
BSides LV 2023 - Hire Ground - Wednesday

BSides Las Vegas · 4:24:35 · 266 views · Published 2023-08

good to go or you want to give a minute you're good to go all right I'm gonna start a minute early because I've got a lot to cover today and 45 minutes is not a lot of time so uh we'll get started so hey welcome to my talk Management Hacking 102. so how many of you saw part one of this last year at BSides one or two of you okay all right cool so so this is actually the continuation of my first talk which uh was Management Hacking 101 uh where we covered kind of the basics of management and leadership but this talk I wanted to go a little bit deeper into a couple areas that I

feel are really important for all managers whether you are new in management or leadership or you've been around the block a lot for a while topics such as personalities personality types so learning about yourself and learning about others we're going to talk about empathy and why that's so important to lead with empathy especially in this industry um and we'll talk about difficult conversations um which is a I think maybe the most important topic um that we'll cover but also we'll sprinkle in a couple other things around managing change so we'll go through something called the change cycle as well as we'll talk about motivation and what motivates you and your teams so just a recap of management 101 so we

talked a lot about your role as a leader and setting expectations listening communication giving feedback what's the components of a great team we also dived into kind of Performance Management so areas of like you know how do you manage the performance of a team just kind of from a basic level emotional intelligence which is extremely important in leadership and team management and then finally we kind of wrapped it up with coaching and we did talk a little bit about motivation and personalities but this talk really is going to go a little lot deeper into those two topics specifically so you can check out the full presentation it's up on YouTube it's also on my blog

spylegic.net so what is this talk about so like I mentioned we're going to go a lot deeper into people and personalities we're going to talk a lot about motivation the different types of motivation and motivators and what motivates yourself and your team and then empathy I think this is huge empathy is something that we need much more of in this industry and frankly the entire world so we're going to talk about how to be more empathetic and to lead with empathy um what's brand new so two topics in particular I added to this was dealing with change so how do we take ourselves and our team through the change cycle which we'll go through and then having

difficult conversations who likes having difficult conversations really well it's important to have difficult conversations but they are very very challenging so we'll talk about a framework that you can use for really any difficult conversation so even if it's outside of work you can apply these things actually more than difficult conversations all the things I'm talking about today will apply to your personal life and personal relationships as well which is pretty cool so just a little bit about me so my name is Tom Eston I'm the VP of Consulting and Cosmos delivery at Bishop Fox um I'm a United States Marine Corps veteran uh from back in the day I started my career over 18 years ago and

I just checked the other day I've actually been in IT and technology for about 24 years so I'm like really old when I think about it um but it's been great I've I've started out as you know a help desk technician break fix you know laptops and that kind of thing and then ended up in security forming kind of the first security team at a company that I worked at back in the day when it was called infosec before it was even cyber security and got a lot of experience that way and then just through the years I got into consulting I led and managed various teams even before that I was a pen tester so I

kind of understood the industry and offensive security early on I became a director and now I'm a VP so I've had a lot of great experience over the years and I've got lots of stories that I'll be sharing in this talk as well and hopefully those stories will also resonate with you and then I'm also the founder and co-host of the Shared Security podcast I've been doing that for 14 years hard to believe so if you're looking for a security podcast you can find us wherever you like to listen to your podcasts so let's talk about personalities so why do we want to understand someone's personality well first and foremost it's really about discovering each person's

unique way of receiving communication so we're all different based on our personality type and so once we understand the personality type of ourself and others we can craft our message and our communication in the right way so those so the people that we're talking to will actually understand and comprehend what we're saying it also allows us to become more empathetic we reduce conflict we find common ground with each other once we understand personality types and honestly it's about your own growth as well so the more that you discover about yourself and who you are the better person the better leader that you can become so I kind of put this quote in here um and I've seen this throughout my

career once you understand people's personalities it's it's something magical will kind of happen on a team when everybody has had kind of training and understanding around personality types you really can start bonding with with the team you start seeing improvements in a lot of areas and it's mainly around communication you all just become better communicators so what's the first step in terms of learning about personality types well you have to start with yourself and that is really the first step here and how you do that is there's several different types of personality tests that are out there um and in this in this talk we're going to cover the four most popular types that you'll probably encounter so

there's the Myers-Briggs which we'll go in depth about the Enneagram the DISC and then my favorite which is the Process Communication Model or also known as PCM now as I go through these what you're going to find is that there are some similarities between all of them and that's kind of the cool thing about this there isn't like one personality test that I would recommend saying yep you got to do Myers-Briggs and that's it I recommend kind of looking at all of them and then seeing kind of which one resonates with you the most for me personally and for others I've talked to it's been the PCM but others kind of resonate more with the

Myers-Briggs which is obviously one of the most popular ones that are out there so as I go through these kind of look for those similarities you might find it really interesting so Myers-Briggs this is based on the theory um which is proposed by Swiss psychiatrist Carl Jung back in 1921 so Katharine Cook Briggs and her daughter Isabel Myers-Briggs they created this indicator assessment which is known as the MBTI this is back in 1943 during World War II because they needed women to enter the workforce because of the um the building of tanks and ammunition and guns and everything needed for World War II so kind of a historical fact that these two women were innovators getting

women into the workforce which is pretty cool so Myers-Briggs the Myers-Briggs Type Indicator is based on four dichotomies that match up to 16 different personality types which is indicated by a code with four letters so you've probably seen these codes and letters and people talking about them we'll kind of go through what those codes mean so the first one is called favorite world so do you prefer to focus on the outer world or do you prefer your inner world this is called extroversion or introversion so we all have that type next is information so do you prefer to focus on the basic information you take in or do you prefer to interpret and add

meaning this is called sensing or intuition decisions so when making decisions do you prefer to First Look at logic and consistency or look at the people and special circumstances this is called thinking or feeling and then lastly structure so in dealing with things in the outside world do you prefer to get things decided or do you prefer to stay open to new information and options this is called judging or perceiving so when looking at your own personality type there's a test that you can take obviously that will kind of match you up but just by reading this you can probably figure out maybe where you land we all kind of know do we prefer extroversion or introverts or introverts

you'll look at your team you'll kind of understand is someone more shy or quiet maybe they're a little more introverted someone that talks a lot or likes to be involved in activities they're probably more extroverted so for me I am an ENTJ which is organized confidence and sometimes impatient and stubborn but I also kind of float a little bit between ESTJ which is practical realistic sometimes insensitive and and I can be argumentative so um what's interesting about Myers-Briggs there's lots of different material that's out there too so um I'll have a link to all the notes from this with some good reference guides and books and other materials if you're interested in learning more about Myers-Briggs

next up is the Enneagram so the Enneagram is actually goes it's potentially there's a little bit debate in the community about this but it may go back to 4th Century Egypt so it's one of the oldest types of uh known typology uh around personality types that's been out there um so you may hear people talk about with the Enneagram I'm a three or I'm a six or I'm a one and we're going to go through all of those they go from one through nine and again this is another type of uh popular personality indicator that's out there so first is the reformer so these are people that are rational they're very idealistic they're self-controlled and may be a

perfectionist the helper this is the caring person the interpersonal type they're very generous people pleasing uh and sometimes possessive the achiever so this is the success oriented pragmatic type they excel they're driven they're very image conscious so I'm actually an achiever that's my Enneagram type there's the individualist so this is the person that's maybe sensitive they're very withdrawn sometimes dramatic and self-absorbed and temperamental the investigator so this is someone that is intense there's a cerebral type they're perceptive they're secretive and somewhat isolated the Loyalist so they're committed security oriented type they're responsible anxious and sometimes suspicious the Enthusiast busy fun-loving type very spontaneous uh distractible and sometimes scattered the Challenger the powerful dominating type they're very self-confident decisive

willful and and often confrontational and then lastly The Peacemaker so this is someone who's easy going they're reassuring they're agreeable and complacent so there's different types of these Enneagram tests that are available but I do want to call out that the most popular one is called the Riso-Hudson Enneagram type and I'll have a link to a really good book that talks about this uh in a little more detail next up is the DISC so this was created in 1928 by psychologist Dr William Moulton Marston and DISC is really a behavioral theory that describes personality through these four central traits so first is dominance so a person high in dominance wants to be wants others to be direct to the point open

straightforward and they want to focus on on results influence so they like to be emotionally honest friendly they have a sense of humor steadiness they want you to be agreeable cooperative and show appreciation from them and then conscientiousness these are people that are detail-oriented and they want others to be accurate and pay attention to detail and minimize socializing so kind of having seen all these personality types so far you can start seeing some similarities based on what we've already shown but back in the 1940s there was actually an actual test that was created for this to help identify what traits that you align with um DISC is really popular in the business world I found I learned about

DISC many years ago at a job that I had and this is the one I kind of come back to as well because it's very simple to understand and again like the others there's multiple sources and interpretations of DISC DISC in particular can be interpreted in a lot of different ways but this is kind of the most common interpretation that I'm sharing with you here oh and by the way I am a D so I'm more on the dominant side but it also floats a little bit um with the C is is my DISC type so the last one I want to share is and my favorite is the Process Communication Model so this was created by American

clinical psychologist Taibi Kahler back in the 1970s and it was created for NASA so this is actually the personality test that was used to determine who's on the flight crew for like the space shuttle and the other programs because you can think about it right you probably want you know whoever's the mission controller or the mission commander to be of a certain personality type when things start going wrong in space right you probably don't want your social butterfly in charge of the uh the spacecraft so we're going to go through the six different personality types around this and these actually really resonate with most people once they see them for the first time and what's interesting about PCM is that we

all have a little bit of each of these six types but we are dominant in one of them and they call that the base so it actually goes from bottom to up and I'll show you an example of what that looks like so first is the promoter so these are people that are very action oriented adaptable persuasive and Charming their traits they have the ability to be very firm and direct the question they like to ask themselves is am I alive and some examples from movies or or TV so James Bond Sean Connery is the best James Bond by the way just my personal opinion um Captain Jack Sparrow and Tony Stark from Iron Man

the rebel so the rebel reacts to people and things with likes and dislike these are the fun-loving spontaneous they're creative they're playful they're always telling jokes everything's kind of fun and funny their traits are they like to see the humor in things and they live in the present so the question they like to ask themselves is am I acceptable and so movie TV personalities so Captain Kirk from Star Trek uh Tiffany was played by Jennifer Lawrence in Silver Linings Playbook and then my favorites uh Jeffrey Lebowski which was Jeff Bridges in The Big Lebowski I love The Big Lebowski such a great movie thinker so this is someone who thinks first they identify and categorizes

peoples and people and things they're very responsible logical and organized their traits they think logically they take in all the facts ideas before usually making a decision they really want to think about things before moving forward with something the question they ask themselves is am I competent so movie TV person examples Spock perfect example of that from Star Trek Erin Brockovich who was played by Julia Roberts and then Monica Geller for any of you that are Friends fans that would be Courteney Cox uh on Friends the harmonizer so harmonizers are people people people people they love to relate to people instead of things so they're social they're creative compassionate and caring people right they're your social butterflies

they always want to work in groups and be around people they get energy from being around people and they're also really good at bringing people together and adapted those social skills of organizing teams so the question they ask themselves is am I appreciated and a great movie TV person example is Sam from The Lord of the Rings so Lord of the Rings again another great movie now the persister let's talk about them for a minute so uh these are your judgy people um they Judge first and they evaluate people on things with rather strong opinions sometimes they're very opinionated people they're dedicated though they're observant and they're conscientious so their traits is they will they have the ability to Give

opinions beliefs and judgments sometimes unwanted and you know that's okay but the question they ask themselves is am I right and am I valued so uh the movie TV personnel I like to call out is Dwight from The Office any Office fans yeah he's totally the persister so last is the imaginer so these people are very reflective and they're motivated into action by things and people so they're reflective they're calm they're reserved they're kind of your quiet and shy type very introverted I find that we have a lot of imaginers in uh cyber security and it's not a bad thing it's just a lot of people like this like to work alone they don't like

workplace drama they're the type that says just leave me alone let me do my work um and they're very introspective right they they work very well with things like repetitive tasks we see this a lot in Consulting there's a lot of people just like to do the same type of work over and over and they're very good at what they do but the question they ask themselves is am I wanted and uh the best movie TV personality example I think is Forrest Gump just a perfect example of a true imaginer so here's my PCM results and like I mentioned it starts from the bottom up so I am a high thinker followed by a promoter and then a harmonizer and the

last personality type I resonate with is an imaginer what's interesting though is that I actually see myself in all of these and this week is a great example of that so I'm going to be in Vegas for five days of doing very extroverted things like what I'm doing now but I'll tell you what I'm gonna lock myself in a room for like three days after this and I just want to be my by myself I don't want any other distractions I want to kind of detox myself from just being so extroverted all week and that's okay right but it's interesting and and kind of think about where you hit and some of these levels and again I'll have some

links that you'll take you to where you can get the test for this as well as some additional reading materials if you're interested I think it's great so let's talk about motivation who knows of a guy called David Goggins few of you yep do you think David is crazy yeah he's kind of crazy um but he is one of the most motivating uh individuals that I have um I've read about and follow like on social media um he's kind of like a drill instructor in some ways he's a former Navy SEAL he's been through a lot in his life um but and he does crazy things like running 100 mile race on a broken foot

