, a job in the government or in civilian sector, uh what advice would you give them to kind of find that balance to be seen on both sides? >> I I think I heard the question. Sorry, I was a bit quiet and I've got the air con is quite loud. Um so you talk about the certifications and the general consensus, but sometimes you need these things to get jobs. Ultimately, you you do what you need to do to get a job. So depending on what the employer or type of employer you want to work for is looking for quite frankly it doesn't
matter what other people are looking for. So if you want to work in government, government needs certain criteria then you meet the criteria. If you want a different type of job then you need to understand what that employer or that recruiter is basically looking for. So it is case by case if that makes sense. Does that help at all? Go on. Let's let's go deeper if you like for clarity. >> Uh no is I have a lot of uh friends in the military still and when they get out they they ask for advice and um they don't really you know care if they get a job on the government side or if they get a job in the civilian sector but
they have all those searchs that the civilian sector doesn't really value. So >> you get the best chance of being seen by both sides. And it that sort of goes to the thing of same as like entry- level people and and I heard this earlier from someone and I don't mean any offense by this or anything that I say. Um but the person was speaking to somebody else and I heard them say I'm just looking to get my foot in the door. No one cares. Like it's wrong to say that but ultimately that's not their problem. Basically you get employed to solve problems and if someone sees you as someone who can solve the problems they will employ you.
If you can't solve problems, they won't employ you. So again, it comes down to what is the criteria of what they're looking for to identify that you're someone who can solve problems. So there might be again if you've got pretends 10 certifications or training and it's spread across five different areas of security, my thought is well what the hell is this person like? What what are their interests? Because in in reality, most companies a lot are not hiring someone who's a oneperson security team. They're they're hiring them to come in and do application security, penetration testing, GRC, security architecture. These are specific skill sets that have then obviously certifications and training and experience associated with
that area. So my advice is think about the job that you want and work backwards from there. Hope that helps. Awesome. All right. So, again, I think a pretty good profile with this person. Again, they came up second in my search. Now, let's see if we can find our friend sitting in the one, two, three, fourth, fifth row over there. Um, out of interest, do you think we're going to find you? >> Oh, no. >> Oh, that was po This whole exercise is redundant. >> Oh, I apologize. >> Um, why why would we not find you? because I've been retired for about eight years. >> You I said people looking for a job. >> I'm sorry.
>> Okay. Can Can we just go back 15 minutes? >> I apologize. >> I'm joking. It's fine. The idea being it's about being found. If you haven't got the right information, you won't get found. So, there's a a lot of people on LinkedIn, like LinkedIn likes to tell you there's over a billion people on LinkedIn these days. It's going to get harder and harder to stand out in some ways, easier and easier in other ways. Most people in this space are not posting anything. So, there's an easy way to to sort of stand out quite frankly. Um, but this is the thing. If I if I'm looking for a pentester, there's a whole bunch of stuff that I would add
to these keywords. You know, different terminology, different things depending on what my specific needs were. I would go a bit deeper. You know, if I'm looking for someone who's maybe a bit more appseac focused and maybe who's looking to do some code reviews or code scanning and stuff like that, I would put words in like that. But the thing is, the results are only as good as the information we put on our profiles. So, if the information is not there in the first place, we're not getting found. All right. I think the demo went okay. Didn't get the results I was hoping for. How we doing for time? We're running out. >> I mean, frankly, after this is just
resume reviews and career coaching. So, if people are still interested in doing this, I'm happy to let you keep going. >> Okay. >> Unless I get in trouble. >> We could just roll with Q&A as well. >> Yep. >> Um, >> one second. >> I'm sorry, my friend is Q&A's not finished yet or started yet. I'm only joking. Go on. >> Thanks. So, quick question. Does LinkedIn premium make a difference to you for hiring if you're looking to hire someone? >> I'm really is link >> Can you Does LinkedIn premium make a difference if you hire someone or that absolutely no difference? >> Massive. Oh uh sorry. Okay. Does it make a difference in terms of me me seeing
you? >> Um >> but I think it makes a lot of sense to have LinkedIn Premium even if it's just for your searching time frame for the next job. um you get it free for a month I believe and then maybe have it for another month or two if you need it. Ultimately what it does is LinkedIn is not just about having an online CV but then you have the ability to be proactive. You can actually do stuff in terms of helping you um be more active on the platform, build relationships and so you can sort of build a targeted audience of the type of people you want to network with, learn from and also try and maybe get
jobs with as well. Um, so I would definitely use LinkedIn Premium for a period of time. By the way, I don't work for LinkedIn. I'm not a I'm not being paid for this this this presentation. I wish I was. Um, >> by the way, I lied. There's a 3:00 talk. >> 3:00 talk. >> So, I completely lied. >> That's okay. We can go to like 255 maybe. >> Yeah. >> All right. So, what do we think makes a good profile? >> Experience. experience. >> Sorry. >> Detail. Yes. >> Keywords that can be easily optimized for SEO. >> Can we can we just That's this is basically the talk in one sentence. >> Keywords that can be easily searched by
recruiters, i.e. SEO for your LinkedIn profile. >> You've basically stolen my last slide. Yes. >> Well done. Um, my advice is ask yourself three questions. Is do you want to be found on LinkedIn? Some people don't. Some people like to go under the radar and they don't want to they don't want a new job, need a new job and that's okay. But if you do, what do you want to be known for? So, do you want to be known for pentesting, GRC? Do you want to be known for something else? Ultimately, the information you put on there is what you'll get associated by. And this is the other thing with LinkedIn as well is what you put out there you get branded
by. So an example of that is I I share a lot of stuff on the platform to help people basically get jobs in the industry, land themselves a new position. Um but I'm not that person in terms of I'm not the one who's helping graduates or transitioners get their first job in the industry. I just see a massive quite frankly problem and people need help, advice and support. So if I can give them guidance to help themselves, I want to do that. What's interesting, I speak to some people and they think I'm the guy who does that um in terms of I will help you land a job. I can't. I don't get those jobs. P companies pay me good
money to hire the ones they can't hire. Um so yeah, what you put out there you'll get branded by as well. So bear that in mind. So again, that's a good thing. If you keep putting out, again, you want to be a GRC person, you keep putting out stuff around frameworks, policies, communicating with stakeholders, you'll get known for that. Um, so think about it. Oops. Question on the back of this, just a raise of hands. Who's going to make some changes to the LinkedIn profile? How good's that? Okay, you're you're being pointed at, by the way. You're being told to make changes. I'm curious. What changes does he need to make? >> No, he started posting
>> in the middle of your talk. That's not my profile. >> Um, you started posting. >> Yeah, >> congrats. That people can be quite apprehensive with that. So, if you can get over it, good on you. Um, >> are you directly engaged? >> I'd say connect with me, but I can't. I've got I've tapped out at LinkedIn's limit, which is 30,000 connections. Um, but feel free to follow me and I will keep giving this and tips and advice where I can. Um, and not just for entry- level people, but for people that want to get into leadership roles, people that are in leadership roles. Like really interesting thing is I'd say the two hardest jobs in the industry is getting
your first one and then also getting leadership roles. There are so many leaders struggling to get a new position. And the reason is it's like a pyramid. The the the higher up you go, the less there are at that at that period at that uh spot in the pyramid. And the competition is fierce. This is where quite frankly having a LinkedIn profile, having a quote unquote brand, as cheesy as it sounds, people knowing who you are, what you stand for is so so impactful for your career. Um, so if you make those changes, again, be specific. Don't be that person, I'm just want to get my foot in the door. Think about it from the other perspective. The job that
