
good afternoon welcome to BSides Las Vegas this is the musing of an accidental CISO we'd like to thank our sponsors inner-circle sponsors Critical Stack and Valimail and stellar sponsors Amazon BlackBerry and Cylance if I could please ask you to put your phones on silent during the talk and towards the end you'll be able to ask questions in the last 10 minutes thank you all right good afternoon everyone before I begin I just want to say thank you to the organizers of BSides Las Vegas for putting together an amazing event I look forward to this every year and every year seems to get better and better so I'm super psyched to be here today and I want to
thank all of you for closing out the day with me so my name is Brian Markham I'm currently the assistant vice president for information security at the George Washington University in Washington DC GW is a private research university located in Washington DC was founded in 1821 so it's a fairly old organization was founded by an act of Congress and it's the largest private landowner in DC what that means is that my security scope encompasses like over a hundred and fifty buildings it's actually the university can best be described as a city within a city it's because it's got a little bit of everything it's got residence halls restaurants classrooms parking garages a basketball arena Museum and really pretty much any
anything that you can name trust me we seemingly have one of everything on our campus so managing security for an organization that is this large and diverse can be really challenging to say the least but I get to do it with an amazing group of professionals not just in security but across the university which makes it pretty easy and pretty fun too just as a side note I would encourage any of you that are curious to maybe work in higher ed security for a little bit because it is an experience you probably won't forget you will if you like weird networks and crazy stuff and users that do seemingly everything like you'll like security in higher ed or
maybe just stick to like fortune 500 or whatever because it might be easier so ever since my dad put me in front this was my first computer was an Atari 800 XL ever since my dad put me in front of a computer for the first time I've been fascinated by computers and technology other than wanting to be a professional baseball player when I was a kid literally the only other thing I wanted to do was work in technology but when I was a kid I didn't know what that meant and as I got older I started to realize that technology is changing our world it has changed our world that it will continue to change our world that if we can't
trust it then it's all [ __ ] you know we have to do a better job of getting trust out of our technology and that's why I love this community because that's stuff that we're all dedicated to doing so I consider myself to be pretty lucky through all the twists and turns that I made it here in front of you today because like I said when I was younger and I was trying to break my own programs that I was writing I didn't know that security was a thing I didn't know that this would be something that people would pay me for but here we are so kind of at this point I wanted to
tell you this talk really isn't about me it's about you that there are things that I've learned the last couple of years on my path that I wish I knew 10 years ago 15 years ago I wish that someone had given me a manual and said you can be better at your job you can do better be better at what you do if you think about these things and consider these things and maybe do these things and when I was thinking about what I could possibly contribute to the community and this talk I really thought about well what if I tried to share some of that knowledge that I've learned on this journey to give them that manual
that maybe I that I never had so I'm not here to convince you to take a different career path like management is not for everybody I it happened to work fine for me but I know that there's a lot of people that are like I never want to be a manager and that's cool it's a lot of work and some of that work is work that honestly some people just don't like but there are some things that if you think like a CISO if you think like a manager you'll get better jobs you'll get raises and promotions you'll be able to sell your ideas better you'll be able to get tools that you want so these are all
things that you can do by basically letting me infect your brain for the next like 20-30 minutes so hopefully we can do that together so has anyone here ever had a bad boss yeah I mean I've had a bad boss and I never wanted to be one I used to see managers behaving badly doing things that were embarrassing at best and ethically corrupt at worst and I was just like my first IT job when I worked helpdesk I just thought to myself if I ever get that opportunity I'm gonna be the opposite of that person I'm gonna make my team feel great about the work that they do I'm gonna know everyone by their first name that's really hard to
do but I've been lucky that I've had some people in my career that have shown me the way to do that so I want to talk about just recent past just with what's happened in my career my last boss we'll call her Amy she exemplified all those things that I wanted to be she was calm under pressure she was well respected she was humble and she always made time for people but she was also really direct and decisive my favorite thing about her is when you'd go to her and say did you hear that they're trying to do this thing with this project and she would just look at me and say no and you
would know that she was serious about it like they were not getting that thing like over her dead body but you wouldn't ever meet a person a kinder human being and one that was incredibly technical but very humble in the way that she presented herself so she also understood how the business worked so she wasn't just a geek she was someone that really understood how our University worked and how we as security professionals had to operate in order to be successful in that environment so one day Amy told us that she would be moving on to another role and five minutes later I'm on in the hall with my CIO and I'm the interim CISO I didn't want to