right just masochist type stuff but but what I like about David is the message that he he brings which is about you know here he talks about motivation it's kind of crap it comes and goes but it's about being driven and I I take this as a leader is we're all here to motivate our employees so they become driven right so they literally destroy the things that they're working on right not physically destroy right but actually have that drive in them to be motivated so all of us as Leaders that's our job right how do we find out what motivates our teams how to get them motivated to do great things so everybody including ourselves has

different ways that we like to be motivated and we have to either ask them or we have to determine what those motivators are so and this is really how they are energized and how we achieve results but think for a minute what motivates you is it money is it promotions is it titles is it uh grandiose things is it gifts we all have these different things or is it just a simple thank you a lot of us just have different we all have different types of ways we're motivated so let's get into how people are motivated so there's two typical types of motivators there's intrinsic and extrinsic motivators so intrinsic is about autonomy so belonging curiosity they

want to feel love learning and mastery and they want to have meaning in their work extrinsic people are more focused on competition they like getting badges they have a fear of failure fear of punishment in some ways so like if you're motivated by like those workouts where you got somebody yelling at you constantly and that works for you you're probably more of an extrinsic type of motivation person gold stars money points rewards those are all things that kind of fall into those categories so that kind of leads to talking about this theory called McClelland's human motivation theory which is really based on three things which is achievement affiliation and power so what's interesting about this is just like in

the personality types everybody has uh a focus in terms of the ways that they like to be motivated so as I go through these three think about which ones you might resonate more with and your team so the achievements oriented person so how do you know you've encountered someone that is an achievement person so they're competitive right they're they're concerned about outpouring outperforming someone else they want to be involved in unique or very Innovative accomplishments and they want to advance their career or they have a long-term achievement goal so these are the people that say I want to be a director in three years I want to be the CEO I want to do this they usually have a plan in

place of what steps they're going to take to get to that next level the behaviors you'll see so they get energy from working towards goals and they take moderate risks they want personal responsibility and the big thing with achievement people is they want feedback right they want frequent and very specific feedback about their work they're doing how good of a job they're doing this is very important for the achievement-oriented person and they'll get very frustrated when they're unable to get data results and they typically will choose experts over friends to work with so how do you motivate someone uh with the achievement motive well you want to allow opportunities for them to work alone and be responsible for very

challenging tasks so some techniques you could use be a coach so define those job responsibilities and those goals delegate responsibility negotiate on those performance outcomes and then provide access to experts next is the affiliation motive so how do you know well these are people concerned with uh they're about being disliked disapproved of or rejected so their interest is a concern for others belonging to a group is important and they perceive setting as setting as a social situation conducive to friendships so these are your people people right they love being in groups they love organizing groups and they really want to be around people so they're they get their energy around people they look to make friends at work

so these are the people that usually gonna go hey can we go get a drink after work with the team can we socialize can we hang out sometimes they put people before actual tasks so that's something to know about and they may take negative feedback personally so even if you're giving a feedback you're having a feedback session with with them they may be like ooh like that really hurts and then you as a leader need to kind of overcome that and tell them like it's not that bad um so they're very interesting people these are kind of your Social Butterflies how do you motivate them well obviously give them opportunities to work in groups give them the opportunity to

create groups where they can work together with others praise them for good work assign them jobs that allows them to help others and provide and provide group incentives as well so anything around social events parties these uh affiliation people love that stuff power motive so let's talk about people with the power motive now there's two there's two things about power people you have to understand there's good power and then there's bad power so that's kind of called positive and negative so power people on the positive side they kind of use that influence for the benefit of the greater good right these are kind of your historical great leaders right that have done amazing things uh in history right

um they're they're very dominant on that dominant side and they're very influential and they can do good things but on the negative side you'll see people that may be more selfish more narcissistic also very influential but have a tendency to go more on the negative side so you also may see Power people kind of play both of them so a little bit good a little bit bad and they're trying to find that balance this is a real struggle for a lot of power people um and unfortunately we see a lot of bad examples in the world I won't mention any but you could probably all guess who maybe in politics or other areas that may be more on the negative side so

their behaviors they get energy from influencing other people and outcomes they want to influence they want to have an impact they love public attention and they do things to enhance their status right and again keeping in mind that they're not all narcissists necessarily right but they could easily float into the into that danger zone so to speak so for power people you want to give them opportunities to work through uh or give them abridges to impact others positions of influence Authority leadership um you know you definitely want to give them decision-making Authority in their area of expertise and oftentimes they're looking for titles offices Insignia public recognition very important for power motive people um they also provide inspiration through

identity of working on a great cause right give them something awesome to work on something that's really important for the company power people will love that so now I want to talk about empathy and this is really important because I think that and as the quote from Plato here everyone's fighting a battle you may not know it you may not see it but everyone has some type of personal struggle going on and for me in my career um this kind of came to a head at one of my previous jobs where I had I had an employee that was uh started out as a total rock star just an amazing pen tester totally just five-star individual

slowly his performance started declining over a period of a couple months and I couldn't figure out like what's going on like he was going dark I couldn't contact him we were all working remote of course so it was really hard to kind of follow up and have one-on-ones and one day I got uh we were literally at the point where we got to let this guy go we're gonna have to put him on a pip you know he's just not going to be working here anymore because of his performance and I got a phone call from his wife saying that his wife found him passed out on his desk and uh nearly dead and they called 901 got him to the

hospital and came to find out he was a diabetic he was having a diabetic episode and he didn't know he was diabetic and uh it was one of those things I realized I'm like wow I thought that it was just his performance that was going downhill but I didn't realize that he was struggling with his health and that me that for me taught me a little bit of empathy right like I have to see through that and once he got the help he needed he was again back up to being that star pen tester and I showed him a lot of empathy for his situation and talked with his wife um but like I said we just don't know

what people are going through and so we have to think about that and put ourselves in their shoes so what is empathy so it's the ability to sense others feelings and perspectives and it's really taking an active interest in the concern of others the important thing here is empathy is not the same as sympathy it's very very different um it literally is a Step Beyond sympathy where you're really feeling what that person is going through and by becoming more empathetic I think we can really build stronger relationships with in our personal relationships with our teams it really can go a long way and I think we all just need to learn to lead with more

empathy so here are some situations I've encountered maybe some of you have encountered as a manager or leader um you know there's obviously the typical employee history with a negative performance or they have a poor attitude they may have opposing views maybe on a particular project or something that should be managed and empathy gets really hard when like something triggers you right you have a personal trigger right that somebody has said something to you and you're like oh that's it I'm going off right or there's a conflict with something that you strongly believe in or you're emotionally drained you're overwhelmed or you're in a very stressful or high pressure situation these are all things that it becomes

very difficult to show and have empathy but we can overcome that so how do you become more empathetic so first and foremost perform active listening so active listening is about paraphrasing and restating how they're feeling where you ask questions and you summarize information back to the person so active listening is definitely one of those skills that definitely can be learned but it's so important that when someone says something to you you're telling them I understand you and you're repeating it back to them we all want to hear that we are understood put yourself in their shoes right ask them questions to talk about their family life talk about what's going on at home you have to try to open them up

to discuss like what is really making them tick and what maybe are the issues that they're having that then they might be bringing into the workplace um identify common ground if you can I know that's hard especially in this politically charged climate but we have to try to just find those those common ground and understand different perspectives on things people have just naturally different perspectives than us so we have to try to really understand that and again by act by asking questions and Performing that active listening is one way you can do that and then the language you use is important too so saying things like wow that must be challenging for you or you know I

know how you feel I've been through the exact same thing and then maybe telling a story of how something you went through was very similar to what they're going through can really go a long way and last you want to be curious right that's all about asking questions and don't be judgmental so hold that back right we don't want to be judgmental and we don't want to be the persisters or the Dwights in uh in these empathetic situations so I hate to break it to you all that um change uh is coming you cannot stop the change train right I think it's like death taxes and change those three things are always going to happen so

um especially now like I just heard about you know more layoffs in the industry there's lots of things going on so um I want to take you through the six changes of the change cycle and so hope this will probably help you as you go through change so change is hard right um everyone processes change a little bit differently um and honestly performance will suffer on teams your own performance will suffer as well um because it's your job to get you and your team through these changes so don't forget about yourself we all have to process the same change that maybe our teams are going through so I want to quickly go through the six

changes of the change cycle this is kind of a well-known thing you can kind of Google this and you'll find different versions of it but this is essentially the same so we'll talk about what you're going to see what you're going to hear and then what you should do for each stage of the change cycle so first first and foremost is stage one when the change happens this is what you're going to see you're going to see people avoiding withdrawing acting suspicious of others you're going to hear things like this isn't fair why me I don't know or who I don't know what to believe this can't be happening you're going to hear a lot of distress but the

things you should do is remain calm first and foremost and show empathy for the situation listen let them talk about their concerns clearly Define what happened and kind of like this is how you're going to move forward this is what happens this is the change address what's the worst that can happen and can we live with it and then ensure that ongoing two-way communication it's so important that as a leader you're constantly staying communication with your team as you're going through these changes stage two is you're moving from doubt to reality so you're gonna see a knee versus them mentality defensiveness blaming a lot of judgmental and negative comments you're going to hear this makes

no sense they don't know what they're doing management sucks they're terrible you're gonna hear all this stuff um do they know how this is going to impact us but what you should do again address all questions concerns determine what relevant information is missing Define that current reality right the changes already happened we got to start moving on but continue that ongoing two-way communication stage 3 is discomfort to motivation so you'll start seeing a little less frustration maybe some anxiety lowered productivity um people are really burnt out they're tired they still can't make sense of the change but this is where you need to step in as a leader provide some direction you may have to somewhat micromanage a little

bit at that time I'm very much against micromanagement but in a big change that happens sometimes you have to step in help out do more directive type things assist people in prioritizing their work create maybe some informal or formal distractions get the team together go out for a drink something like that and then continue that two-way communication now this is important there's something called The Danger Zone and you you and your team may actually go back to stage one where you're just gonna say ah I'm just gonna give up there's nothing I can do and you'll see a lot of things where people will say yeah I'm fine everything's good when in reality they're not okay and they are back to

stage one so you're going to hear some more negative negativity but what you should do is just help them identify um that root cause of feelings from Fear to discomfort encourage more dialogue and then be really sensitive to the needs right show more empathy and you'll get them out of stage one again stage four is a discovery to perspective so you will see people offering new ideas they're going to start identifying solutions to maybe some problems that were encountered during the change and you're going to see a lot more energy so you'll hear I see lots of options I'm actually excited about the new things that we can do and this might be the best for all of us right so we should do

keep encouraging that idea sharing and possible solutions identify good decision making strategies and then move away from that micromanagement don't need that anymore number five is understanding the benefits so you're going to see productivity increases determination teamwork Pride people will say I finally feel good about this this makes sense I couldn't see it before but I actually see how this can work now and then you should acknowledge results and productivity encourage mentoring and lastly to celebrate progress right everyone's doing a great job getting through the change stage six is now what's called integration so you'll see excitement you'll see mentoring positive attitude you'll know that you're through the change people will talk about what they

learned it was tough but we made it and it was for the best right so continue to acknowledge what happened acknowledge those good change skills note was done well maybe do a retro talk about what we you know what could do better next time and that's when you know you're through those changes so real quick just to finish up on change um one thing I want to call out from this slide in particular is oftentimes As Leaders we want to just charge in and try to fix things because we think we have the solution that would not be a good idea when your teams are going through change so kind of hold back right avoid being defensive avoid

assuming the worst kind of check your attitude at the door I found that um you know we're just trying to fix things when in fact we just have to continue to lead our teams through that change so the last topic I'm going to talk about today is difficult conversations and this is important so I love this quote and I have a link to this book which I think is the best book on difficult conversations by Douglas Stone often we go through an entire conversation or indeed entire relationship without ever realizing that each of us is paying attention to different things that our views are based on different information so how many times have we gotten into an

argument with somebody and we didn't have all the information or we made assumptions about their intents or we found something out later after the argument happened that damn I didn't know that like it happens all the time and this applies to any kind of relationship whether it's work or personal so I want to talk about uh how a strategy around difficult conversations and something that you can use to kind of get us through that so what is a difficult conversation well it's anything that you find hard to talk about right so this comes when we enter this thing called a difficulty dilemma so do you avoid a situation or do you confront it there's no easy answer but I

will tell you and I'm sure many of you know this that if you avoid a difficult conversation things are just going to get worse eventually so a great example of this is like a performance issue with an employee probably performance is going to continue to get bad if you don't have a difficult conversation about their performance personally like a new neighbor moved in and they have a dog that will not stop barking all night long do you as the neighbor go over to their front door and say Hey I want to talk about your dog do you avoid it hope it goes away typically the dogs are going to keep barking so you might just want to have

that difficult conversation so these are all situations that we're going to be in um and a lot of times it's around relationships so why do we need to have difficult conversations well we need to address obviously sensitive pressing issues resolve conflicts it really help us gain a deeper understanding of others once you have that difficult conversation you're going to improve relationships and you're going to have a lot of personal growth so one of the things I recommend is like if you're thinking about maybe not having a difficult conversation I'll walk you through a framework which will help you kind of understand if you should have that that conversation or not but oftentimes you're going to find