I want, what do they want to see? What problems are they expecting me to solve? And that goes for your resume as well. So many résumés are [ __ ] I I'm sorry, but they're they they're useless. I see thousands and thousands and thousands CVs a year. And the thing is everybody or a lot of people especially experienced people some of the worst because what happens is people have their resume that's been open for many many years and then they want a new job or need new job so they update their resume so they simply bulk on to their existing CV and now we have a five seven 10page resume which no one's going to
read. How Kirsten how many how long would you spend do you mind me asking? How long do you spend on a resume? >> Five seconds. >> Okay. >> How long you have to compel me to continue to read? >> That's it. >> And that's it. You've There was a stat a few years back, I think, on Indeed. It was 7 seconds. I've used that slide before, but 5 seconds. That's a That's a new record. Um, but but ultimately, you will spend a lot more time on the ones that you think make sense. The reality is time is precious. We saw that first search and it was in, you know, would have been the millions, then the thousands, then we we narrow it
down to the hundreds. If we don't have time to spend 2 minutes, 5 minutes on each profile to look at every little detail and think, oh, did they mean this or did they mean that? No, you need to be very specific about your intentions. And those people that are essentially thinking like that will find it a lot easier to land what they want. I think that's that's me in terms of official Q uh presentation. Yes, let's do some questions. >> How do you >> 10 minutes I think. >> How do you balance keeping it short with um adding all those keywords for your SEO? How do you balance keeping it short with uh all those keywords for your SEO?
>> I wouldn't worry about keeping it short. >> Oh, but I mean you said but not five or seven. >> Oh, you mean do you mean your resume? >> Yeah. Okay. So that's another thing as well. So question for the audience. My Q&A to you now. What are the most important skills in cyber security? >> Learning. >> Networking. >> Networking. Which one? >> Oh no. >> Okay. >> Networking. >> Critical thinking. >> Storytelling. Sorry. >> Nailed it. That's one of the again this is my bias. So like I'm not what I say is not definitive but in my opinion there's two things. Communication is one of them. The other the other is the ability to influence.
Now if you if you think about a job whether it's the pentester GRC something else you are working in a business you are working with other humans. Now even as a hacker where your job is basically to hack [ __ ] you still have to produce a report for someone else to read and then the idea is you find some vongs, they read the report and then they make some fixes. If you can't communicate in a report to the development team in terms of what changes need to be made, why it's important, then what happens? You could be the best hacker in the world, but if you can't influence the changes from in terms of remediation,
then you failed. You could be an average pentester, amazing communicator, and you influence more change. So that's the the pentester, which is one of the more technical roles in the industry that obviously there's, you know, the other end of the spectrum. there's there's other roles that are closer to the business, but the reality is every role is connected to the business and you've got to influence someone else to make some sort of changes. So if you can demonstrate the ability to communicate and that's where in terms of resume without even think or knowing it or realizing it, the ability to communicate succinctly, precisely in your resume is another selling point. It shows that hey this person actually gets it. they can
they can be concise with their communication skills and get their point across in a small window. So, it's a challenge, but I know um Seesos >> Gandandy Graham. >> Oh, [ __ ] yeah. >> Oh, you forgot that speaker request, did you? >> I was joking. >> I know. >> Jesus. Okay, thank you. >> He doesn't have the brown ones, right? just blue. >> You are a nonspecific as to what shade or variety of blue, so you got a bunch of different ones, but they're all blue. >> Oh my god. >> Okay, I know what for what's uh for dinner tonight. Um amazing. Wow. Okay, cool. I've been thrown there. Um so, okay, now I'm struggling to
communicate on the topic of communication. Um, but ultimately if you can if you can be concise of your communication in a document, which is basically your marketing material, that's all a resume is. It's is you marketing yourself to a new job. Um, essentially you're trying to influence the recruiter, the HR person, the hiring manager for them to want to meet you for an interview. That's the job of the resume. And I know so many says soos that have one and two-page resumes. And if they've got 15, 20 plus years experience and they can do that, then someone with two or four years experience I think can manage that as well. Um, another question I'll go to
you. Um, I'll grab the mic. >> Have the mic. Sorry. >> Thank you. Yeah. Does the open to work uh or open to work for recruiters thing on LinkedIn do anything or does it actually hurt you? >> Um okay. So does the open to work banner help or hinder you? Um that's a really interesting one and I don't have a definitive answer because it depends on the individual. Some people have some bias to that and other people not. Um, look, I think you need everything going for you. Um, you can do things on LinkedIn like you're open to work anyway, like and then recruiters that have LinkedIn recruiter can see that. But look, if you need a job, you need a
job. The most important thing is you can demonstrate what value you bring to an organization. So, personally, I don't care like people's circumstances are not always in their control. So if you've been laid off, you've been laid off. Like it doesn't mean you're a bad employee. It just means bad timing with with an organization. Um so I would use it, but the thing is as always, we're dealing with humans and humans will always have different opinions. Um but look, use what you've got in my opinion. Um the most the more important thing is those key words and then how you communicate on your profile is my general advice. Um I'll cut down the end. >> Um so just one other thing kind of to
follow up on on um so you have the resume and being succinct. Absolutely. With the with the LinkedIn profile I've heard it both ways like you want to be as verbose as pretty verbose. Should you try to take a similar tact especially I'm coming from some experience related to uh the industry but some outside as well. How do you make it so that we're not wasting your time? Because again, you have 15 seconds or so. Maybe should you go succinct in there kind of like a resume just not as extreme or what do you suggest? >> Oh, did you want to answer? Um, you get to the point, but then you I think if you can elaborate with an
example or two, that's helpful. Ultimately, it's about outcomes. And that's the same thing for your resume. Like this is not a resume session, but I can't help but talking about it because I always see areas of improvement. So if you if you think about it um like a lot of people's LinkedIn or their resumes that they will basically look like a job description in terms of they just copy and paste a bunch of stuff that their job entails rather than talking about the underlying thing of the problems they've solved. If you can again comes down to communication rather than like let's say like the pentest for example like I there some of the worst CVs that I get because it literally just
say web applications uh infrastructure like yeah no [ __ ] like that's what you're hacking but what did you actually do what was the impact of your findings and when people can say they did this and the outcome was this and it links back to the business then you honestly you go from here to up here. So again, communication >> I did that achieved for Z or money or whatever that actually >> yes if you can put metrics and stuff like that on your resume or LinkedIn again you're elevating yourself to a very small percentage of people globally that actually think like that. So again elevate your thinking so other people can see that. Two minutes. One more
question. >> Can you speak to the importance of tailoring your resume, cover letter to each posting? And >> hang on a second. Sorry. >> Can you speak to the importance of tailoring your resume and or cover letter for each posting and also if it is detrimental in any way to use AI to assist with that process and expediting it? >> Really good question. So, I've got about what 60 seconds. Um, okay. So, I think in my opinion, and look, I say this as someone who's not in your shoes, so it's hard. Um, I've not had to apply for a job in a long time. I run my own business, but I I try and think about it
the way that I would approach it. So, you have a standard resume and then you tailor it slightly depending on the job you're applying for. There'll be a different opinion. I'd love to hear your opinion about cover letters. Okay. Cover letters, small ones. So, a cover letter. And some people say, "Oh, that's outdated. That's too traditional." Whatever. The thing is competitive advantage. If they read it, great. If they don't, so be it. If you can explain, if someone sent you CV, cover letter, explained why they would like to work for your business and the role they've applied for and how they're relevant for it. What would you say or what would your thought feedback be?