lose what my team had built I wanted to be the one at the wheel I didn't want anyone else to grab the wheel and drive it off the cliff so I said yes I'm in let's do this I wanted to not only keep going what we had but to build it and do better and really create that legacy but then it kind of dawned on me holy [ __ ] and it got real really fast and I'm gonna talk about some of those things so CISOs have to worry about so much stuff and I know none of you are gonna be able to read this it was just the word cloud app that I
used was just not really very good but just go with me there's a lot of stuff there that we have to worry about the vendor buzzwords and Gartner reports and budget and projects and roadmaps and performance reviews and and APTs and the latest malware and explaining what happened with Capital One to people that aren't technical and all that stuff is happening all the time so for the sake of simplicity let's just kind of break things down in like two categories strategy and operations so for strategy just like thinking big picture when someone says like well what's your strategy I usually answer that question with a series of questions well what are our business goals what is our in in my case my university
but in your case your organization's what are you actually trying to achieve you're trying to grow revenue you're trying to roll out new product you trying to expand internationally in our case we want to create a better experience for our students so those are our goals well what are our risks what's gonna prevent that from happening how is that going to go south and keep in mind of this has really anything to do with technology at this point we're just talking about the business and then how do we address those things how do we address those risks and now it starts to get a little bit more with security right like so if we want to create a
great experience for people how do we do that well we want to attract really great students if we're on the front page of the paper because our network is a cesspool we're getting DDoS we had ransomware people the best students aren't gonna want to come to us researchers aren't going to be able to get grants which means that students that want to go to university to do research aren't going to want to come to GW so this is really important to the guts of how we operate and I'm proud to say I think most of the people on my team would be able to tell you these are our business goals these are what our
risks are and this is what we actually do to counter those risks kind of going a level below that the questions are like pretty easy and you guys can apply this to your own organizations I think all the time about what we're doing how well we're doing it what can we stop doing what do we have to start doing what skills do we need to do those things and what tools or technology will we need so if you think about it like like you're like a recipe like you're baking a cake you need a little bit of this little bit of that you might not need this based on what you're making so it's kind of that and I'm thinking about
these things all the time because there are some things you want to invest more and in some things that honestly if you're going to invest in something you are going to divest in something else I think there's a great quote I think it's a Drucker quote that's if you want to start doing something you got to stop doing something else so I'm thinking about that all the time kind of going into the operational and like what I'll call is CISO ops this is like basically like how I spend my day and it doesn't seem that fun but again if you care about something and you get to take that seat at the wheel it actually is a lot
of fun I'll just pick I know you guys can read the slide so I'll just pick a couple things you know when someone comes to me that's hey this thing is really cool we want to give this a shot we think this could really save us time or create a better result here say okay tell me why it's important and then I get to go to management and create that business case and make that pitch I'm pretty good at pitching I I have got a pretty good track record so I actually like that I like the challenge of being able to go and say you know if we were to go and buy this whether it be
anti-malware you know threat Intel platform or whatever be able to go to them and say this is how it's going to make our team better and more capable so I love that probably the part that I love the most though is the coaching and mentoring part where I actually get to work with my team take an interest in their career if they say hey I really want to get into this it's like well there's a training for that or have you gone to YouTube and checked out this talk so being able to have those conversations with them is just awesome because it's a partnership they have to do the work but me as that as that
leader I have to take that interest in them so they feel supported because this industry is really hard and even the smartest people are going to have doubts I was just talking to a friend of mine who has more knowledge in his finger than I do in my entire brain and he tells me he doubts himself all the time and I'm like well if he doubts himself like do any of us have a chance but impostor syndrome is very real and I think you know all of us to some degree question our abilities so having that support structure really really helps and I hope all of you have leaders and you know in your lives that give
you that support so there's just some things that I'm gonna talk about does anyone know who this band is by the way I'm dating myself I'm gonna show all of you how old I am but this is the Descendents so just a couple things like observations that I want to just impart on you that you guys can I think apply to your own to your own work when you're a manager you're always on stage always every word you say is listened to written down every word matters the pauses matter the things you don't say matter your emails matter you're always on and I knew this but I don't know that I was completely ready for it at first when