you probably want to have the conversation so what are some ingredients of difficult conversations first and foremost we all have different perceptions right we think we're right and the other person is wrong that's the big one right we have different information about the same issue and we also have different interpretations about that same issue there's also something about assumptions right about intent one thing that's important is like unless someone explicitly States their intention we really can't know their intention right and we may feel intentionally hurt by the other person but this also may be an incorrect assumption maybe that person really didn't want to hurt us right but often feelings and blame are involved so we feel very passionate

about a situation or about an argument that happened and we let emotion take over we get angry we yell we scream right those are all negative things right and then we make judgments right which we've already talked about being judgmental this never ends well in difficult conversations so here's a strategy for how you handle a difficult conversation first of all you got to make it safe to talk and the way that you do that is by embracing a mutual purpose and offering mutual respect to the other person and I know this can be hard right um one way to do this is by using what's called a contrasting statement so you state the message you are not trying to

send then State the message you are trying to send so for example I am not trying to say that my project is more important than yours I am trying to communicate that we both have high stakes involved in terms of the success of our project that sounds much better that is a much more safe entry into that difficult conversation second is listen right so seek first to understand and then to be understood is a great quote right that's about showing empathy and you want to quiet your own internal voice that angry voice inside that's saying like I know I'm right and that other person is wrong and you need to express how you are feeling that you need to do it in the

right way so for example you might want to say I I want to hear what you have to say but to be honest I'm feeling a little defensive right now that actually is much better to State and saying like something else that's going to anger the other person you also do this by opening asking open-ended questions so tell me more help me understand paraphrase I've already mentioned the importance of paraphrasing repeat back to them what you're hearing acknowledge your feelings say things like I can tell you feel hurt when I said those things to you those can all go a long way adopt the yes and so think about you don't always have to give up your

position even if you feel very passionate about your position you can feel hurt and angry but also think about that they can feel equally hurt and angry so you want to validate both views of a situation recognize your story and separate impact from intent so are we sure about what actually happened right could we be making conclusions or assumptions we might be so you want to ask yourself these three questions so what did the other person actually say or do right think about it what is the impact of this on me how do I really feel about it and then based on the impact what assumptions am I making about the other person's intent so those are the three

questions you always want to go into before you go into the difficult conversation and really think about that I-messages so you want to start a statement with you never never want to start a statement with you this always comes across as accusatory and blaming and it always puts the person on the defense whenever you start with you so for example you just kept rambling on in that meeting versus I didn't understand you in that meeting help me help me hear what I'm missing is a much better approach and does not put a person on the defense and then focus on contribution not blame so there may be situations where both parties contributed to the problem we

want to call that out and identify it so how can we learn from it and not repeat what we did next time so conclusions so we all have unique way of receiving communication and that's why it's so important that we understand the personality type of others but also our own so I encourage everyone to go out and learn more about personality each person on your team has a different way of of being motivated so do we and we have to find out or we have to ask what motivates them individually showing true empathy very difficult but it's so important and we can all learn to be more empathetic it takes time it takes effort but we can all do it

change is hard there's a lot of change going on in the world there's a lot of change going on in our industry but we've got to navigate our teams and ourselves through those six stages of the change cycle conflicts are often because of a lack of information from one side or the other and we often make assumptions about intent so really go through that strategy you know plan before you actually have the difficult conversation so rehearse just like anything practice it rehearse it think about the conversation you're about to have don't just jump into a difficult conversation without preparing for it and lastly like I said we all need to have those difficult conversations just don't

ignore them they often just end up getting worse so a few recommended reading and listening of course this is the book I mentioned Difficult Conversations: How to Discuss What Matters Most I think it's the best book I've read on difficult conversations highly recommend it the other uh podcast I recommend is Cyber Empathy podcast with the wonderful Andra Zaharia I have gotten so much out of this podcast she really talks about empathy as it relates to the cyber security industry and it's fantastic highly recommended you could scan this QR code it is not malicious I know this is a hacking conference but I promise you it goes to my blog and nowhere else but this has a full list of all of the

links book references everything in the uh presentation that you can check out so with that I think I'm right at time so I'll take questions kind of I'll be around here mingling a bit but uh thank you all for for coming out um you can find me on X it's it's not Twitter sorry I didn't change it Elon did but I'm probably more on Mastodon but I'm agent 0x0 on both and then that's my blog and my podcast so thanks everyone appreciate you


thank you all for being here really appreciate it my name is Steve Luczynski I in my day job work as a consultant critical infrastructure cyber security that gives me the opportunity to come out here and what I really enjoy is the Aerospace Village so if you're over at Defcon please come by and visit what I also enjoy is having spent time in and out of government military time which I kind of count as Government because I got to see all that the government offers in that respect but also in my other job since retiring looking at what's going on out there what really is or isn't happening when it comes to working in the government so

then because I have friends who know other friends that are now my friends Ayan and I damn it I knew it Ian and I were talking about this last night if you caught us in the uh Cavalry track but being able to bring to this audience folks who are new to the industry who may have been in government and you're questioning do I want to go back or you've never been in government and you're thinking about it here's your experts and so again I appreciate you all coming here today and listening to us so I'll start with a quick brief introduction go through some questions for them to be able to talk and have a

conversation we're going to open it up to questions and answers at the end so definitely think about if you want to ask something we may or may not have bribes up here for really good questions and things of that nature that we can offer uh but we want to be able to make sure that you can get your questions answered of what you want to know about folks who are working in government and what that is really like compared to what you may hear on a you know we'll call the stereotypes that are out there so let me start over here on my right Ayan Islam she works in the Office of the National Cyber Director on Workforce issues

formerly at CISA I have known her for several years this is not her first time at BSides or in a talk and again we got to I had the privilege last night getting a talk with her but very familiar with these issues from a Workforce what the government's dealing with and from having worked in in government for several years next to her is Chris Paris from the Department of Veterans Affairs again working his title as acting director of cyber workforce management at the VA again as a veteran I especially appreciate that work so thank you first time joining here at BSides and on stage and another first timer over here on my left Arun Viswanathan he is at the

jet propulsion Laboratory um and he leads their cyber defense engineering and research and also a number of efforts that again I know from the Aerospace Village that getting to work with Arun on and be a part of and again welcoming him as a first-time attendee and then finally but not last but not least Tim Weston he is with TSA he's the director for strategy and risk also cyber security policy coordinator he's got law degrees he knows a lot of things and a lot of experience in government and absolutely not a stranger to this community active and again the things and support with the village and other Villages you'll see him at a number of talks at Defcon if you're

there also so again I really appreciate you all being here thank you for the time and uh and you know everything we've done to get ready for this so let me start off with the this one I actually I meant to tell you this one I'm going to ask all of you to go through so how did you get into your role how what made you want to go into government and and get started there so Ayan please start us off no thank you for having me here um so my pathway into uh first and foremost the cyber security field and then into government was being brave enough to leave my good old government job in DC government and I'm

actually mid-career changer and taking the time off which I recognize not everybody has like the opportunity and the time to do so to like go get a master's uh in in law because I was thinking originally I was just going to be a regular government attorney and come to find out I just saw a lot of really interesting problems from multiple data breaches and incidents and really interesting hacks and seeing how it was impacting communities and regular citizens like you and I who are presuming that our data is protected and that we can just go about living our our lives but recognizing that there are a number of organizations that we trust with our personal identifiable

information so part of me wanted to explore that a bit more and I was fortunate enough that first and foremost being a grad student and learning about cyber security policy hackathons through the Atlantic Council and engaging there to then finding out that there was also a summer internship uh working very closely with a lot of members within I Am The Cavalry community who are also we're leading the Cyber Statecraft Initiative at the time and from there on building the resume and portfolio to showcase that my pre-existing policy and government affairs skills were transferable I needed to layer on the cyber security knowledge getting first-hand knowledge also learning from the community as well how to serve as a

translator to then go into DHS then this is CISA's uh original name which was National Protection and Programs Directorate so participating in a job fair and meeting with a hiring manager so that was actually like my foray into federal government getting into the cyber security policy career and making a lot of connections not only within the federal space but realizing that I still needed to stay tuned and tied to different communities and going to the various cons whether it was like BSides Las Vegas or even BSides DC NoVA Charm Delaware elsewhere to like stay plugged into what are the current issues because my portfolio actually started off as a cyber security strategist like serving multitude of portfolios to then Aviation

cyber and dealing with Workforce and training issues as well so there was a lot of different projects which I thought was very interesting and helpful and so that was my entryway into government excellent now hey good morning good morning everyone um can you hear me excellent can't fix this um so I think it's worth me starting out that I have a very liberal arts background uh I study theology uh philosophy German English I actually went I thought I wanted to be a teacher so I put out like a dozen applications didn't hear back luckily I had an internship at a healthcare I.T startup at the time um I I quickly invested myself more in that career got into uh more SOC 2 Type

2 audits with the security and privacy teams uh got a mentor who was the chief operating officer who encouraged me to actually go back to school for cyber security so I at night I took cyber security policy classes um found out that the Social Security Administration was looking for infosec personnel on a whim threw my application in there and uh it took a while but after a year I got a federal position I worked under their their CISO and I was doing training policy education uh and I also ran their social engineering program which I found coming from a less technical background probably at least a you know technical of many in the room there was a great fit between the the

psychology aspect of what I was doing the the liberal arts the the communication and then needing that cyber security uh technical piece as well from there I supported our CISO in looking at our Workforce where we needed to grow what capacity we needed to be at what types of certs training experiences our folks needed to have and that brought me to where I'm at now which is VA I I came over under the prospect of being able to engage more externally so not just being confined to my department but actually engaging with folks like Ayan and being able to affect change at a federal level um and so yeah that's that's where I'm at now absolutely yeah Arun

hey thanks Steve um so JPL is a little bit different than government JPL is uh what's called an FFRDC a federally funded research and development center so it's it's not government but it's sort of semi-government it's funded by NASA but we are managed by Caltech so it has a more campusy feel to how JPL works so my uh so I have a I had I got my PhD in computer science with a focus on Cyber from USC and while doing that I got to intern at JPL for a couple of times really loved the culture loved the work that they were doing and then around that time space cyber was really becoming very critical and not

many people were really thinking about space cyber now if you look at for example Aviation Village and so on there's so much talk about space cyber that wasn't the case in 2015 2014. um so for me that was a very interesting opportunity because I didn't want to go into a field in cyber which was already saturated for example network security was very saturated by then there's so much work on knacks and firewalls and all that stuff that it was hard to sort of make an impact and of course I loved space so this was a perfect opportunity to combine my uh interests in cyber and space together and so I I was recruited around the time

when they were setting up the Cyber uh the the Cyber defense uh for our missions so we always had JPL always had the I.T security and I.T infrastructure and all that stuff but they never had a mission cyber security team so we were sort of the first hires uh to build that capability um so so my team so at at JPL my team works on all aspects of a mission from the ground systems to the communication to the spacecraft and sort of doing an end-to-end security uh of that and it involves many different things like things like compliance uh risk management risk analysis threat analysis threat intelligence and to many Advanced research topics because such a new field

there is a lot of scope for research on new ways of doing things so a lot of my time I mean I started out as a researcher in the group now I manage the group and we have a broad spectrum of activities like all the way from doing engineering like day to day engineering to also doing Advanced research [Music] thank you Steve and good morning uh Steve said I'm a I'm actually a recovering attorney now I discovered I have a heart and a soul it's kind of shocking um I got into government early on and I think it was mainly I come from a long line of teachers and civil servants so going into government out of law school

was just kind of what made sense to me uh I initially started at the City of Oklahoma City doing litigation and working with them on a multitude of issues issues related to like water treatment um excessive use of force cases fire department related matters ultimately got recruited into a program out in DC because I because of that litigation background they were looking for attorneys who had some you know kind of unique experiences to help with some programs that DHS was standing up through that I went to George Washington University got my Master's of law degree much like Ayan in National Security and U.S. foreign relations and it was there that I really unlocked you know

that interest in cyber security policy and I had always dabbled in cyber security Electronics I worked at creative labs when I was in college and you know there was just something fun to do and then I was like wait a minute I can actually do something with this um from there though I started asking questions I got to TSA I was like hey well great we have this counter-terrorism Mission this protection mission there's this line in our authorizing statute that says the TSA administrator shall review cyber security threats to Aviation what are we doing about that and started to kind of pull on that and out of that started kind of building a legal practice within our chief

counsel's office uh as Steve said I've been coming out here for summer camp for years and I had actually about six years ago I got back from Defcon and there was a knock on my door and it was from our chief of staff and said hey we need to develop a cyber security strategy and we hear you're the one to help us with that so just just make that happen yeah let's can you can you can you solve that overnight um but that I took that left what I was doing in the chief counsel's office moved into the policy side um helped draft our cyber security roadmap which was a five-year strategy and then from that have helped then

build out the various cyber security policy related issues and measures that TSA is kind of leading on today so it was a kind of a Wandering path to get there but it's uh it's been an interesting one yeah absolutely so hopefully as you're seeing and what was exciting for me to bring this group together is so many different backgrounds cyber security kind of not cyber all aspects of cyber because I'm not super technical either so I appreciated being able to have the smart technicians who can answer those questions and and things from there so one of the things I mentioned up front stereotypes right this whole title of separating fact from fiction there are stereotypes out there