>> Just want to clarify what I meant by five seconds. It is the it is the amount of time that I'm going to spend giving you a chance to compel me to continue. You can do that in one sentence. It's not a cover letter. You're not putting it in an envelope, right? But you're saying, "Hey, I noticed this and I would like to do that, right?" And that's almost a direct quote from the advice that he's giving on his site uh on a, you know, on a regular basis, right? So, it's not a covered letter, but it is a statement that compels us to keep going, if that makes sense. >> It was sort of you're giving yourself a
warm warm intro. But if if p if someone and again I only speak myself but if someone or think about it yourself if you're an employer you're a hiring manager and someone basically says I want to work for your team or your business and these are the reasons why and the job I'm applying for I've solved these problems before and here's some examples. I think that's more compelling than trying to guess. Um, but ultimately you don't need like a new CV every single time because if you're applying for a hundred jobs over a period of time, then you don't have the time for that. But I think there's a lot of people that go, "Oh, but I've
I've applied for hundreds of jobs and not getting anywhere." Okay, but what jobs did you apply for? They applied for a variety of roles. It's not specific enough. Like, if they know they want to be a pentester and they're applying for pentesting jobs, fine. But if they're applying for like I there's a guy that I coached and he won't make these bloody changes even though I've said it so many times on his profile LinkedIn it's it talks about GRC and it talks about security operations like a sock analyst they're not the same yet he he won't make the changes like which one do you want to be because you're not going to work work in a job where in the morning
you're a sock analyst in the afternoon you're doing um PCIDSS assessments like so you need to be specific. Um, if that makes sense. I think that was the last question. Um, thank you everyone. [Applause] Um, and I'm if anyone wants I'm going to hang around for the next hour or so for resume review. So, I'll take Is that the case? Take a table or not? >> So, >> or or do you have enough? >> So, we have three and then my bad. >> No, I'm the one. >> Okay. Ignore me. [Music]
[Music] [Music] Baby, [Music] baby. [Music] Beckw with it partnered with her partner in crime Jake Lurs are here to give us some perspectives and wisdom called craps clout and career chaos.
Thanks all. >> Let's see. Just uh Okay, you guys can hear us, right? >> Test test test >> test. Okay. >> So, uh good afternoon or you know if you go by the gambling Vegas slides, I guess maybe I could say good luck. Uh welcome to our presentation on the career side of things called Craps Clout and Career Chaos, the game that they forgot to explain. My name is Jake Lurs. I've been in the IT and cyber industry going over 25 years now. I started off on a technical help desk and then worked my way up the ladder. Now I'm currently a CISO for our large Fortune 500 corporation and I've been CISO a couple times over at this
point. I'm really happy today to be with my friend and industry peer Nicole Beckwith. >> Hey everybody. Uh nice to be here today. Uh Nicole Beckwith I've been in the industry a lot longer than I like to uh admit sometimes. Right. So, for those of you who are nerds and have been around a while, um to put it into perspective, my uh first computer was a Tandy 1000 from RadioShack. So, we'll just leave it there, right? Um so, Right. Yeah. If you know what Tandy is or RadioShack, you're in the right spot. Um yeah, so uh we're not going to talk about corporate buzzwords or talk about um the latest zero day exploit today. So, what we're
here to talk to you about is, you know, something that's a lot more chaotic, right? Your cyber security career. So, we're going to walk through some personal stories of ours, dig into some tips and some tricks that we wish that we would have known before we got to this point in our career. >> Yeah. I mean, the whole point of this particular session, as Nicole said, it's not on the technical side of things. It's got to be more on the soft skills side of things. So, like if you've ever felt that your career is a bit stuck, if you're ever tired of the long hours of jumping around from fire to fire, putting out this dumpster fire or that
dumpster fire, but more importantly, you feel like you're not being seen, that's really what this session is about. >> Yeah. So, we've both navigated the unpredictable waters of, you know, security operations. We've fought the battles in the boardroom and now we really just want to um give our opinions and advice to you all. So, uh, you know, we're going to share our wins, our losses, and we've all had those days where you just throw your hands in the air and say, "What the heck just happened, right?" So, we're going to talk through some of that. >> And definitely also interested at the end of the presentation, we'll take some questions, but interested in your perspective, see if some of these things
kind of hit home, resonate with you. >> Um, the I will be just completely transparent about it. >> These slides were generated by Genai. Um, although they're fun and fantastic, there are definitely spelling mistakes. Yes, we're aware. We were gonna take some low pops and throw them out to people that actually reference the spelling mistakes, but they're out there. So, but anyhow, we're here to have some fun. Uh, let's go ahead and kick off. >> Yep. So, the first uh lesson we want to talk through is speak human, not jargon. So, this is one that we've all, you know, uh, witnessed, we've probably done ourselves, right? Um, I used to pride myself on the ability to explain
concepts, uh, you know, deep dive into the technical using 16 different acronyms. Um, you know, referencing a MITER attack framework or some threat matrix, right? But then, uh, I would get the blank stars back at me like, what the heck are you talking about? Um, and it wasn't until I I was a little bit later in my career that I realized that perfectly explained or what I thought was being perfectly explained was not perfectly understood by my audience. I was just, you know, throwing stuff out there expecting that people were going to understand what I was talking about. >> And there's a reason that this slide is kind of the first in the presentation and that is because it is key. It's a
fundamental key to everything that you do in your career. You have to make sure that you are understood depending on who your audience is. If the board can't understand what you're trying to tell them as a cyber security leader, they're not going to fund you. So, I can walk into a senior leadership meeting. I can walk into an audit committee or board of directors meeting and throw out three-letter acronyms or four-letter acronyms. I can start talking about multifactor authentication or MDR, MFA, start talking about TPRM. But if I don't explain that TPRM means third-party risk management, but more importantly, I don't explain from a business context what thirdparty risk management is and how important that is to the
organization. My leaders, the the board, they won't fund my program. >> Yeah. And if you're not funded, your security program isn't going to move forward, right? So the lesson here is clear is better than clever. You really have to understand your audience. Whether it's a an industry peer, whether it's the seauite, you need to know where their technical abilities lie, right? And as Jake said, even if they are technical, you still need to understand or and explain the what and the why so that they understand what you're talking about. So, um, you know, really knowing your audience is key here. So, going into the next lesson, we're going to talk about showing your work strategically. So I remember early on in