there's layoffs happening in other or in other parts of the organization and there are people legitimately concerned about their jobs I'm the one that has to tell them don't be concerned and I have to do that in a way where I don't want to have to walk it back after right how do you say I'm pretty sure this is not going to happen while in the back of your mind saying well that could change in an instant right so all those words matter so when you start thinking about like your managers how many of you are managers in this room okay so like a pretty good number of you so you guys get this but for those of you that aren't like these
are things that your manager may think about and because I know you guys probably all pay attention because you're probably detail-oriented analytical people so nothing gets past you so you can tell like with a pause like oh what did that pause mean for anyone that studied like micro-expressions if you've you know looked into social engineering you know I do that with my I do that with you know my managers you know I what did that thing mean I saw that so staying calm in the face of stressful situations you're going to just have to walk into fires and you're just gonna have to deal with the heat it happens all the time and you can't flinch and you can't show
them that you're stressed or that you're scared you're always going to have doubts but you can't show it because again everyone's watching you the moment you show it the moment that you show that weakness they're gonna think you don't know what you're doing and so for me I've tried really hard to be prepared for that moment and you know take a deep breath get the information don't jump to conclusions rely on my team rely on the information and then let's let's go have a tough conversation again something that I didn't necessarily know that I would be good at but I kind of surprised myself that I tend to stay a little bit more calm probably than I am right now to be
honest with you taking care of the team like I said before this is like really my favorite part of the job sometimes you just have to put people on your back and say get in this is this is where we're going part of the part of the work is that you have to see 360 degrees and someone that's focused on malware or on pen testing or doing IR or vulnerability management they're not seeing the 360 all the time in in bits maybe but all the time no that's kind of my job so sometimes I have to navigate my team through things that are not easy or not obvious and at those times I really like this picture because I do
have to just put them on my back sometimes and say you guys just have to trust me and then it's just up to me to deliver you know and be that trustworthy person that I that I do endeavor to be there was this tactic so I'm ex-PwC for anyone that's worked in Big Four consulting they kind of infect your brain with things and one of the things that they really infected my brain with is this idea called teach don't tell whereas if you're working with someone you don't tell them what you want them to do you basically ask them questions until they tell you what you want them to say so hey and a DeLorean that isn't so so inside
BSides Las Vegas baseball is when you put in a when you respond to the call for proposals you get to ask for like anything and I was just like how about a sousaphone or a DeLorean and they've literally just so that's amazing thank you so much I was terrified because I don't drink so if you were gonna bring like a shot glass out I was gonna be like oh yeah good this is amazing I'm never yeah I'm not taking this off all weekend yeah so so this idea of teach don't tell is incredibly effective because if someone asks you how to do something and you just tell them you really haven't taught them how to fish
they just are like what did he say again but if you ask them is like hey I'm having a problem with this thing what do you think the first thing I say is well what do you think because most of the time they know they're either just not confident or they're not sure and you have to be there you have to be that pillar for them because it's in there and sometimes I mean when it needs a little bit of calibration be you know sure give them that calibration but for the most part if you've done your homework and hired smart people and let them be them they're the answer is gonna be there you just have to allow them to
find it inside of them telling stories telling stories are incredibly important people have been telling stories for as long as there have been humans and I do this all the time because stories are memorable stories make people feel something if you go and just talk about the latest you know you know BEC wave that's been out there business email compromise wave that's been out there okay fine there's more phishing awesome but if you tell a story about a woman that was on a dating site and fell for a romance scam and sent all of her life savings to this man that didn't exist and was actually a Yahoo boy in Nigeria that's a story that people will remember
for a long time so and that's a story that that I was told and so I I have remembered that it was told by a gentleman from Agari told us a story about how he and his company your firm Agari yeah they're awesome I should remember his name because he was awesome but I don't I'm sorry it was yeah yeah so telling stories are incredibly powerful and it does sound cheesy and ignore my SpongeBob picture but finding pictures to describe some of these ideas is harder than you might think to be honest with you telling this is incredibly powerful especially when we're dealing with incredibly complex technical topics and generally people that don't have the
knowledge that we have so that's something that I do all the time and I found it to be pretty a pretty effective the next thing is I question absolutely everything I probably ask too many questions I know most of you in this room would probably describe yourselves that way too I don't leave well enough alone I don't assume anything you really can't because the one thing you don't ask will be the thing that burns you so I ask questions I'm genuine I'm I'm genuinely interested in things not just superficially but if someone's doing a project it's like Oh tell me about that thing right like how does it how does it work you know I'm not afraid if