I know uh one of the things that I always heard sitting here when I was in the military call myself a gully at the time looking to get a job as I'm getting out thinking about staying in the cyber security field what can I contribute things like that where do I go private sector mission was always thrown out well the government's got a mission okay I get that and I appreciate it with my background uh but Tim let me start with you not only did you get into it as we've all talked about it but you're you're certainly still there and we've all been in in different areas but what keeps you in that job

it is cliche but it is that mission oriented Focus you know transportation's one of those critical infrastructure sectors that affects everyone everyone utilizes it every single day you may not utilize the health sector every day you may not go to the hospital every day at least I hope you don't unless you're a doctor or a nurse in which case please continue to go to the hospital um you know not everyone uses dams every day but you know maybe you drink water that comes from a reservoir or you use electricity that comes from it but transportation is something that is used by everyone it's Global and helping to secure that system and make that system more resilient is kind

of what keeps me going you know it's it's that challenge it's a it's an unattainable challenge I think but that's what I like about it there's something more we can keep doing to make it better and if you don't mind time I'll take it back off that so I joined government because I was starting a family and I wanted stability and my dad was 30 years prior military worked for the government after that as a civilian and uh that's all I heard right secure a job get it once you're in you're in um some of that is true absolutely but what I think the better question is why have I stayed for the last 12 years

um and for that that answer um for me is that I get to work for an organization that is not profit driven at the end of the day I can if I need to and there are times when I need to I hit that wall I think about other careers I think about what I've done where I've where I've gone where I want to go I can draw a connection between what I'm doing yes it's three layers down four layers down from the veteran that I'm serving but I can draw that connection I can say that I'm building the best freaking Workforce for our veterans who are going to give them the best care the

best technology the best Solutions and honestly that's what keeps me moving um that and I found that once you're in there are so many possibilities I won't go into all of them but as a policy and strategy planner Workforce developer I can take my skill set that I've honed I can go work for Ayan at ONCD I can go help them develop a national cyber Workforce education strategy I can go to OSTP work on federal AI policy I can work for OPM it's just once you're in there's a a multitude of ways that you can apply that skill set without needing to leave the federal government and we can address all those acronyms afterwards because they're good and I'm

like yeah I know what you're saying but I'm with you I'm with you so personnel management that's right office of Science and Technology policy Office of the national cyber director absolutely so sorry I won't do that again that's okay I was just going to quickly interject to say that it it really helps also um from my vantage point where I'm working where having subject matter experts like Chris like Arun like Tim in their respective agencies where we can then go in and say what are you seeing in your space please give us you know best practices advice and also as we're developing the national cyber Workforce and education strategy which was launched last week then

we want to make sure that the work that we're looking to then move forward during implementation phase is not just coming straight out the White House it's going to be a whole of nation effort a whole society effort we recognize that there's so many owners of different processes and and also literally like the the doors and the gates that will let you into different places so what is it that we can do to remove the red tape to remove those barriers to make things more accessible and not and you know increasing the knowledge and awareness to then have more awesome folks like us that's in the room out in this field too yeah awesome I appreciate that

um so I meant again stereotypes that's the theme that's the thing I've learned to how do you get past those so what's the biggest stereotype you've seen that's true or that you've seen and you're like that's completely not true I am and I'm gonna keep going back to I am no no totally I think we were we were talking about this uh Earl in earlier during prep was like bureaucracy um red tape yeah it's that what are the what are the ways in what does government do actually what does your agency do actually how does my role translate into this 2210 IT specialist position that you're advertising on usajobs.gov um I see the job announcement but I'm

really interested in eager I'm trying to frame my resume a certain way to make sure that you know I again get picked up through the system but I'm also not very clear as to what your day-to-day entails and what your mission set is so there's there there are those levers those levers and issues but we also recognize that uh some of us do a better job of branding and going out and explaining who we are and what we do um and some of us need a lot of a lot more work and support in that area yeah I mean I'll piggyback off that so bureaucracy that's that's like the easy target here it's it's everywhere

um looking at the federal hiring right like we don't talk language that would be recognizable to everyone here we we say that we want an IT specialist in our announcements and we're actually looking for a defense analyst or an incident responder um so why don't we do that right like why don't we change the titling why don't we uh very clearly in the job description tell you what we're actually going to assess you against and then follow through with an assessment to make sure you get the skills that uh you say you do those are things that we are working on which is exciting but something that you know a stereotype that I've had to

come to grips with is we move slow we move a lot slower than I would like I've had to temper my expectations without being jaded and saying all right well that's just what it is um so yeah I think that's that's the biggest stereotype that I would agree with the one that I disagree with um is that the government is as a whole very inefficient or you could even say lazy that workers are lazy um I don't know if I've just had a very fortunate experience or I intentionally choose to surround myself with people who are not lazy but that is the biggest or furthest thing that has been from my experience I work with amazing people

um now granted are there are there inefficiencies at VA and the government absolutely are there inefficiencies in your private sector companies absolutely for me it's been just surrounding myself picking those people who are going to encourage me and having them surround me to be a better person yeah and and I'll add in just my own perspective of both government time uh back at CISA in the middle of a crisis and there was still uncertainty about making the changes like hey this is a crisis we should act fast certain things work really well certain things didn't and then in my current job it's a very large company there's tons of the paperwork and bureaucracy so even in the private

sector trying to build a security team hey let's get this job description out took time and that was a small company example and a big one too so did I miss anything yeah so I can so another a stereotype that I do not agree with is that cyber security is all technical I mean there are so many aspects of cyber that are often overlooked like legal for example policy human interfacing those are all like so many uh there's just a few of the important aspects of cyber so you don't need to have a cyber path to get into cyber security there are so many different ways to get into cyber security um and I mean an example would be in my

own work um I mean I lead tasks where we work with people across different domains it's not everybody in my team is not just a cyber security engineer they are people who understand same missions there are people who understand uh human machine interfacing how do uh how should you build interfaces that work for humans uh how do you do how do you design processes that a human being can use or how do you integrate cyber security into a mission environment so there are so many um Dimensions to cyber security that often it comes I mean just because everybody equates cyber security to hacking that's sort of the first uh obvious thing but there's so much beyond that that often

gets overlooked so there's so many opportunities yeah yeah um I mentioned my time at CISA that was a very specific focused on COVID but very rewarding as that was a favorite thing I did as hard as it was but getting in to come in and focus on that and what are the projects what are the things that you've done Arun you you've mentioned your favorite thing that you did you're like that's why I'm here and I like doing this okay so yeah so I mean at JPL so one of the first things that uh is really the impact that you're making because it's a problem that uh nobody really bothered with before our team was set up right so

uh the first thing that we started doing was really getting people aware uh there are many things that we've done over the last eight years of my uh you know eight years that I've been at JPL uh one of the things was we really tried to make the management aware of the problems by actually doing a live phishing demo we live phished a section of the management and showed them the results as to how easy it is for somebody to get to phish you and how easy it is for somebody to just using information available outside on Google on your LinkedIn profiles on your published papers all that information to craft a phishing email to make you click a link

and you know get malware installed on of course we didn't install malware but the message was coming it was was conveyed uh because the the thinking often is that we're all behind firewalls why should we bother why would anybody bother with us so that old that mentality had to go so that was one thing the other thing is we've also done a lot of work in uh really pushing the boundaries on like using technologies like AI and other new technologies to build solutions that are now actually helping our missions do their work well um so I mean all in all I think it's been a it's been very rewarding because when when I joined there was really uh

sort of an uh they were it was just too hard to sell cyber to people it was always the question came back what is my return on investment which is a very hard question to answer for cyber but now with these demonstrations and of course the situation has changed there's a lot of federal laws now that NASA has to follow there's also a lot of threats out there which are much more severe and people read there's often there's more press coverage for threats um like the last year's incident with Viasat right before the uh you know the the invasion of Ukraine uh that was a big event so that really opened up people to okay so this is now

possible so this is something like hitting close to home um so yeah so all the work that we've done all that we've been saying is sort of now starting to sort of really pay off and that's very rewarding yeah so yeah absolutely so Tim I'm gonna throw this question to you what's the one thing about government service people don't know it's not even a stereotype it's a hidden secret of getting the opportunity to work where you have well it's hidden why would I no um not that the the opportunity to work with so many amazing people and and I know that that you know you get that with a lot of different organizations but kind of like

like Arun and Chris were saying down there like the collaboration I see across especially the cyber security community within the federal government really is encouraging because it's one of those unifying uh threat streams and and you have a lot of people who are really dedicated to working together to solve that problem um you know and I didn't I didn't respond to the stereotype that I disagree with and it would you know I think Chris kind of touched on it you know the lazy government worker um out there there might be in or inefficiencies yes you're going to have those in any and every organization but my experience has been the exact opposite it's a lot of very

dedicated people who work long hours sometimes you know when needed uh to respond to a crisis or to avert a crisis or be proactive in preventing that crisis and I actually see a lot more of that work on that prevention side I mean we're we're working together coming up with creative solutions learning how to leverage the bureaucracy to help us uh you know the old attorney in me as you know process is your friend and and it's needed in some cases you want to make sure that what you're doing you know you don't have government overreach in certain areas especially I work for a regulator so working you know within that regulatory sphere you don't want to have overreach on cyber

Security based regulations but you have to balance that with all right well there is a real need though to affect some kind of change here because sometimes that voluntary model just doesn't work so what what's the creative solution to fix that um so to me that the Hidden Gem is you know working with some really good creative and dedicated people who really want to dig in and solve those problems connects back to the mission hey Steve can I want to go back actually to the project question because um Arun you said something I wanted to touch on which is the diversity of skill sets within the Cyber Workforce the cyber security Workforce and it also ties into

this project that I'm really proud of so in 2019 we had uh some of you may know the NICE Workforce Framework it says hey there's 52 different types of cyber worker but who reads special publications and 50 pages of PDF we yeah and does actually I'm guilty too but we said look no one is actually going to interact with a static PDF document so we work with CISA we worked with DOD and we built this tool called the Cyber Career Pathways Tool um just Google it if you haven't seen it check it out because I feel like there might be someone like me in the room who's like you know what I'm not really technical but I want to get into this

this field it shows all the different types of roles you can play I mean there's there's the legal piece there's the Workforce Development there's the training there's the project management and then all of your traditional technology roles in there so it's a really cool tool that helps up helps me and it helps others engage on the types of ways that you can get involved you can be in the cyber security Workforce without being hands on the keyboard you know 24 7 and then I do want to touch on for 18 months I led this effort to try to get our technologists and our cyber security practitioners better pay because for years it's been you know

it's a 20-year problem of government does not pay anything close to what industry can but no one was really willing to take up the mantle and say all right well let's do something about it we had special rates and they were aging from you know 2003 onward so I'm really happy to say that we built this justification we submitted it it got approved as of last month VA is paying 17 more across the board that's not a plug for hiring but you know if you want to work for us sure but just in case just in case come talk to me after um but we were genuinely hopeful that every other agency is going to look to

us they're going to either congratulate us or they're going to say that's not fair and then they're going to go talk to Congress they're going to talk to you know their their appropriators and say how do we follow suit and hopefully that that's government-wide change and then meanwhile where I'm at we're working closely with our colleagues within the Executive Office of the President um uh you know Office of Management and budget also as well as uh as Chris also mentioned earlier office of science technology policy National Security Council domestic policy Council list goes on because we're trying to ensure that the skill sets both Technical and non-technical are adequately represented for example there's a lot of talk and you'll see

this coming up later in the week at Defcon that there's a lot of tackles around AI and how do we also get ready for that next set of workforce and the thing is regardless of the technology we need to have a workforce that is ready to go at any given point in time regardless of what the tool may be and it's just uh not essentially like a plug and play but almost an ability to like okay how can we ramp up and afford people the opportunities to on-ramp and off-ramp wherever they want so similar to what Chris mentioned with the Cyber Career Pathways Tool and also looking at government resources such as the National Initiative for Cybersecurity

of Education under NIST the National Institutes for Standards and Technology is that you you want to afford folks also a chance who are technical because you might be interested one day in becoming the boss right you're gonna then have to become a supervisor you're then also going to have to have that leadership training and budget training to understand what does that really mean to you know manage and oversee a team and the project where your technical expertise now is now training and providing that professional development and learning to then mentor and and groom and build you know your your organization and your portfolio too so there there it is a two-way uh street and the other piece also a hidden part

that may not be commonly known is there are a lot of folks who work in government who also work used to work in private sector and academia and in community-based organizations and in hospitals and just decided you know I'm I'm really ready for a change and this is a time and I'm I'm really eager to you know provide you know this public service so and there is that transition like I personally stepped out for a little bit and went into the think tank world after CISA to R Street Institute and that was like an interesting opportunity where the visibility I had I had a chance to learn more hear more provide constructive criticism and then take that skill set

now and bring it back to where I'm currently at with ONCD Office of National Cyber Director so just want to also share that you know those pathways are ever changing just as our lives are also dynamic and ever-changing I think that's one I'm a big fan watching what U.S. Digital Service has done the idea that you can come in and stay for an entire career you can come in and out you can do it there's all these options the government has realized and you're seeing it the government's on stage the government's present Spot the Fed is boring these days Defcon's the same way that's good they are coming in to engage where you the subject matter experts are where you