my career I would send out you know these exhaustive reports. I thought I was being incredibly detailed. I would you know have these charts and graphs and send out a 47 slide deck where I would you know work tirelessly on for days. And I thought that I was really excited about this report, right? And I thought that everybody was going to see how much work I had put into this project and they were going to see the return on investment that I had provided. Um, but again, I wasn't get the getting the feedback. So, I wasn't getting emails back. I wasn't getting the excitement. I was excited about this, but didn't understand why others weren't excited about this. Right. Um,
so from my perspective, it was just frustrating to me to not get that back. >> Yeah. And I actually meant to ask a question to kind of start off this session, but a quick show of hands, like who is on the individual contributor side of the house and then who's kind of more on the leadership management side of the house? >> Okay, we can kind of tailor our presentation around either side, but it looks like we have a good mix of both. On the leadership side, when somebody sends me a 10-page report or they send me a 47 point slide deck presentation, I know a lot of effort went into that, but candidly, I'm not going to read it.
I'm not going to go through all 47 slides. I mean, it has to be extremely extremely important for me to take the time to do that. And it's not because I don't value the effort and the work that went into that. It's just I don't have that amount of time in order to consume the point, right? So, what I learned early on as I'm trying to communicate something that's important upwards, I might write a 10-page report. There might be an incident that requires a 10-page report, but I'm going to start off that report with a maximum one-page executive summary. Even better, if I can condense it down into two paragraphs, that's a win. A key a critical component of the career
path for me was learning that I needed to be good and be better at summarization. So when I'm talking with my audit committee or I'm talking with my senior leadership team, there are really three things that I only ever need to convey. What is the issue at hand? Why is that important to them? And then what do I need from them? Am I seeking more funding? Do I need them to make a decision point or something? Or is this more for just awareness? I might give them that 10, 15, 50page report on the back end that says, "Hey, if you're super interested, here are all the details. Dig into it." But as long as I
can convey that upfront, give them that what we call the bluff, the bottom line up front, I'm going to make sure that I get their buy in more easily and that that my message is easily understood and easily consumed. >> Yeah. So, one of the pivotal points in my career and learning this lesson was, you know, I had put together one of those long reports and when I was preparing to present to our executive leadership, the person that I was working with was like, "No, no, this is not going to work. we need like two paragraphs tops. Well, I had like 14 pages, right? It was a big project and all the different budgets and line items
and why we needed it was all in there and he threw up co-pilot and threw my entire document into co-pilot and it summarized it in like two paragraphs and I'm like there is no way it conveyed everything in this document in those two paragraphs, right? And so I was a little disappointed. Um, but what I realized was those two paragraphs really is all an executive needs to make that decision or it should be, right? Um, it's all the other stuff behind it that maybe if they want to dig into later, they can. >> Yeah. I mean, the lesson here that we have on the screen is that visibility doesn't equal verbosity. And I think what we're trying to convey here is that
we understand that there are times within the career where you're just not getting that feedback from your senior leadership team even though you're putting an extreme amount of effort into it. take a moment to kind of self-reflect and say, "Am I giving my leadership too much information to the point where maybe they don't understand the technical details and I could be a little bit more concise in what I'm trying to give them. So, the next lesson we want to talk about is bring solutions, not problems." So, again, there were times early in my career where I thought I was being really helpful, right? And I would bring some problem that I had found or some
gap or or issue to my leadership and I would basically throw it on their desk and say, "Here's a problem." And I expected them to magically fix it, right? Like I was just going to walk off. It was their problem. Now I had said what I needed to say and just moved on. But now being a leader myself and having people do that to me, I realize I was probably being incredibly annoying and um you know wasn't offering a whole lot of assistance to my leadership. >> Yeah, I think this is a point that probably everyone in the room has already heard of at at some point in their career. We don't need more problems, but we definitely need more of
those individuals that are out there trying to find a solution for the problems that they're the ones to identify. Sure, leaders need to be aware of the problems, but we don't want to be kind of put on notice to fix the problems. That's where we're look really looking for those solutionizers, so to speak. And solutions are sometimes rare as the lesson says here. You know, to identify the individuals in the organization that will take the initiative to solve those problems. We need people that are going to help us. You know, you need to be able to uh stand up, find the solution, help your leaders so that they don't have to make a decision. We all have a lot of problems. We all
have a lot of daily tasks that we're jumping from. We're multitasking like crazy. I don't need another problem dumped onto my desk. >> So, you're expecting your team to be empowered enough to give you a solution, right? >> Yeah. And that actually dubtales nicely into our next slide. Yeah. So, don't wait for permission to lead. I think that in my experience throughout my career, a lot of the people on my teams didn't realize, and that's probably on me, the level of empowerment that they had. We're looking again for people to find the solutions. And typically, it's going to be that person that doesn't even have the title, but has that natural ability to be just a natural leader. Uh the type
of person that's others will look up to. >> Yeah. So, quick story. Um, for myself, there was a moment where I was trying to provide return on investment for building a threat intelligence team. We had been sending out, you know, executive summaries and and notices to to senior leaders and we were getting good buy in there, right? But we really needed to prove ourselves more. And um it just so happened that during the Russia Ukraine the start of that war um I knew and and the team knew that we were going to be asked to provide value and a summary on one what was happening what the um impact was going to be for the company and we would probably be
asked to to give that in the next day. Right? So we stayed up overnight. We created this beautiful report. We gave the bluff the bottom line up front, right? The summary. And sure enough, it wasn't even 8:00. we were going to send it out 8 am the next morning. I was already getting pinged at like 6 am by senior leaders asking like, "Hey, can you give us a summary on this? Luckily, we had already come up with that, right?" And so that was probably the the key catalyst for the team on uh building our our what is now threat intelligence team um that I happen to lead. >> Yeah. So because Nicole took the lead,
she identified that there was a need. She stood up the team behind her to satisfy that need. Now she's in a position where she's actually leading that threat intelligence team. And that's also a key point or a key takeaway from this slide. When I'm looking, if I have a new or an open position and I'm looking to fill that with the leader, I'm not going to promote the individual contributor that hasn't just stood up without being prompted to, without being tapped on the shoulder. if they stood up and they took the initiative to actually do the work and take the lead on something, they're the ones that are going to be shortlisted for that next role.