someone's like well how do you not know how that works it's like I'm management dude I don't know anything you know like I'm pointy-haired boss so I ask questions to learn as much as possible not just to know how things work but to understand how it fits into the big picture so I can then go back and explain it if someone asks well why are they doing this why are they doing this upgrade why are they doing this replacement why are they migrating the service you know I want to know all that maybe in some cases I don't have to but I don't know how you shut that part of your brain off so here we are the next
station a lot of people have told me that when you get in the CISO role you don't have to go to Black Hat briefings anymore you don't have to read blogs you don't have to do labs anymore and that's fine that probably works for some people it doesn't work for me though I still like coding I like reading technical blog posts I like doing labs and CTF challenges it's fun for me like maybe it shouldn't be my hobby but I like it and it helps me understand things when they happen in the news it helps me put it in a context so I can actually understand it and explain it and I can have better conversations with my engineers and my
teammates they know that I'm not just reading Gartner Magic Quadrant documents and you know you know writing writing management briefings they know that I'm at least making an effort to respect the craft and respect what it takes to be to be good at those jobs and when I can have ask better questions and have better conversations with them I feel like I'm kind of honoring the work that they've put into to their craft making decisions is just I'm making decisions every day everyone's making decisions every day but in my case I have people just staring and being like well what do you think right and like I said earlier a lot of times my answer is well what do
you think but I always have an opinion about something and I kind of I have to make difficult decisions I have to allow applications to go live that I know have vulnerabilities in them and it sucks right but I understand what the business need is and security has to enable the business so we say yes and then on the backend we figure out how we're gonna make it better so I'm making decisions all day and a lot of them are difficult but it's part of the job it's also lonely right like a lot of no one else on the team is doing what I'm doing and so I think if there's a takeaway from this slide that I can impart on you
people on my team ask me how my day is going and they might think that that's like corny and it maybe sounds corny but it it helps like it really matters that they asked me like how I'm doing are you doing okay you seem stressed one of them oh it says to me like you look tired and it's like thank you very much I probably do but that like little that like little bit of feedback that question really goes a long way so I hope that you have leaders you know you know in your lives that you know you would ask that question to because it really does make a difference and I think this is
something that all of us can relate to we stand for things we stand for things that aren't don't always make us the most popular people we have to we have to blacklist things sometimes because they're really scummy we do assessments all the time on mobile applications that collect way too much data and we blacklist them and people don't like it and it's like we stand for stuff and we have to be there to support our user community and sometimes it's going to mean people aren't happy but the best that we can do is explain why we made the decision and stick to our principles it's hard to be principled when the easy thing to do is to just let
the bad thing happen and keep people happy but I feel like me and all of you in this room aren't those kinds of people I feel like you know we're here on a weekday spending our time you know at night when we could be drinking or having dinner with our families you know you're here to immerse yourself in this I feel like we stand for something and that can be hard but we stand together my team stands with me on these things and and I try and stand with them too when we have to make difficult decisions about things so at this point I kind of want to talk about some specific things from my infected brain that that maybe
you guys haven't thought about before for the people in management you guys probably do get it so maybe this will be a rehash and I'd love to hear comments after but these are things that you can do to be more effective if you are an engineer or an analyst to just have a better experience as a security professional and in your workplace so the first is and I know that how boring this sounds like I know but figure out how budgeting works in your organization figure out how something goes from an idea to actually being paid for it sounds crazy but like it wasn't that long ago that I was literally like I have zero interest in that but it's
literally the ticket for how you can get anything done if you want to buy something knowing how you actually get that thing funded it's super important because just like anything else you can't hack anything until you know how it works so when you figure out how this works you can hack it you can make it work you know how many times I've worked out backroom deals with finance people to get things like it's just because you know how the process works and those people that don't know how don't get things I have eight people from my team here this week eight it's because I know how to ask so it's really important lesson to always be making people better
people make me better they challenge me they teach me things on my team it doesn't matter that I'm the manager so I pay it forward and I try and make them better too I question them I give them honest feedback I try and be transparent with everything that I do all of you can do something to make other people better whether it's someone that you just meet at this conference or this weekend at DEFCON whether it's someone at a local meetup whether it's someone in your workplace you know you name it you can always be doing more to help make people better and that really just enriches your life more than any you know people that find