want to learn more about what they do and the same way so getting to see that over time has been great in that change so I failed at the very beginning I meant to ask and I apologize to my panel here for our audience who has never worked in government okay who has worked in government at least once at some point Steven so you sneak in awesome yeah so we got a good diverse in the sense of experiences to talk and share and things of that nature again what we want to do and really what I hope that you're seeing and it was mentioned before is the diverse backgrounds it can be a full-time one career you know

different jobs and all the things Tim's gotten to do it can be in and out of government the three of us have had private sector in has had private sector experience it's things you can choose because that flexibility is what people are looking for and then especially the very technical background the very not technical backgrounds and the things that are still cyber security and so the beauty of being able to understand where you can fit in no matter what you're looking at and then the other examples we talked about was people who are technical that don't want to be they want to move over into the risk management side or they want to get in and just those opportunities that

government offers there too so um so panel I'll give you the last question and again I'll open it up for for all of you if somebody wants to do this they want to follow your path what do you recommend either like definitely do this or definitely don't you know mistakes you've made things they can learn from but what could you offer the audience who may be interested in these types of things hey anyone start off so um I'm going to kick off with a plug as I mentioned earlier in the talk uh White House released the national cyber Workforce and education strategy please go to whitehouse.gov cyber Workforce we created it's not just a strategy we

because we understand again there's some folks who will love to dig dig into the details so if you have time to read a 60-page document please do so if you don't there are fact sheets and cheat sheets and action sheets so we have a set of action sheets that are catered to the workers the educators government and employers have a chance to see there's a it's a one-pager it's even shorter than one pager when you have the the the banner and and the and the templatey uh stuff that there will be resources there available that will point to a number of government resources NICE CISA VA uh if you're also interested in the uh

intelligence side of the house there's multiple Avenues and also for the Educators how can we support our K-12 systems um uh community colleges higher educations we're looking at this as a whole of nation society and an ecosystem approach recognizing that we're all a part of this beautiful space so if you're very interested not only for yourself but also sharing those resources to your friends your families and colleagues I would recommend that you start there and pick which one you feel would be suitable for your needs thank you Chris thank yeah so Ann talked about the the resources so um I won't cover that uh I in the beginning I told you I had a very liberal arts background

theology philosophy English German um for me something like if you I guess if you want to follow my footsteps be curious be deeply curious about the world around you why why are we doing what we're doing how are we doing it does it need to change and what's the role that you're going to play in that change um the other thing is when I started my government career my dad told me it's easy to stand out I said all right well how Embrace challenges you you will stand out very quickly if you're the one raising your hand there's an extra assignment yeah I got it no problem all I don't know it I'll figure it out

that's that's worked wonders for me in my career and then lastly um my recommendation but it's also one of my biggest regrets is not finding a mentor sooner um you have a career trajectory that you want to go down find someone on it ask to talk with them ask if they'll take you under their wing because in finding that person they're gonna know best you know you should pursue this experience you should talk to this person you should take this this class or get this certification I can't tell you how beneficial finally when I did find a mentor those conversations have been to my career so find someone that will help you and stick with that person

for real yeah I think everything that uh both Chris and Ayanna said and then if you're really looking for I think the first thing that would be really choose your domain where you want to focus on like are you interested in space are you interested in iot because cyber security is affects every single thing so um I mean I would recommend becoming sort of not becoming a generalist but sort of focusing on a domain because there's then there's more scope and you can grow better if you are a generalist um it's also good but it then you need a a much more a much uh more rigorous cyber security background to become a generalist but let's say if you pick

like IoT or healthcare and so on there's so many problems in those areas that it's easy to start off with and every area is looking for people to come and contribute um I don't know somebody said the there's like 700,000 jobs in the cyber security sector uh that that remain to be filled I think that's true even across like private and this is so many jobs out there um so pick your domain and then uh in terms of the resources I think the NIST NICE Framework if nothing it'll at least provide you a list of those jobs that you can look at the list and say okay this is what I think I'm interested in

Pathways Tool sorry Cyber Career Pathways Tool yes yes yes Cyber Career Pathways Tool so you can look at the job descriptions and see what really appeals to you do you want to be a SOC analyst you want to be a vulnerability researcher do you want to do risk management do you want to do compliance there's like so many of them and every and is hiding in almost every every area so yeah that would be my awesome wrap it up the joy of being last you get to say yes I agree with everything um and I and I do actually uh I I Chris what Chris said you know have a curiosity and I think that's something that's you

know you see that across the hacker Community the researcher Community we all have that kind of innate curiosity how do things work why do they work the way they do and how can I make them better um you know I would rather hire someone with that level of curiosity who may not necessarily have the technical skills behind it I can't teach you desire I can't teach you a want to do something you have to have that in yourself I can teach you the technical aspects I can send you to a boot camp I can send you out here to listen to talks and engage with others in that Technical Community to at least get you a level of understanding to help

do the job that we want you to do but if you don't want to do that job I can't take that so for me the way and my approach to hiring in and bringing people in and I think you'll see this as you kind of engage it with and please if you're coming to Defcon uh come see us we have a booth at Defcon this year and we're hiring um you know don't poke too much fun at us we do work for the government and there may or may not be cookies um no seriously I have cookies here if anyone wants cookies after this um yeah I got you I got you um but what I can't like I said I really

can't you know stress enough have a desire have that Curiosity to learn and want to do more um and I also agree get a mentor um they're very useful and regardless I think of what career you choose or where your path is have a mentor ideally have a mentor both in the career you want and outside of the career you want some of the best advice I ever got was the best job you're going to get is the job you didn't apply for and I found that to be very true within just my own experience I never thought I would be in the position I'm in today when I started law school you know when I started even

my undergraduate degree which was in accounting you know talk about being boring I wanted to work for the FBI that was my that was kind of like my ultimate goal like hey I'm going to do accounting I'm gonna go to law school it took Russian I had it all set I don't use any of that right now well a little bit but you never know where you're going to end up and and you don't know where you're going to end up if you don't take the opportunity to ask people for that advice and look for those opportunities that may not be apparent at first sight awesome so before I'm right at the tail end we've got time just for a couple of

questions I want to make sure I told the panelists I would make sure because I want the opportunities if you're interested there's tons of resources QR codes that are up there for both TSA and VA other links you have these experts again I'm a big fan having done the back and forth and seen the value so if you're interested absolutely and of course they're up here but let me thank the panel first of all for your time the preparation and the the great words that you've said before I open it up so thank you all thank you Lisa someone come get cookies yes so in the question session to help you get motivated when I know we have

microphones so wait for the microphone to come to you but right here sir in the Hat and Drake you tell me when to when to stop can I ask a multi-part question all right 26 Parts like six parts or two maybe two maybe three twos um the first part of the question is you mentioned training and learning and things like that how is the government's Budget on getting the training and the learning do they are they good at that is that fact or fiction or where's that lie so historically I think it's varied the approach we're taking at TSA and that I'm kind of I'm really trying to build out is when we put together our

our uh FY24 and FY25 federal budgets and I put in there look we need 200 positions in addition to that when I went forward and I met with our appropriators and we were in working with uh the staff to build out that budget I said I also need money for training and development and I actually and it's it's put in there now what you know we'll see what we get because we're dependent upon whatever the Congress passes for a federal budget but we're trying to be very proactive again back to my you know kind of the theme I'd much rather send my employees out to learn and engage and you have to have money to do it you can't just eat that

out of your operating budget because you're not going to grow and you're not going to get the knowledge transfer that you need so we're working very hard like we have some money within each of our our cyber security uh programs that allow for that and again that's one of the reasons like this year I think we've got about 30 different people from TSA who are out here at you know doing trainings at Black Hat uh attending Defcon you know using that opportunity to learn and engage you have to build it in though and you have to be proactive so for the sake of time I think that's a fairly consistent across all your agencies would you agree I would say it's also

how we pray how we allocate the training right so up until a couple years ago it was just oh what cert you want to take what's the new shiny thing with a NICE Framework and these work roles that are beyond just your IT specialist we're able to say hey you you know you are a vulnerability assessment analyst here is training certifications courseware that actually maps to your job so I think we're able to allocate the limited training budget we do have to courseware and experiences that actually align to someone uh in what they do yeah and the thing is real quick is that um also when you're applying and you have the conversations with departments and

agencies make sure that's an ask so because a lot of times that's actually the biggest incentive that government can give it's um it's the it's the training it's the retention bonus there's like a few things that it's not commonly known and uh training is one of them um that is a highly negotiated negotiable piece but it's also standard depending on which agency you're you're going to um and they'll give you the flexibility to use the training how you see fit as it matches you know your role perfect all right one more second question really quick sorry um the the one thing I've always heard about the government is that they're more open to uh diversity inclusions and

stuff like that than you would get me um in other sectors mainly around neurodivergent uh individuals right um is that fact or is that fiction and can you speak to that it's a it's a fact because I so my the team that I run uh JPL I can speak for JPL very heavily supportive of DEIA we have our own DEIA office that was set up a couple of years ago and my own team has neurodivergent people uh and honestly in my opinion uh that diversity is very important for cyber security even neurodiversity is very important for cyber security because you get very different perspectives and uh I mean my and my half of my team is actually here

at Black Hat and Defcon this uh uh this year and yeah we have all kinds of people yes awesome thank you uh was there another I think you had your hand up first and then we'll get to you in the back a real quick question actually um I've seen all these job postings and so on available what is a GS-13 or GS-14 what does that mean in a commercial you know you know in our world well public world so that's just the scaling so GS's General Services uh scaling so it's uh different job series have different classifications so you can look it up in the the Office of Personnel Management they have the different sorry breakouts

of like you know a GS 12 I think is like a anywhere from like seventy thousand dollars to a hundred and eleven thousand dollars whatever you know um and it covers like what they get paid and the general set of responsibilities right right yeah so again this is the kind of one of the problems from government we use classification systems that are unique to government they don't translate well to private sector um you know we're work that's one of the things we're all collectively I mean as we were at dinner last night I mean we're all working to fix that and kind of break that model but at the end of the day again back to the bureaucracy

you're kind of bound to some of that yeah and okay let's let's grab real quick while we're moving the microphone because we have one last question and then I'm getting the hook point to that we have an interagency working group where we're having these conversations because we're also recognizing that there are disparities as well so that's one of the things that we're hoping to work on uh moving forward okay I promised I will get you afterwards go ahead last question hi I'm usually don't need microphone I have to use my teacher's voice so I have many students who graduating with cyber security degrees and also we have government that I just said that contacting us and asking for

people to apply and you know what the biggest issue now government is not cannabis friendly when it's kind of gonna overcome this problem like I have students deny it because they use cannabis that is uh that's a good one I know I have it so so let me help you all out I know in our company right that's a consideration let me use an example I won't even get into that let me use an example being in the military 10 not even 10 years ago 2007 looking at cyber security issues how do we do things better in the military and the answer was you can have a bunch of dudes that look like me there's only so many of them and

they only have so many talents or you can open it up for example you come to an event like this and she has purple hair and that dude has a mohawk and they look different and they look weird to you all and they may have done those things but if you don't find a way to engage them because they're smart and they got the talent you're not going to benefit so trying to open that aperture there is no set answer both on the government side and the private side but it is it is an issue and I know folks are trying to look at it and figure it out so this is awesome thank you again I'm getting the

big hook and I want to make sure we'll be available the panelists will be available so thank you again for your time we really appreciate it [Applause] can we get one one [Music]


glad you're here my name is Barry McLaughlin uh today I'm going to talk to you about talent I work for Bishop Fox Bishop Fox is the best offensive security company on the planet right so we'll talk a little bit more about that statement event later not about the company about brand about your brand about uh how you show up we're going to talk a little bit about that today um the last 20 some years I've spent all in Talent acquisition spent time with the big four fast grow startups did my own thing for a while um so to me it's it's all about talent that was one of my monikers for a long time in building teams I've seen

organizations in scaling from the big four with companies like eBay and Microsoft where I deliver teams in the past um things have changed certainly right um I think we've all seen that and I think what you can all agree to as well is everything's about Talent no matter where you see it whether that's in your employment whether that's people that you hire to do services around your home whether that's the pigs you hire to watch your children a babysitter it's all about that and let's face it today I think there's a deficit in what talent really looks like and how it shows up um stage really moves too so if you see things moving it's it's the stage uh I

don't sit well I don't sit still uh real well either but um yeah I think as far as the talent ecosystem goes I think we're challenged in our industry I think we're challenged on our projects I think we're challenged in our own teams I think we're challenged in management whatever your role is how many people are full-time employees in this room majority majority are um we're gonna talk a little bit about that uh what that looks like in in a talent ecosystem as well full-time versus a contractor a vendor um so let's get started by the way this is interactive you got a question raise your hand i'm not uh wait until the end and you know take pictures so if there's

something you want to do question why I shoot it okay all right uh this goals we're gonna have for today we're going to talk about some hiring Trends in cyber security this is cyber security overall this is not experience hiring only entry level hiring this is about everything and hiring Trends as of this year we're also going to talk about when you walk away to a little bit today about marketing your own brand my comment about brand about Bishop Fox being the best cyber security offensive leader in the space you should be thinking about how you Market yourself as well I do as a Global Talent acquisition leader that's important to me as we select

talent and I didn't I didn't go into that either that's that's primarily where I came up from from tech recruiter into leadership uh and then managing Global teams so we'll talk about that about your brand and why that's important soft skills critically important today you know a lot of times back in the past Engineers would say well I don't need to talk to people I don't need to to be uh a personality Slide the pizza under the door and I'm ready to go right that was the mentality in fact if you think about it an introverted engineer and an extroverted engineer the only difference is the extra extroverted engineer looks at your shoes when he's talking to you so

there's a lot of things we have to look about as soft skills and how you show up it's in your it's just like in your personal relationships no difference and then last uh we're going to talk about today is how do you compete you are competing in your roles today more than ever in your roles for promotions in your roles for job changes uh in your roles for being selected uh we're gonna talk about getting back to those Trends about how to compete and if you're competing for a job that you're not in today how do you show up for that if you're competing for a job against peers to be promoted how do you show up in that too so this

is going to encompass all that okay let's talk about cyber security employment landscape first um I started the presentation when I wrote the bio two truths and a lie you can read these up there I won't read them to you but anybody got an answer of which one of these cyber security jobs being resilient jobs in the marketplace open today or making a change in cyber security is easy but you gotta guess which is a lie somebody said they're all lies this woman here said three she's absolutely correct um I love that Defcon shirt by the way um we had we had a fun time last year at Defcon and some things that we did in a

live stream for Bishop Fox um you're absolutely right uh making a career in cyber security is not easy um and it's gotten harder I mean look at the news today or in the last 24 hours on a leading company with 18 of its Workforce amounting to about 400 people fantastic company we ourselves were not immune from it nobody is and so I think what's important is we look at the industry yes number one definitely more resilient and economic downturn look at that first national level slide there on the left that shows a supply demands that's a supply demand statistic these statistics are in the middle of Q2 this year so if you look at this this is around