>> So Jake, if you had two options, you're a CISO and you had, you know, one person who brought, you know, from the previous slide brought you 10 problems and then you have another individual that brought you problem solution and you see them take the initiative, which one are you going to promote? >> Yeah. So, um I think there's two answers to that particular question, but I didn't ask this question. Is there anybody in the room that has an internal audit team? Okay, so you all probably work mostly for public companies. Is there anybody in the room that works for internal audit? Okay, then I will tamper this response. Our internal audit partners, and I will
call them that because there is a definite need, tend to bring us a lot of problems. They're they're helping to identify those technical controls that aren't working exactly quite right. So if I had somebody on my team that was bringing me problems all day and not solutions, I would probably identify that person as a high performer for an internal audit team that's not on my team, you know. But if I identify somebody that's really taking the lead to find a solution to my problems, those are the ones that I'm going to promote. >> Yeah, absolutely. All right, so >> you skipped >> I skipped a slide. There we go. All right. So, next uh lesson, and this
is a big one, and one that we have to continually remind ourselves over and over, you need to learn the business and the risk, not just the tech. So, for me, early on, you know, as an individual contributor and even now in leadership, um especially in cyber security, we tend to be really focused on mitigating risk, right? Um, so you know, there's a a CBE that comes out, there's a a problem, you want to fix that problem, right? And we're really uh myobic on, you know, good versus bad, and we want to mitigate that risk. So, you know, being on the operations side, um, you know, think about incident response or think about the CVES or vulnerability management
that comes out, right? You know, if there's a a CVE classified as a nine or a 10, you really want to mitigate that risk. Your first response is we need to go patch this system, right? But what we don't think about oftent times is how that's going to impact the company. Is it going to affect operations? If we have to take systems offline to patch that, how is it going to impact the company overall? Is it going to, you know, cost revenue? Is it going to cost, you know, engineering hours and time? So really learning the risk behind the technology and partnering with those other, you know, uh, teams and the business is really key here.
Yeah, I mean there are so many different ways that we could go with this particular slide, but I think it comes down to this. Cyber security is a business function, right? In order to be a business enabler, you as individuals, we as cyber individuals, cyber practitioners, cyber leaders, we need to understand what our business is first. If you work for a public company, the easiest way you can do that is to go out to the SEC and read your company's 10K filing. That will tell you what market you're in, who your customers are, how you service those customers, and how your company generates revenue. Again, understanding that cyber is a business function. Uh you want to
understand that cyber security risk is just one component, one small slice of that overall business risk pie, the enterprise risk pie. And the cyber risk to your business leaders probably is nowhere near as important as say what's the latest acquisition that we're trying to go for. Yeah absolutely. >> All right, >> moving on. We're going to pivot a little bit in our concepts here on on the next few slides. The title of this one is to be coachable and not defensive. So, I was super guilty of this early in my career, and I'm sure I'm not the only one. Um, whenever somebody would give me a compliment as a feedback early in my career, I thought they were kind of
patronizing, right? And then whenever somebody would criticize and give that constructive criticism, I took it as a personal attack. I thought I was the best. I knew everything. But again, we had some Dunning Krueger kind of going on at that point. It wasn't until I had a leader tell me, "Hey, listen to what I'm trying to tell you, not the actual words that are coming out of my mouth." It wasn't until I got my ego out of the way, so to speak, that I was able to take constructive feedback that I was able to actually personally grow from it. Yeah. So, if you're not able to take that constructive feedback, you're not able to grow is essentially what Jake's
saying here. And as a leader, if I'm coaching somebody over and over again and I'm realizing that they're not taking that feedback and they're not trying to adapt and change, at some point I'm just going to stop giving feedback, right? Because our time is too valuable to waste on somebody that's not going to um take that and try and learn and grow from it. On the flip side, so for me personally, and my boss is in the room today, I ask every one-on-one for him to give me constructive feedback, right? And sometimes he has something, sometimes he doesn't. Sometimes I get the same feedback over and over again, which is my key to, you know, hey, you
didn't listen the first time, maybe you need to hear this again, right? Um, so for that feedback, and it goes both ways, too. Like you can take feedback, but it's also good to give feedback to your leadership as well. Y >> so the the lesson here is feedback is a gift and growth starts where ego ends and it really is about getting your ego out of the way. Um none of us like to hear feedback, right? Sometimes like Jake said, you take it personally. Um or you're just misunderstanding the intent. As leaders, we are are taught to to give you feedback. We're taught to ask those leading questions. So a lot of times if your leadership is giving you a leading
question or asking you in a different way, they really are trying to help you grow. And I know it's a novel concept, but we really do want to see you succeed right? >> Yeah, great points. >> So this ties into the next lesson, and this is one that's near and dear to my heart and one that, you know, I have to work on consistently. We all do, which is build allies, not just a network. So for me um whenever I start a new team or go into a new company my first focus is on understanding uh the network internally externally who are my partners who do I need to work with some of the first teams that I partner with
are going to be legal HR our internal audit team or compliance team right those are the teams that you really need day in and day out to help you do your job and then secondly like you know focusing on building a network is great but understanding building allies is even better. So within those contacts and that network, you want to identify key individuals that you want to take out to coffee or to lunch or you really want to focus on that trust in that partnership at a higher level than just a connection. >> Yeah, I think it's pretty well known at this point that the importance of networking. Like I was late to the game
to try to build a network. Um, but I definitely had those roles where I found it was a lot easier if I had crossf functional allies that were kind of more horizontal in my organization that I was able to get things done. I was able to be more successful. Uh, one anecdote of this in a role a couple jobs back, I worked for a shared services umbrella organization that was over these 13 rank one multi-billion dollar organizations in their own right. They all had their cyber teams. They all had their IT teams. They all had their operations teams. But my role at the shared services was to say, "Hey, we as an example, we want to replace all of our
Cisco firewalls with Palo Alto firewalls." So that meant that I had to convince 13 CISOs that it was a great idea to do it, secure idea, convince 13 CIOS to somehow pay for it and then work with dozens or even hundreds of country and local managers to make it happen. It took a long time to figure out that that wasn't actually my job. My job became a lot simpler once I figured out I needed to make friends with three of the CISOs and and convinced them that it was a good idea. So that when they went and sat down and had dinner with the other 10 CISOs, they could be my advocate. They could help me succeed on
whatever that initiative was. I didn't get I didn't need 13 CIOS to agree to buy in on it. Let me get two, you know, let them sit down over some type of board meeting and be like, "Hey, Jake's trying to push this initiative that's coming top down. I didn't really want to do it. If I can get those two to agree on it, there's a little table cross talk that starts happening, then they start buying in. That made my job a lot easier and made burnout less likely. >> Yeah. So, I I want to push on that topic of, you know, building your network with your peers. We tend to focus on going upwards, right? in building our our
allies upwards, but at the end of the day, the folks that are in the foxhole with you and are really building those projects and doing the work are your industry peers and peers across your your company. So, building that network is also key and we tend to neglect those relationships quite a bit. >> When you come into an organization, right, it's very quickly to easily identify who you have some common ground with. You know, who is basically an ally out the gate, right? as as you say the people in the foxhole, but I always like to say these are my ride or die folks. Those are the ones that the relationships are easy, but it's the
ones that maybe you have some just like natural conflict with the ones that you don't get along super well with in the beginning. Those are the ones where you need to establish and nurture a relationship. You know that to your point earlier, you know, maybe invite them out for coffee, take them out for lunch, try and find out what their family or or kid situation is about. Trying to find that common ground. Once you're able to do that and you can start building the allies. >> Yep. And speaking of battles in foxholes, so choose your battles and know when to fold. Uh trust me, I have picked the wrong hill to die on more times than I'm willing to to admit to.