CVEs you know get you know reports CVEs awesome like that's really great but in 40 years if someone can say I had a great career because Brian gave me a shot I'll take that and I'm fortunate that I think that there are a number of people that would say that about me and I hope that there are people in your lives that would say that about you too you know the next one is don't bring problems bring solutions this is really what helps you level up in the eyes of your peers and your management if there are tough problems and you say this is what I think we should do and you're not afraid in that moment to be wrong or to
get shot down because people that come to me and say what do you think that happens all day but people that come to me and say we have this problem and this is what I think more often than not unless this is completely crazy we can't afford it or it's going to get me in trouble I'll just say I trust you let's do it you know so don't miss that opportunity to get your ideas to the forefront and make them a reality I always say to my team we invent the future together it's not going to be anyone else we decide how secure this place is going to be and may the best idea win I hope that you
guys are all in situations where you get to do that too the next one kind of kind of dovetails nicely with that and that is get uncomfortable I got thrown into the deep end and I swam but I see a lot of people that are really complacent and they don't want to challenge themselves and and really that's not good for your career really for your life the keynote speaker this morning at Black Hat talked about how he was afraid of flying so what did he do he learned to skydive you know that's an extreme example but I think it's a good one we don't really get over our fears until we face them head-on and getting
uncomfortable is how you do that so if there's a thing that you suck at that you don't know anything about go learn that thing I didn't know anything about AWS a year ago I knew nothing about it I had never done anything in the cloud I had never I mean I had like a free account but I hadn't really done anything so I made it a point to go learn as much as I could about security in AWS and now I know enough to be really dangerous to the point where I've you know built my own VPCs and I've got way too many S3 buckets and databases and basically just test labs that I use
to test things out and stand things up for like open source projects but I had to walk that road on my own no one was going to do that for me I had to get uncomfortable and feel like a [ __ ] when I was you know reading white papers and doing training slides but that's instructive and it's how you get better the next one and this is maybe the most important one for this room is to advocate for yourself I can't tell you how many times people have come to me and said I would ask for more money but I'm afraid I'm gonna get fired I just tell you I've never heard of anybody get
fired getting fired for asking for more money like if you do you may work for a really vindictive person or organization because I can't imagine having that reaction if you want a promotion make it clear that you want a promotion don't expect it tomorrow but say hey I'd really if you're you know and see a security engineer I'd really like to be a senior security engineer how do I get there let's have that conversation right I really want to be making this much money let's have that conversation I can't help you if you don't tell me and the worst thing would be to let someone walk out the door because they're afraid to ask it breaks my heart
when I see someone leave our organization and they say well I really wanted to work in security and it's like you never talked to me I have four people on my team that were internal and they came up to me in the hall and said I want to work in security how do I do it I said do X Y & Z and let's talk and they got a full time job so you have to advocate for yourself you can't see it as be as bragging you can't see it as wanting too much people will give you as much as you ask them to give so it's okay to ask for a little bit more and
it's okay to advocate for yourself because if you don't do it I cannot as a manager I can only do so much you know if I think that you're happy with what you're making it's like oh they're pretty happy but you might they might not be happy so we have to have those conversations so I hope you're all comfortable having those conversations and then finally you are the culture people think the manager does have a major role in determining team culture team communications and and really kind of the ethos of who who a team is but it's more than that a team is made up of a group of people and a group of people
can make that great or they can make it really toxic and a manager can't fix toxic workplaces unless they just get rid of the problems so we all have a part to play in building a great culture don't look to someone else to build that if someone's acting out and making something a toxic workplace you can have that conversation with them it's not just the domain of the manager to have those conversations in some cases it's even more effective to get it from a peer than it is a manager depending on who the manager is so the thing I want to impart to you here is really own that culture and if things aren't the
way you want them you can make them that way you really can I mean I know it's hard it's supposed to be hard because if it wasn't we'd already have done it we'd all work in amazing workplaces that were super healthy and supportive but I know that we don't so we have to be that change we want to see so kind of like I said at the beginning I know I talked about myself and my journey on this it's kind of kind of part of getting up in front of the room and talking but really this was about you I say this kind of tongue-in-cheek but I've reached the mountaintop I don't want another promotion I I information
security is part of me computer and network security is part of me I can't go work another IT job I might go work another CISO table but this is like kind of part of who I am I'm not here to get another promotion or make a name for myself I'm here to share what I've learned so that you all can go and get that job that you want get that role that you want achieve those career goals that you want so I hope that I've told you something today that was new something that made you think and if anyone has any questions or wants to say anything I would love I'd love to hear from you so so thank you first of all