May time frame all this information is posted publicly as a phenomenal website I'll share with you later about where you can think about your career skills for your career and then also um you know where you'd fit into organizations but the supply side right now is at 69 that means that 31 of all the jobs now I'm talking U.S I will talk a little globally too are unfilled so uh 69 that means there's plenty of jobs now there's plenty of jobs but I think the scrutiny and difficulty in landing a job could be certainly uh maybe more challenging but 69 of all open jobs today in cyber security are filled that's everything too that's that's a job being done by a human being

uh second second box there as far as what you'll see is total cyber security job openings that's again around May of this year uh 663 000 jobs now that's everything from security operations that's product that's Services that's everything inside of cyber security and let's face it it's a tremendously broad industry right we'll talk a little bit about some of that as it relates later as far as uh some change too um and then lastly if you look at the slide on the right um the national uh total employed in cyber security today in the United States is one million one point one point one million people so these are statistics today that matter uh I think as you look

at these and you look across on the on the national level there's also some tremendous data out there about where jobs show up what jobs are available and again this this uh website is free it's tremendous uh in recruiting we use it a lot we use it a lot to Market ourselves we use it a lot to find Talent uh for us like our website says Bishop Fox we were remote before it was cool we'll put people anywhere we'll find top talent like get to an airport got Wi-Fi we'll hire you so this is the landscape overall today but you're absolutely correct uh cyber security career is not easy let's talk a little bit about the talent

acquisition funnel there's three ways to acquire Talent the first is like it says on the left you buy it buying it you're making a commitment it is your highest level of expense as a business is people um by far I listened to a presentation earlier today on CFOs and it was about CFOs and comparing CFOs and intellectual property um certainly it is a huge expense for a business uh part-time workers same thing it's still going to be an expense think about benefits alone a benefited salaried employee cost you roughly 23 percent of their salary and benefits 23 so the expense of that is just not payroll it's a lot more than that and it's a lot more how people show up

especially to consume things training for example leave vacation all these things are a big expense of the business and the last way is temporary you're still acquiring a temporary resource maybe it's a part-time temporary maybe it's an engagement basis maybe it's somebody that you need to augment staff because somebody's going on maternity leave but those are the ways that you buy and acquire Talent the second way is building it this was very very prevalent in the last couple years right do we have a talent shortage to my point earlier in that slide sure we do I would argue we have maybe a um a creativity shortage how do we find the right person the right job at the right

time maybe that's a challenge right but today we'll talk about this in an entry level it's hard to find a job right now on cyber security if you don't have skills and it's gotten harder but companies right now are not building as much as they used to for two reasons one is gas expensive we're gonna cut costs we're not going to put these people through these training curriculums we're not going to pay for their certs go do it yourself and come to the company with it the second thing that people are looking at now is organizationally as you look at uh skills and what you're going to pay for um what if it walks out the door

you know there's a lot of commitments people make to signing an agreement if we train you or we give you a certification you pay us back for that if you leave within one year right so there's a lot more scrutiny around training today too but that's the second way is to build Talent the third thing I think is today we're we're cyber security entry level hiring is hard is um they can't wait around they can't wait around for you to grow yourself they need you now they need you on the ground running and they need to be productive so building is gone a little bit quieter uh as far as acquiring talent and the Third Way is getting more

prevalent and that's the borrow uh I say contractors that could be independent that could be somebody that's hung their own shingle so to speak and gone out on their own um it could be partners there's a lot of good partners out there that are willing to take on projects maybe it's a deliverable base maybe it's a fixed fee maybe it's an engagement where they just need help to get it done because again they're not going to hire you as a full-time employee so borrowing is a real viable way right now to solicit Talent there's also less uncertainty so if you bring a contractor in guess what things gets changed and things go slow down what do you do you get rid of the

contractor or you get rid of the employee if they're not as good as a contractor right but at the end of the day um the contractor partner Vendor model in competing for talent today is making that landscape even harder now you might say to yourself I want to go do my own thing I want to be my own boss right everybody does um but the challenge with that too is that it's marketing I mean it's one thing to land a gig it's another to get the next gig and the Peter Principle model and a management philosophy is you're only as good as your last gig or your last deliverable right so making that change into what would be a borrow model is

difficult however there could be flexibility there could be choosing what you want to do there could be more pickiness there could be more time to take time away um so maybe maybe that's a model too that's interesting to you but there's pitfalls to that as well they're all all of them are but uh today in the landscape especially in the last nine months organizations are looking at Talent from a contract borrow perspective use it when you need it don't put it sit it around don't have somebody uh you know waiting on the bench if you will uh they want those skills and so we're going to talk a little bit about the finding that further about how you can be more

resilient how you look at a career opportunity in the capacity that you have to do other things that's really really important I think it's important we want to hire people like that we do hire people like that because as we take the field we all have the same helmet on we all have the same Jersey we look the same doesn't matter if you're a contractor or full-time an organization's got to deliver and um you're going to see yourself in a lot of situations where you're going to sit alongside somebody that's a contractor they work eight hours you know they make more money than you they you know that a contractor is going to be paying on the hour right they might

not need benefits they might have it through a spouse but it's an interesting Dynamic I think but I feel like in Talent you need to you need all three you you can't just sit there and say oh we're just going to hire all employees that was back in GE days 40 years ago it doesn't exist anymore any questions on that relief

it's a great question the uh the question came from the front was how does company culture get impacted by contractors versus full-time employees it's really good question um I think two ways probably the first way is um there has to be unity in the workforce and if there's not there's a division of us or them there has to be a bridge between we're here to deliver as a team but the second challenge is they don't have the same helmet on they don't have the same commitment they might not have the same goal or purpose maybe it's Money Motivated maybe it's skill based motivated maybe it's an opportunity to increase their career and they're just going to be gone the next right so it is

hard I think the best way to do it is you hire people that are contractors that know what a full-time employment opportunity looks like you hire people that are good at what they do but maybe they just are they they they're really a full-time employee but they're in a contractor suit but but you're right culture is definitely can be impacted um especially on deliverables how many people here work in Services related organizations like you're delivering a service and a value man but not about half okay that's different than product right screw the product in install it leave right that's not the case in services so now let me back that up they're obviously the services for the product but there

is a difference between that Service delivery in a contractor or product to borrow that out but it is it is hard certainly I think in uh in cultures that are impacted uh and I think the biggest thing at least two is that um for most organizations if you bring somebody in and they're no good as a contractor and you are you're gone so I I think it affects attrition I think people look at that and go hey if you're going to hire a contractor and you're going to give them the opportunities and take it away from me then I'm gonna go find another job so I think attrition is definitely spiked when you can't balance that on a project

how many people here are managers several you know what it's like to build teams you know who you want on your team as far as an organization goes you're the one that makes that culture work you're the one that establishes those guidelines whether that's an okr whether it's deliverable based whether it's how we're gonna how we're going to finish a project you do that that's what you do thank you for the question all right let's talk a little about entry level hiring uh entry level hiring this is a uh publication last week conducted by a company called active cyber active cyber is an organization that's a Learning and Development opportunity a lot of curriculum based

things you can buy participate in share information on who you are this was interesting look at the top of 83 percent of the current job openings are requiring a certification of entry-level people 83 back to my point earlier companies don't have time to wait around for you companies don't have time to wait around for the fact that they want you to be productive they're not going to wait around for you to come up to speed right so what they want for entry-level people is certs the top two certifications I've listed there I'm going to show you a stat on what those certifications look like and how many people of those employed today have those certifications but think

about that entry-level people they might have had some skills through college they might have had some things in a work study an internship that's still experience they might have a lab in their basement that's experience people need to see about that in the talent system where they understand it will talk about what they've done not because they have all these years in a company but things that they went on and done on their own by seeking it because they're interested that's that's a big difference um so certifications are are very very prevalent today for requirements at this entry level 92 percent of the people the candidates are being asked to be familiar with these things framework

standards and regulations I've listed those regulations in standards below go ahead

question was good question he asked if the CISSP is an entry level certification no it is a difficult certification it is one that uh if you look at experienced people that try to pass the CISSP it's not easy so it's a difficult Journey but it shows also not because it's required for the job but it shows your interest in your field

it's a good question he's asked is it required it should be should it make sense what if you're writing the check what if you're the employer and you have payroll going out and you want that and to my point earlier with the jobs available There's an opportunity right now for employers to be picky a year ago it was a candidate Market it is no longer a candidate market today it is a employer market now that being said there are some very demanding skills where people can walk if they want or have it you know have a focus we'll talk about the career path in a minute too and I'll show you some of those but it's a good question should it

be no should a company invest in you to have that done absolutely but that's changed so so today it is did you have a question behind okay

build a circle that's right that's right

it's a good perspective so he's saying it he's saying it could should be so that's a good debatable topic but this is where the industry is headed and there are other certifications there's other things they get there's clearances there's other things you can go maintain but these are two big ones um that they're looking at salaries Sal uh go ahead I really can't hear you I'm sorry I'm gonna fire that person on my team no I put that together that was me I'm sorry yeah and I worked in healthcare too so yes hip is building correctly the Privacy Act portability Privacy Act uh yep tiring at approximately a thousand people per day and with um covid killing approximately 300

people per week and disabling about 10 percent of our population how much longer do you anticipate the current hiring environment staying as an employer pick and choose type thing that's a good question thanks for showing the mic um I think for the foreseeable future certainly I do I think there's other things and forces that play around the corner look at AI what's next year's Trends right I think that there's other ways that we're going to see that change a little bit what's a global model look like right there's a lot of talented cyber people in the world there's some phenomenal people look at the people look at the people the other than to change the world is Ukraine there was a

tremendous cyber focused teams in Ukraine delivering so it's a good point and I think there is the change in that right um that that will Trends change with time salaries has been on the cover salaries in a minute too salaries right now Financial of employees 53 000. 214. 53 000 is typically your security operations analyst sitting there behind in a SOC doing that kind of work the upper end of that might be somebody's a little bit more broader skills and pen testing uh some other things in data some other things and modeling vulnerability things like that uh remote work remote work right now is number three on an employee's list of what they're after in an employer number

three the first is money the second is your security in your job job security companies standing that that's number two number three is remote work remote work's not happening for for entry level people not as much because why you got to have somebody Mentor them train them sit with them watch them are you making that back to that point in investment in that person so not as easy to do a remote staff for entry-level people college degree is the last very few in college degrees and as far as that goes I don't see that changing as a trend we don't require we don't require degrees at my company we acquire Talent certifications of trump that so that's

just something in the industry our industry that it's not as prevalent I've seen it in others but not so much in cyber yep think that the do you think that the for like remote work it'll change to kind of a landscape of you are in office or something to learn and train for a set amount of time and then you're eligible for remote work or something like that I think that's right it's a good question I think you have to prove yourself I think you have to show that you can do that remotely not everybody can I think that transition had to happen during covid for obvious reasons however that's not the case anymore so I do believe

that and I've always said this to my children success has rewards so if you're successful a reward should be able to not come in the office I do think there's something missing in the fabric though in off without that in office or without getting face to face how many people were Defcon last year in this room quite a few almost tons of people what about a couple years ago right it was quiet so some some people still there so I think that that's a good point I think that that can be done I think it depends a lot on the job as well and certainly when it back to the borrow model the borrow model you're going to