Um you know, early on in in my career, it was one of those things and and we've all done it, right? Where we think that our cause or our issue or our project is the most important project. And so when we go to leadership and we're trying to get by and we are pushing, we're trying to succeed, right? But we forget uh often painfully and and find this in painful lessons that we're we're harming those relationships as we go and we're killing political capital. And a little bit of a spoiler alert here, neither of those grow on trees, right? You have to work on your relationships and your trust and you have to earn that
political capital. And it's kind of like PTO days, you know, you build it over the year and then it's gone before you know it, right? And you can spend it really quickly. >> I really like on this slide how there's a little call out that says energy is currency. You know, that's definitely can't be any more true than that. Some fights just simply aren't worth the political capital or the energy you have to expend to win. In my uh scenario earlier where I was talking about the 13 CISOs and 13 CIOS, I would wake up in the morning, I'd put my suit on and I knew that I was going to fight for whatever this initiative was for the
next 8 hours, 10 hours, 12 hours going into the evening. I would think of that suit in the morning as kind of like my battle suit, my battle armor, and it was exhausting, right? After a period of years, it almost led to burnout. That's why to go back slide, the relationships are so important. There are times when yeah that fight is necessary like that initiative has to be won and you have to go toe-to-toe with somebody that doesn't necessarily agree with you. You got to win them over. There are other times when it's a bit cliche to say, but you don't really need to sweat the small stuff. There are a lot of small problems
that if they're not your top priority, you put them over into this corner, they normally don't bubble back up. Like they somehow automatically solve themselves. Like I don't have to actually worry about it. It's being able to understand and identify what are the big ones that are actually needle movers that I want to invest my time. I want to burn a little bit of my political capital in. I want to waste a lot of my energy on. Those are the important ones. >> So Jake here. So what happens if all of your direct reports come to you and they believe that their problem is the best problem or the biggest problem? What do you do in that situation? So I think
it's every leader's opportunity to acknowledge whoever's coming to them with a problem that yeah we understand that that problem is important to you then that problem is like probably your number one initiative number one issue but I I try to take some time to show them at least maybe more complete fuller picture of all the other problems that the team is dealing with that the company's dealing with and help them understand that that's just a little slice of everything. So showing them the bigger picture, some education, some feedback there, right? And making sure that they understand the bigger umbrella. And this for you, um, if you are coming to your leader with a an issue and you think that your battle is
the biggest, this is also an opportunity for you, right? If your leadership says like, "Hey, this isn't the most important issue. We have three issues that are our top priority for this quarter or this, you know, sprint." That's your chance to say, "Hey, that's great. These are great opportunities. How do I get plugged into those and how can my team help? Right. All right. So, going on to the next story. Um, you know, this one again near and dear to my heart. Uh, bet on yourself. Show of hands. How many people in here have ever had imposttor syndrome or thought that they weren't good enough? Yeah, exactly. We've all been there. Um, so one of the things that I I like to
reference uh during this slide is um think about that job posting that you saw that you really wanted, right? And you looked at all the skills and the qualifications and you're like, "O man, I might have 30% or 50% or 70% of those and you think to yourself, I'm not good enough. I'm not going to apply for this role or this position." In reality, you know, you are good enough and you probably have more than enough qualifications. So for me on one example it was exactly that I wanted this job really badly. Um looked at the the job posting I'm like there's no way I'm going to get this. Maybe I was 70% qualified if that. But I decided to take
a chance on myself to bet on myself. I applied for the role and I ended up getting it anyway. Um so you have to take that leap of faith. >> Yeah. I mean, honestly, like 70% I think is a little bit high, but I think that's kind of the guidance that you're going to get from some of your career counselors and your your job head hunters, that type of thing. But, um, I've never had 100% confidence that I was going to get the role. I've never been 70% qualified in any role that I've ever tried to achieve. In fact, early on in my career, I identified this role that was open that I wanted to apply
for, but I figured I was probably only about 50% there. Um, I had a friend of mine, a colleague, a peer of mine at the time say, "Well, go ahead and apply." I'm like, "But I won't get it." They're like, "I won't succeed." And he's like, "Well, Jake, look at yourself. You've been successful in everything that you've ever tried before, and you've always been uncomfortable on that first day of the new job because you weren't sure that you were going to succeed. You have to believe in yourself. You have to believe that if I if I get this role, I know that I'm going to do everything. I'm going to move heaven and earth to
make sure that I'm successful in that role." So if you believe in yourself, if you understand that you are good enough, you will likely hopefully get the role. Um, >> yeah. So Jake, you're a CISO. I'm a senior manager. Uh, you know, we both are uncomfortable in a lot of situations. Are you comfortable speaking on this stage right now? >> Yeah, obviously you can tell that was a loaded question. I'm not comfortable speaking on the stage. Um, but the reason that I do it is because at some point I I've well, let me start over. The reason that I do it is I've recognized that's a personal deficiency and I want to get better at it, right?