have that person pretty much under your thumb or you're going to want to make sure that there's a deliverable based item that they're giving you that you can verify without watching them and seeing them very very important let's move on top skills in demand 22 and 23. these are the top three in a row of um is that fuzzy is that coming out pretty clear it's good okay it's just my eyes um top three for 22 top three for 23. you'll see some similarities one of the things I think is interesting in this data um and this this by the way is um only experience level hires experience level hires is somewhere around three years plus does anything about that way

three years of experience in a company it's three years um so the top skills one of the things is interesting in 22. look at 22 the first skill last year app security Engineers number one this year app security Architects so does that say that they need a higher level talented individual in the workforce because they're using them for a market or word architect you bet it does or as an engineer somebody that's kind of you know got some got some baseline skills but they need a little bit more I find that interesting um especially when when other things get added right like last year it with with um java.net you had had those Dev skills

now without threat modeling you're probably not going to get looked at in your resume or a career opportunity so again that's that's a that's a personal interest that you have in your employment uh I'm just showing you what's what's hot today and for me in a global talent talent acquisition leader for me we got to follow those those Trends we got to sell what our customers are buying and we got to deliver top results okay um experience level candidates let's talk about some Trends there uh compensation this is an interesting one I've listed the five areas in compensation this year that have dropped for the first time in history the only other time it was done

was during covid all five of those skills today are at a lower amount in compensation that they were a year ago all five there's one outlier for that only and you know what that outlier was Executives because the throat to choke has gotten a lot tighter and so they want somebody to come in and deliver and they want to deliver fast CFOs with their weight in gold today um so some of those Trends as far as leading an organization developing people you know maybe that's uh maybe that's an individual where the salaries went up equities went down so maybe you have to pull that lever right there's there's three levels of compensation one's your base salary one's your bonus and then

one's Equity or maybe some other things that are on top of that right as you took take a look at those pools but um now this has a lot to do because of obviously because of COVID too right obviously with the last layoffs and the mass changes that we had that makes sense that that was the only other year in history where salaries come down but I think that's a temporary I think that's a temporary thing I think that uh that will continue to evolve but I also think it's like car prices were a year ago right it went through the roof it will change it maybe level itself off but I also think that um you know you

pay peanuts or you pay peanuts you get monkeys that's what I always say so you got you got to be able to pay people too for what they're worth but I'm just saying that as a hiring landscape goes there could be other levers to my point about your interest and it's not in base compensation maybe it's something else maybe you're driven by equity bonuses maybe as a performance guarantee likely not that's why they call it variable right but important important to note that that's just a change required skills this is going to be one we're going to talk about later a little bit is the required skills of tech and soft 90 percent you know you can be really Technical and

I was I was in a conversation to see in this room it wasn't a conversation last night uh by the pool with a brilliant individual I mean he leads a 3 400 person team um CISO type CISO type of background and um I asked him what's the hardest thing about finding people what's the hardest thing about retaining people and he said soft skills you find a lot of really smart people you're all really smart people I can tell looking at you you're smart people especially these four in the front these these four are like brilliant some Bishop Fox in the room love it all right um so required skills soft skills think about that think about as you show up

with your family members loved ones friends what do they say about you they don't say that you're boring they probably like you why do they like you because maybe you're like them so soft skills have been important in the workplace as well it used to be separate you always had a separate business from personal today there's a lot more about what you who need to be in showing up locations don't matter as much but obviously you'll see Virginia on this list uh because of the fact that uh the government sector right the public sector California probably because the size and Texas because it's seen a lot of growth a lot of people moving to Texas there's certain areas

that are hotter for others and then this is what I mentioned earlier today with the two security clearances that's the number of security sorry certifications today being held by U.S employees in cyber security So to that point earlier about CISSP and where it fits or the top one with you know three times as many certs just an interesting data stat sure you got a mic for him what do you think the split is between Federal and uh non-federal use of those CSP certs I um the the website that I referred to earlier by the way is called CyberSeek cyberseek.org they would have that answer on there because it's super cool about it you can filter it public

private by state by title across the entire and it's in its updated daily it's a phenomenal site cyberseek.org yep thank you sir they would have that sure all right this is the uh career path opportunities this is also from CyberSeek we're going to introduce the website you can go to cyberseek.org plug in what you like to do plug in how your career path looks plug in jobs that are available plug in other information and it'll show you and I did this on the bottom for a pen tester vulnerability tester if you look at this you're going to find out salaries geographically you're going to find out skills required you're going to find out other things

that are hot in the marketplace and where to get those skills of where you want to go the side on the right is Advanced so that sometimes goes into execs but you can see if you think about the feeder channel from entry-level folks into pen testing vulnerability testing from that side all of them all of them on that and that entry level have a path towards that success you probably came up that way how many people came up that way from Blue into pen testing vulnerability I know one dead all right so but but check that out because I think that's important as you define your career or you define in an organization where you want to go to my

point about promotions today are difficult too again it's an expense of the business the landscape's super talented and people are highly motivated so uh just more on that this isn't just being hired for a job this is about taking a look at what you want to do brand matters my thing earlier about Bishop Fox being the best damn offensive security company on the planet that's a brand statement what's your brand statement this is a menu I had this over last weekend at a little bar restaurant from Denver Colorado this is a bar restaurant coldest beer in the universe I loved it I took a picture of it right I had to have one of them it wasn't that cold but

I thought it was cool right it was outside but here's the thing it's important you start to think about who you are if you don't know that question ask somebody that knows you because there's always an introspective view of yourself that others see that you don't but your brand and how you show up with your brand matters substantially it is the biggest differentiator today in employment by far your brand it doesn't mean confidence it doesn't mean cocky it doesn't mean arrogant it means positive there's a simple truth the simple truth is that enthusiasm is contagious you show up you show up excited you show up ready people want to be people want to be part

of that so think about that as your own brand as you leave today I'm going to give you some examples of soft skills that resonate probably with you and you can't make it up by the way we'll talk about what that means in your own personality but marketing your brand in your office on your teams in job hunts is critically important yes

sorry we um so we have a Fortune 500 company we own other companies so there's no brand for the company but I I was kind of thinking on those lines of kind of branding our SOC team to attract the talent but not sure how to go about doing that that's a great point it's a great question you know one of the things that you don't have to have it be all all of for one one for all that's important sure but to your point if you have SOC teams and they show up because they're working a three three uh three shifts and they're they're you know there's a lot of pressure in that uncovering what they're doing maybe

there's something that that team needs to do in their own brand right maybe there's something that you market and hire people for that or you look at new organizations or you acquire companies you know maybe there's something in that brand that collectively meets that older goal but it could be individual for that particular Department you know rallying behind that right it could be something like that okay all right this is all your brand how you show up before in the past the biggest thing in the Cog in the wheel on the right is competency who are you what are your skills sorry not who you are like as a person again but who who what

skills do you have as a competency that's the biggest that's the easiest as a recruiting professional my mind says I can find out Tech skills all day long I can give you a test we can do a challenge we can understand what what you're bringing to the table because you got it on your resume or you bring it right I got the cert I got the degree I got the years of experience I got the chronological history whatever it is they're going to know that about you right what they don't know about you is that first on the left capacity one of the big things employers are looking at today is your capacity to do more at my

earlier point the start of the conversation was capacity matters when things do change or you do want to rely on your people right I've been in organizations where uh if people are too and this is usually large organizations if people are too narrowly defined and can't get out of the lane that they're in they could become obsolete so if you look at where um capacity matters it's the ability to learn and expand your skill set that's critically important they're going to ask you that in an interview not that question tell me about your capacity they're going to understand from examples that you give them about why you're able to apply the skills you've learned to deliver results and something

to ask you to do that's really really important and the last one is desire I put the heart moniker up on that because that's the heartbeat right desire is how you show up desires passion it's interest it's what wakes you up at three o'clock in the morning to write something down because you want to you don't want to forget it that's desire you can't change it you can't teach desire it's one of those things that if you have it towards something bring It Forward be enthusiastic about it especially in the interview process or in a company for uh promotion consideration these big three things are very very prevalent today and going to be even more so in the future and that's

changed dramatically in the last five years that I've seen so again before it was all about competency now it's a lot more about that and to the point we question we had earlier today when you have culture and teams that you're develop well you better have that across the board whether you're a contractor full-time because that that alone that desire alone is going to lead to results right that's where we link arms right we're one team we take the field together candid selection criteria this is where those three things show up um you talked a little bit about personality I put that in the top left personality is hardwired in you as a person at 12 years of age statistic

prove it psychologically proven 12 years of age so personality if you look about that you talk about self-motivated what gets you up in the morning nobody wakes up in the morning goes hey I'm going to work right but you got to get up in the morning with an interest in what you're doing and and personality for that self-motivation is that Curiosity how are you going to answer a question about curiosity how did you grow your career are you boring are you something you want to still learn and learn more about right are you picking up a trade what do you do on the weekends people are going to ask you that question because they want to know you have a curious mind

character critically important Integrity there's a lot of tests today that companies are giving that'll Define what you show up at now what you tell them you're going to show up at not your resume says but actually a psychological personality test and they are extremely accurate I'm going to cover I'm going to cover one of those in a minute technical industry knowledge again back to your competence back to your degree back to your certifications your industry uh technology and you know that's that's obviously a huge part of the selection it's not changing uh company team fit to the question we had earlier about culture is critically important a lot of that where organizations I thought fall

short is that they don't pay as much attention to that when they're hiring and ultimately that leads to firing because that person doesn't fit on a team nobody wants to work with them or you're going to be rubbed the wrong way same thing with leadership they say the biggest reason people leave companies because they're manager statistically be relevant so think about that um uh chronological history is important to delivery those of you that manage are really important too as you show up but this is how they're going to select you these are the six things an employer is going to look for this the top personality traits being sought today so what I would say to you

to do is find three of these what three of these if you if I went to your significant other or friend of yours and I said tell me about them what would they say because I could tell you right now quick study self-starter and critical thinker are really really important but so is self-control initiative look at change fatigue today look at how many people going through change whether it's in our world or whether it's our jobs interpersonal flexibility to maintain and manage change and stress critically important so find these think about those as your brand and bring those forward when you interview when you look at opportunities for promotion these things matter highly highly important

interview questions these are top interview questions today I I I we do a lot of training too with managers and hiring manager training this is critically important too easy to find the competency skills too easy to talk about your degree because you geek out on it or your certification find these things out why should we hire you answer these questions if you're not ready to answer these questions they're gonna they're not gonna hire you the guy that I talked to last night the CSO had he selected people that not the best not the best qualified or most qualified but the best fit for his team and that's what he found out in the interview process so why should why should I hire

you um leaving your role are you running from something are you gonna run to something very very important to understand that question as well um sell me on the company how many times I have sat in interviews before where I asked the person to sell me an organization or tell me about the company and they look at me like a blank stare and I'm thinking so you didn't do your research before coming here about what our company does and we're not gonna hire the person right so so think about that do your research you be picky as well really really important the first one I was going to say the last comment about the um

tell me about yourself is um it's not like where you're from and what you like and what you do on the weekends it's about tell me about yourself in the capacity we're hiring you for so think about that think about the questions there's some tremendous content on LinkedIn about this preparing for interviews questions you'll receive what the answer should look like how you should frame it what you should bring up tons of stuff out there but think about that because that what I see about this line at the top you know there's there's you know as far as Talent spotting Talent is you know critically recognizing Talent important the cost of turnover is extremely high

organizations should take the time to hire you thoroughly because if they don't they're going to take the time to like let you go it's as simple as that better spend the time in front all right last slide this is the leap the first part of that getting ready is obviously preparing you've got to get it ran your brand your CV your LinkedIn profile is your online resume if you don't have that in place you need to get it in place um the company Target what do you want to do who do you want to work for go to Glassdoor what do they say about the organization a lot of times people a lot of people look at Glassdoor sometimes

people just gotta gripe sometimes people got let go sometimes people didn't like a co-worker so they they want to vent so I'm not saying it's 100 accurate but it does show you what others say in the organization taking the leap is difficult when you take the leap it's challenging it's stressful you gotta adapt in midair you got you know when rejection is difficult in your search be prepared for it adapt and refocus and you're gonna you're gonna have a better opportunity spawn the landing is important because where you're going to go and where you're going to end up is going to be really important as far as where you want to land I put some things in the left hand

sorry on the right hand side that show a little bit about what that looks like when you negotiate an offer there's a lot of things just more than base salary think about that what's personally important to you and the last thing on there is counteroffer a lot of times you're gonna go look for a job and they're going to tell you to stay they're gonna they're gonna say to you uh they're they're gonna say to you hey why are you gonna leave why because it costs more to cost more to hire somebody to replace you it's easier to retain you so counter offers are real in a executive recruiting perspective it's a question I ask every time the

other question I ask is what is your significant other think about your job change because that falls apart when you make an offer and then sometimes people just get pissed off one day like I'm gonna get a new job because my bosses treat me lousy right they go they go through the cycles and everything else but they're not really ready to leave right so counteroffer is really important to think about so are things like signing bonuses today we don't do a lot of them as a company um other organizations do sometimes they do it to make up the salary differential but there's a lot there's a lot that goes into an offer uh at the end of the