But at some point down the road, I want to speak at a larger conference and perhaps maybe even do a keynote somewhere someday. So in order to do that, I put myself out there in front of all kinds of audiences. I'm talking all the time. I'm leading panel sessions. I'm hosting dinners. I'm trying to get out there to get more comfortable because I believe that I can, right? And I know that I'm going to going to succeed in that. >> Yeah. And it's a little cliche, but you hear the saying, you know, be comfortable with being uncomfortable. And that's so true. Um, you know, I speak all the time, but every time before I get on the stage, I get
butterflies. I'm I have butterflies on the stage, right? We all second guessess ourselves and and you know, have that imposttor syndrome, but that's okay. It's okay to have that and it's okay to continue to do the things that make you uncomfortable. Um, and as the lesson says here, growth happens outside your comfort zone. So, um, you know, test yourself. It's the best way to grow. If you take on a new job and you're 50% qualified for it, you have the imposttor syndrome, you're 70% qualified for it, you have that imposttor syndrome, you're going it's going to be a lot, right? It's going to be a lot in the beginning. You're going to have new people that
you're meeting, new parts of a program that you're building, new new processes, new technology that you're unfamiliar with. And it's going to be a lot. You have to understand that you have to be uncomfort. You have to be comfortable being uncomfortable. But it's only going to be a a lot until it isn't. There will be some random Tuesday when all of a sudden you wake up and you're like, "Yeah, this job is easy. I've got this nailed." You're at that 100% comfort level. That's when you need to be like, "Okay, what's what's next? What else can I do?" You know, you've reached that that period in life where you're like, "Okay, maybe it's time to jump on to
volunteer for something else." >> Yeah. Absolutely. All right. So, this leads us into our next lesson. >> Yeah. Which is don't just survive, build something that lasts. There's a small spelling issue on this one, but the point being is that as you're progressing through your career, if you're in a leadership role as well, and you've built a program, you've built the processes, you've built a team, but you can't take a day of PTO without the whole thing crashing down. You haven't actually built anything. You haven't built that team, you haven't built that program. You've built a trap for your organization. >> Yeah. So, I used to be that hero. I used to be the one that would jump in and um
volunteer for everything that got thrown my way. I wanted to be the person that solved the problems. But what I realized really quickly was I was stressed. I was overworked and I was getting burned out really quickly. So I wasn't building a sustainable system, right? I was building a reliance on myself. And it sounds backwards, but the whole point in building a high performing team is so they need you less. Um, you know, you want your team to be able to get those wins without you. And it may feel good in the moment to solve those problems, but I can tell you what feels even better is seeing your team get those wins. >> Yeah. I mean, it's also cliche to say,
but you want to work yourself out of a job, right? I want to move up at some point. I want to be comfortable that I'm going to have somebody from my team that's willing to step in and is able to step in and succeed. But beyond that, I think there's sometimes a perception among cyber leaders where um they want their leadership to understand how valuable they are. So they're kind of comfortable like boss, I have to be there. I have to be involved otherwise it's not going to go well. And from my seat, I see that as like no, no, you're failing and I'm failing that allowing you to fail. Like you need to be able to
step away and your program should last. And if you've done that, then I know that you you're a good leader. You've taught your team the right things. They can respond without you being there. Yeah. And learning to delegate tasks, right? So, um, you know, being as handsoff on the keyboard as humanly possible, right? And giving those delegating those tasks to your team. You want your team to be able to solve those problems so that you can focus on the larger strategy while they're focused on the technical and day-to-day operations. >> You know, I uh I remember my first role without admin credentials and that was that was that was a hurtful day. That one hurt. Yeah.
>> Yeah. I I I feel that. Um so you know the lesson here is sustainability trumps martyrdom and you know you really need to focus on the processes and the people and the technology behind you know uh what you do so that you can build a legacy. Um you know your legacy in cyber security isn't about what you accomplished but about how you enabled other people to accomplish things and leaving the organization stronger. Right. >> Yeah. Exactly. >> All right. And then our final slide of the afternoon here is uh you have to acknowledge that you need to be willing to play the long game. Um a cyber career, you're not, let's say you start
in GRC, you're probably not going to retire while you're in GRC. Hopefully not. Hopefully, you have that internal passion to want to learn as much as possible because it cyber security, they're both careers that require lifelong learning. You know, it takes a it takes a passion within you to be able to do that. You might get some quick wins like you see up on the slide there, but those quick wins are lowhanging fruit to what should be a really long and wellestablished career. >> Yeah. So, playing the long game takes patience, right? And it takes intention. So, all of the lessons that we've talked about today, they don't come overnight. You have to work at them and that's
okay. You have to think past the promotion. You have to think past the next incident response to be able to see that larger picture. And that's how you play the game that they forgot to explain. >> All right. So, with that, >> so yeah, we're almost done. We we've covered a lot of ground today. Um, we've talked a little bit more about the soft skills side of things, how you need to be able to get good at summarizing important events, break it down to those three things, you know, like what's the issue at hand, what do I want people to know, what what do I need from them? Yeah. So, with this, you know, um like I
said, playing the long game takes patience. Uh we've obviously covered a lot of stuff here today, and we want you to remember that your career growth isn't just about your technical prowess. It's really about those relationships and that political capital and the communication and the influence that you might have internal and external. >> Um we are going to answer questions now. So, I know you're going to walk around with a mic. Um, we will be around for the resume reviews afterwards as well and and we'll stick around if you have questions that you don't want to ask uh on the mic.
Okay. Um, is this thing working? Okay. >> Okay. Oh god, I'm usually I'm usually pretty loud. Um, so you mentioned something I thought was kind of interesting about like, well, if you're trying to apply for a role and maybe you only cover like 70 or or 50 or 70% of the qualifications, you should do it anyway. But of course, there's always what what I hear from other career counselors is like, "No, you need to match up 100% otherwise they're not going to even look at your resume." And you guys are saying, "Well, because I I kind I I tend to trust you because >> you're the ones actually doing the hiring." Yeah. >> As opposed to somebody who's just like a
consultant trying to tell us lowly engineers how to like get our, you know, make our next step. So, I I just wanted to point that out. >> I appreciate that. And I think um you're you're right. They're they probably have an agenda. Um, but if you can get past the ATS, that applicant tracking system that says that I need to match 100% up on the qualifications, then from my seat as a hiring manager, hiring executive, I'm not looking for that unicorn that matches up 100% completely. I'm looking for somebody that can match a lot of the qualifications, but also has that passion to that can convey a story of why they want to do the role.
>> Yeah, same. So when I'm looking to hire, I'm not looking for the person that has 100% of the skills because listen, what we do is not rocket science, right? I can teach anything to anybody. So as long as you have that drive and the desire to learn, that's what I'm looking for more so than anything else.
>> Any other questions? >> All right. Well, thank you all. We appreciate it. >> Thanks everyone. [Applause] [Music]
[Music] [Music] Down. [Music] Here. [Music] Heat. Heat. N. [Music]
Heat. Hey, heat. Hey, heat. [Music] Heat. Hey. Hey. Hey.
[Music]
Heat. Heat. Heat. Heat. [Music] Heat. Heat. [Music]
Heat. Heat.
[Music]
Heat. Heat. Heat. Heat. Heat. [Music] Heat. Heat. N. [Music] Heat. Heat. [Music]
[Music]
[Music] Wow. [Music] Heat. [Music] Heat. [Music] Heat. [Music] Heat. [Music] Heat. Heat. Heat. Heat. [Music] Heat. Heat. [Music]
[Music]
Heat. Heat. [Music] Heat. Heat.
Heat.
[Music]
Heat. Heat. Heat.
[Music] Heat. Heat. [Music] Heat. [Music] Heat.
[Music] Yeah, [Music]
[Music] down. [Music] Hey, hey hey. [Music] Yeah, [Music] down. [Music] Yeah, down.
[Music] Heat. Heat. [Music]
[Music] out of town. [Music] D. [Music] Doo doo doo doo doo doo doo doo doo doo doo doo. [Music]
Black. [Music] Tingle. [Music]
Heat. Hey. Hey. Hey. [Music] Heat. Hey. Hey. Hey. Heat. Heat. [Music] Heat. Heat. [Applause] Heat. Heat. N. [Music] Heat. Heat. [Music] Heat. Heat. Heat.
Heat. Heat. N.
Heat. Heat. [Music] Heat. [Music] Heat. [Music] Hey,
[Music]
hey hey. [Music]
[Music] Woo! [Music] It's true. [Music] Woo! [Music]
Wow! [Music]
Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.
Heat.
[Music] Heat. Heat. [Music] Heat. Heat. Heat. [Music] Heat. [Music] Heat.
[Music] Heat. Heat. [Music] Yeah, [Music]
down. [Music] Black. [Music] Yeah. [Music] Yeah, [Music] down down down down [Music] down down down down down down
Black.
[Music]
[Music] [Music] Heat. Heat. N. [Music] Hey, [Music] hey hey.
[Music] Heat. Heat. Heat.
[Music] Heat. N.
[Music] Heat. Heat.
Heat. Heat. [Music] Heat. Heat. Heat. [Music] [Applause] [Music] Heat. Heat.
Heat. Heat. Heat. [Music] Heat. Heat.
Heat. Heat. N. [Music]
Heat. [Music] Heat.
[Music]
[Music]
[Music] Hey. [Music] Hey. Hey. [Music]
Wow. [Music] Heat. [Music] Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.
Heat. Heat.
[Music] Heat. Heat. Heat. Heat. [Music] Heat. Heat. N. [Music] Heat.
Heat.
Yeah, [Music]
[Music]
yeah yeah. [Music] be back. Hey Yeah, [Music] down. [Music] Down
down down down down.
[Music] Heat. Hey, Heat. [Music] Heat. Heat. [Music]
[Music] [Music] Baby. [Music] Hey, hey, hey.
[Music]
Heat. Hey, heat. Hey, heat. [Music] Heat. Hey. Hey. Hey. Heat. [Music] Heat.
Heat. Heat.
Heat. Heat. N. [Music] Heat. Heat. [Music] Heat. Heat. [Music]
Heat. Heat.
[Music] Heat.
[Music] Heat.
Heat. Heat. Heat. [Music]
Heat. Heat. N. [Music]
Heat. Heat. [Music]
[Music] Hey. [Music] Heat. Heat. N.
[Music] Heat. Heat. [Music] Heat.
[Music] Heat. Heat. [Music]
Heat. Heat. N.
Heat. [Music] [Applause] [Music]
Hey, heat. Hey, heat. Heat. [Music] Heat.
Heat. Heat. N.
Heat.
[Music]
Heat. [Music] Heat. Heat.
[Music] Heat. Heat. N. [Music] Heat. Heat.
[Music] Heat. Heat. [Music] Yeah, [Music]
[Music] down. [Music] Hey, hey hey. [Music] Yeah, [Music] down. [Music] Yeah.
[Music] Heat. Heat.
[Music] [Music] for [Music] da doo doo doo doo doo doo. [Music] D. [Music] D hey. [Music] Heat. Heat.
[Music] Heat. Heat. Heat. [Music]
Hey. Hey. Hey. Heat. Heat. N.
[Music] Heat. Heat. [Music] Heat. Heat. N. [Music] Heat. Heat. N.
Heat. Heat. [Music] Heat. Heat.
Heat. Heat. N. [Music]
Heat. [Music] Heat.
[Music]
[Music]
[Music] Oh. [Music]
[Music] Heat. Heat. Heat. Heat. [Music] Heat [Music]
up [Music] here. Heat. Heat. [Music] Heat. Heat.
[Music]
Heat. Heat. Heat. Heat. [Music] Heat. Heat. [Music] Heat. [Music] Heat. [Music] Heat.
Heat. Yeah,
[Music]
[Music] yeah yeah. [Music] down. [Music] Down. [Music] Black. [Music] Yeah. [Music] Down down down down down yeah down yeah down yeah down yeah down yeah down yeah down yeah down yeah down yeah down yeah down
[Music] Heat. Heat.
[Music] Heat. Heat. [Music]
[Music] by [Music] Baby, down. [Music] Here [Music] you go. [Music] D hey. [Music] D hey. [Music] Come
on. Yep. [Music] Heat. Heat.
[Music] Heat. Hey, heat. Hey, heat. Heat. [Music]
Hey. Hey. Hey. Heat. Heat. N.
[Music] Heat. Heat. [Music] Heat. Heat.
Heat. Heat. [Music]
Heat. Heat. N.
[Music] Heat. Heat. [Music] Heat. Heat. N. [Music]
[Music]
[Music] Woo! Heat. Heat. [Music]
[Music] Heat. Heat. [Music]
Woo! Wow! [Music]
Heat. Heat.
[Music]
Heat. Heat. [Music] Heat. Heat.
[Music] Heat. Heat. [Music] Heat.
Heat.
Heat.
[Music] Heat. Heat. [Music] Heat.
Heat. Heat. [Music] Heat. [Music] Heat.
[Music] Heat. Heat. [Music] Yeah, [Music]
[Music] down. [Music] Black. [Music] Yeah. [Music] Yeah, [Music] down [Music] up down down down down down down down down down down down down down down down down down down down down [Music]
Related talks
51:51
32:48
33:48
54:33
31:06
20:51