day and a lot more is happening today on that in that regard oh you bright people that's the last I have the slide I'll take some questions and wrap up uh right here you got the mic for them yep he's got the mic what would you oh mic's hot uh what would you say your experiences in the acceptance of retention offers from a counter offer uh for a company so say you're leaving uh you have an offer for a separate company company B and then your your current company offers you what would you say in your experience personally that you've seen is like the acceptance rate of that I'll stay here or offer okay the people that accept the

counter offer correct eight percent in our company's eight percent I manage that through applicant tracking system we have a conversion acceptance rate of 92 percent so eight percent either say no stay where they are took another opportunity but 92 percent of that and it and that's a recruiting thing in the beginning to validate who your should be pursuing rather than getting to the end and hoping they take the job but but majority um uh if you flip that around majority of the people that are committing their job search end up leaving it's just those that either have a feeling of emotion or respected and abstain it's not about money it's that we want you we

want to keep you right so you got to think about that and as a follow-up to that would you say it's more senior individuals that are taking the counteroffer to stay or lower lower interesting okay yep foreign do you think it's always necessary to negotiate your salary at the end to kind of give when they offer you a um amount a dollar amount should you always ask for more no it's a good question it's a good question negotiation what I'd say is this wage transparency laws that are in effect today and increasing in America you're going to know what that range is right but you can't price it too high so there's certain things that maybe it's to this gentleman's

point about remote work maybe you're going to take a job because it's three days remote right maybe that's a benefit to you right so not always but but I think there's an opportunity for you because you're going to wait another year before that's going to come around again right and if they've made you the offer their mindset you're already a member of their team you're no longer a candidate it's much easier at that opportunity to start to get what you like a little bit more of and bring that up certainly yep a lot a lot of variables to pull in that yep got a question oh go ahead you mentioned a current Trend towards kind of contract

work from the talent side is that a good option for someone looking to grow their experience and skills or should they stick to full time that's a good question I think there's a lot of personal uh processing in that answer um I think when you are on your own um and you're not part of a team um it's easier to um it's it's I think it's a little easier to be part of a team than an independent you know just how you feel inclusive as well right but it's not it's it's really a personal uh taste in them too yes sir on your first slide one of the truths you list is the resiliency of

cyber security and downturns but this year we've seen tons of layoffs uh Rapid7 is doing layoffs this very week Cisco's laid off a ton of their security teams Bishop Fox laid off 13 of their Workforce earlier this year now it wasn't 30. 13. yeah 13. yeah do you think that that resiliency is still true or is that going to be do you see that changing I think I think the resiliency in the market certainly for our industry is certainly still true resiliency I think you had a lot of overstaffing you had a lot of expectations that things would continue you had a lot of change since COVID happened you had a lot of over investment in the industry of

Market investors cyber overall uh and then also with with the change let's face in the last nine months companies aren't spending more they're spending about what they spent before so if you over hired in advance I think that Trend was still going to go up and it didn't you're overstaffed but I do think it's still very resilient Highway if you look at those slides of Supply demand so you first see that resiliency staying a fact uh cyber security matures as a field I do I do have you got time for one more or and I'll be I'll stand for a little bit and catching a plane out this afternoon but I will stay a little bit

for questions uh I think he was oh go ahead do you have any information on how the bottom end of the entry level uh salary has trended over the past few years you can look at historical aspect that check out cyberseek you'll see some of that in in salaries because you'll see the range what you'll see in the ranges think about that range before this year that range is going to be over time historically is going to increase in that in that window that's that's the easiest way to look at the data sure but my well I guess what I was getting at is if employers are if employers are asking for more certs from their entry-level people because

they want to hit the ground running but they're not paying entry-level people more for having those certs than they have in the past like does it make sense does it still make sense to attain those certs when you're not going to get paid more for having them I think it's a ticket to the dance it's the price the ticket right now that's what it is I I don't think that's going to change one more thank you for the questions everybody I really appreciate it some some good content so you mentioned soft skills and you mentioned talking to somebody who said that people are kind of lacking soft skills and it's causing an issue um my question is how exactly do we get

into the position to even display those soft skills because what I'm starting to kind of see is that uh soft skills really only happen when you're face to face like in maybe in emails here and there but like it you don't really get those opportunities if you're not even getting past like the uh the application part and then when you come to events like this and stuff like that sometimes you're just meeting people who are trying to sell you stuff and not really people who are looking to find those people with those skills good question I think two things one is uh that should be part of your CV you should have some of those things on

there you're right there's algorithms right now they're screening things out before even a human looks at it so let's just say you take self-initiative and in your description you show how that is if somebody's looking for that they will put that as a keyword and find that so include that you don't even put your address anymore put some of the things that define you it's important everybody thank you for your time very much appreciated today thank you very much [Applause]


no lab or something in the cloud anything some VMs on your laptop something and they will say I just don't have time and I'll just kind of go next um I do love honeypots last year I did my honeypot talk um we're going to talk a little bit about that today um if you want to have a life probably want to tone it down a little bit because your mileage may vary and breakups can occur um yeah I get obsessed when when Log4j hit even though I was stuck at work working on that I was also putting it in my lab and going oh what can I do with it so yeah it's it's lots of fun

um but why are we not here well obviously I'm not going to show you everything I have in a lab that's just kind of silly um it wouldn't work either it's kind of hard to show all of that stuff my goal here today is to get you to walk out of here going yes I can build a lab and it's not going to cost you know fifty thousand dollars and I'm not gonna feature it in Labs R Us or you know some some magazine because it looks so cool labs are there to be taken apart to be able to be put back together taken apart again and so on they're not there to to heat your house in the winter and if

that's what your lab is doing you're doing it wrong and I'll prove it to you but I want you to think differently about the value of home security Labs I'm not showing you all of my gear I've got some pictures to give you some ideas of what to do where to go um like you know eBay and different places and and hopefully I'll get you thinking about some of this and we might even look at a little bit of Kubernetes um or Patriots and and ketchup um I've got some Raspberry Pi Kubernetes clusters um I don't have it with me right now I'll show you a picture of it but if you see me at Defcon

never mind um anyway why are we here um very simply I think security is fun and every talk I give I guarantee you if you didn't think security was fun when you started you're going to leave this this talk thinking it is but toys are fun um and I don't know I like breaking things and I like building things and I like breaking things that I build because it's fun this is why when I see these these security labs are so neat clean and cabled and everything I said well you don't change it up much do you um learning never ends with me if the only way I'm going to stop learning is I will have to be dead last night well

that came close I was I've been wearing my cat ears the whole week so far and the ER nurse that was really really helpful last night she is now walking around with my cat ears um um some basics when you start with your lab start small point we want to talk about though is virtualization how many of you heard of have heard of Proxmox a lot of you that's awesome some of you have not I didn't see everybody's hands but yeah Proxmox is an amazing tool for virtualization now you can go out and you can put ESXi out and virtualize your environment with that and if it's a home environment you can typically do it

for free but Proxmox I think is easier and some security tools come pre-configured with a Proxmox installation that will set up all the VMs within a Proxmox environment I'm going to show you that about halfway through the talk here also I do this on purpose because a lot of times the slides will will have something hidden where the URL is hidden I make sure all my URLs are clear so all those pictures you can take you'll get all the pictures of the URLs that are important obviously you can use VirtualBox I did run into a slight problem with that not with VirtualBox but with another virtualization tool which is Parallels I run Parallels on my

MacBooks and I have an older 2019 Intel based MacBook this of course is an M1 oops can't migrate your Intel um VMs to your Arm-based Apple um silicon Minor Details here I thought I was gonna like give away my old um MacBook my old Intel one to somebody that needed it but now I have to keep it um Raspberry Pis I have been told this is one of the reasons why there are shortages I have 35 um Raspberry Pi 4s I have probably 20 of the RPI threes and I still have Raspberry Pi ones why because they still work and they were the one of the great things just get those USB Ethernet connectors I'll show you some of these

um but one of the things I love to do with Raspberry Pis how many of you played with OpenWrt cool most of you need to get it here's why if you see me walking around Defcon walk probably away from me there might be something in my purse or my bag where there could be a Raspberry Pi running OpenWrt that is connected to the Defcon Network but it will also be possibly this is only possible see now you know why I'm not streaming this and recording um possibly it might be broadcasting other SSIDs such as Xfinity AT&T and all of these others why because even as Security Professionals what's the one thing we do that we shouldn't

don't forget those networks on our devices our phones Etc it's too much work so people that walk by me their devices automatically connect to my little evil AP if you will but the interesting thing about it is there might also be another Raspberry Pi sitting in the purse they run off those little battery packs for the better part of a day with no problem and the other Raspberry Pi runs several honeypots well the first thing I do when I get on a network whether it's at the hotel or anything else I might run a quick nmap scan I want to see if I'm isolated or not somebody does that they see there's a couple of IPs showing up on

this Wi-Fi that I'm not noticing I connected to and they might attack it the interesting thing is is when I get home typically I will have a month's worth of data because I'll go sit in the chill out rooms or various other areas and just kind of sit and people come and talk to me and the whole time you know they're connecting to things and I see other tables that are doing things the point is you can get very creative with this stuff and learn techniques that you never thought of because a lot of you may have played with WRT but have you ever thought to well what if I make a little something in my home lab where

I'm broadcasting a free network especially if you live in an apartment complex or condo complex and put some honeypots on it and see if your neighbors are willing to attack your honeypots I can guarantee you buy an arm uh when I lived in Kirkland it happened all the time I lived in a 600 unit apartment complex and my honeypots lit up like Christmas trees because everybody was getting on the free Xfinity Network and they were so that's something you want to take a look at another one OPNsense anyone familiar with OPNsense one of the best firewalls out there pfSense is okay I'm a fan of OPNsense if

you've heard of the two then this is the one I would recommend and I'll show you how what you want to put it on but get rid of that Wi-Fi router firewall one thing always keep in mind no attacker has ever gone oh they have a firewall I think I'll go and attack something else that never happens I work for a former three-letter government agency for eight years and funny I never went oh a firewall well I'm afraid now it doesn't doesn't happen that way um and then we'll talk about some random bits that that we're going to apply to our home lab here all right so virtualize so here's one of the Intel NUCs that I have this thing

cost me roughly 199 dollars it's got 16 gig of RAM it's got a terabyte drive filled in an NVMe drive and then it has the top comes off and I can put another SSD in it a standard SATA drive and then I just got two drives underneath it that are a couple of eight terabytes and they plug in via USB which people say oh yeah that's not reliable they're virtualizing it in a lab I'm not using it to store my family history and all the photos and everything else but it is very useful and the the probably the biggest expense was maybe the hard drives the the 200 time I bought those I think they were

160 bucks each something like that for eight terabytes and it's it's just there and it's virtualized into a minimum of four to eight virtualized systems and this is what Proxmox looks like it's a very simple system you can see I've got several VMs on there in this case I've got a vulnerability scanner if you can read that there's also Security Onion running on there but there you tear these things down you build them up you tear them down you know they're they're not going to be production systems so don't worry about running you know large hard drives off of USB that's something I hear a lot of oh I don't want to do that I want to go out and get a NAS

why do you want to spend all this money okay this is an example of some of the things that I that I do with my my Pis on the left click here that's my Raspberry Pi Kubernetes cluster what you see down at the bottom is the battery pack that it is strapped to and it does fit nicely in my purse um but yeah it's a full and the battery pack you can't really tell but it's got um uh power over ethernet um it's got those those hats on there so they're all being powered off of One battery pack it only lasts about four hours at the One battery pack but it's a portable system if I were doing my

Kubernetes security talk I could bring that in here set it down and kind of do a live demo with Kubernetes and all sorts of things so it becomes really useful um the other one with the big fan that's been virtualized with ESXi you can run ESXi on a Raspberry Pi I don't know why you want to but you learn a lot again it's a security lab so I I virtualized it and I've made four VMs they don't do much because the the Raspberry Pi CPU only has the four cores in it so I didn't get much out of it and it's only got eight gig but it is still a great learning apparatus the other one

at the bottom that might be the honeypot one that I also stick in my purse there's a Raspberry Pi zero that's a camera the point here is don't worry about stuff to be clean and pretty and neat sometimes you're just using cable ties to put it all together this is what you're going to do when you're going to do the lab okay and then this is some other stuff and you know the OpenWrt or DD-WRT these are Wi-Fi open source toolkits they will turn just about any Wi-Fi router into a much more powerful one of those Wi-Fi routers that you see in that picture there the one on the left which is the

Nighthawk five bucks on eBay the one on the right 10 bucks on eBay you can go on eBay and find this stuff I've got dozens of these little USB to ethernet adapters that you see down there they've gone out they're like 13 bucks now but I used to get like four of them for 20 bucks off Amazon and then smart switches again eBay start looking around on eBay and even Amazon under the refurbished stuff so once we get all this Hardware oh and the other thing that I would suggest um how many of you have seen Heimdall not many um this is a great little dashboard tool that allows you as you change your home

lab environment you can create these jump points from a dashboard because you're going to forget everything especially if you changed a lot so Heimdall can go out and scan and figure out or you can just put it in the dashboard manually and then you can go straight to it you can go to you know your Pi-hole configuration or any of the others so you definitely want to take a look at installing Heimdall that's the one thing you're going to probably keep clean because you need it