thank you for sharing with us two quick questions what was the biggest challenge when you took on this new role and why so I think for me the thing that was probably the hardest just it was it was and continues to be reporting up what I mean by that is I don't spend a lot of time with the Board of Trustees I don't know them well but every so often I have to create a presentation and a report to talk to them and talk to them about information security that doesn't come easy to me I mean as you can probably tell I'm pretty comfortable speaking but when I think I know my audience you know through my my time you know going to
these conferences I don't know that audience very well so it's been challenging to do that and I've tried really hard to edit myself because my first inclination is I want to put together a PowerPoint presentation and I want to talk about threats I want to talk about risks I want to talk about what we're doing about it and then I step way and I look at it and I say they don't understand any of these words and it's like rewrite it and I have to do that and then I have to rewrite it again and then it goes for edits and then I have to rewrite it again so that continues to be really challenging for
me I'm not ashamed to admit it I think I've done ok I'm really looking forward to being much better so you have a lot of great advice about being able to advocate for yourself can you give any more maybe more tailored advice to people who are more likely to be looked down upon for advocating for themselves women people who aren't white perhaps who get penalized for standing up too hard for themselves that's a really tough question I can only give my perspective I think all of us deserve a community in a workplace that takes care of you for who you are and respects you for who you are whoever you are whatever your however you identify whatever you
look like what matters is what's here and what's here a little to you no intention matters and brains matter and if you are in a place if you're in an environment that's abusive and looks at the color of your skin you know or how you identify as how you know how you should move up and what you're deserving of it may be time to make a move I can tell you my team is almost 50% women and almost 50% of them were not born in the United States and I see everyone as as equal and I don't think I'm a weirdo and I've had many of them come to me say I want to level up I want to make more
money and I've said I'm gonna see what I can do because I'm your manager like we work together to achieve a mission but I'm also here to advocate for you if you're willing to take that first step so I think really in a roundabout way I'm saying that if you feel discriminated against if you don't feel like you can advocate without being retaliated against it may be time to look and there's a lot of great employers out there in the hall that you know I know that it's hard yeah I hope that I hope that helps a little bit how you doing thanks for thanks for coming up today um my only question is how would you describe your relationship
with your peers executives board and yeah anyone of power and influence yeah varied I've worked incredibly hard so where I work right now we have decentralized IT so each school has their own IT shop and when I started there there was a very adversarial relationship so my first goal was okay that just has to go so I made a point to get close with as many of them as I could whether it would mean setting up one-on-one meetings going to lunch joining a softball team and playing with them to get to know them on another level and so I think I have pretty good relationships there internal IT it can be hard because there's different
incentives people want to go live with things they want to hit a deadline and I say hey hold on a second has anyone looked at that does anyone know what that does does anyone know the data that it's collecting and they're like you again right so I think I think and I've heard this all week about security being like the team of no and and it came up in the keynote at Black Hat this morning we try and be the team of yes but a lot of times it's yes but let's talk about this let's talk about that it seems like it could work just need a little bit more information and I think for me one
of the toughest parts was get over not being liked people are gonna like talk about you behind your back people are gonna make stuff up and you just have to get over that and it's more important to be respected than to be liked I think because you can control if people like you or not but I think in their heart they know if you've got good intentions if you do what you say you're gonna do if you honor your word I always try and do those things and I let the chips fall so in short I've tried really hard to build good relationships with people so they will respect me even when we disagree and it makes the disagreements
a lot easier too because you can have those tougher conversations when there's real trust thanks for this talk I really looked forward to it thanks it's better than I thought you mentioned staying sharp and I'm wondering like how do you how do you try to stay sharp with all the different areas for all the different teams that you manage do you like cycle through and just focus on a thing at a time do you have areas where you're still with it you've just still neglected and you haven't got to yet what's your plan that is an amazing question I think I try and focus on the things that are it's probably a bad answer but it's true
I try and focus on the things that are most immediate so just last week the identity team at my university started reporting to me I don't have a lot of experience with identity management so I need to get up to speed pretty quickly which means reading a lot there's fundamental thinking about identity from a security perspective that I'm just not really well versed in so that's how I'm gonna be spending the next couple of weeks but generally I do Hack The Box labs I read blog posts I read detailed write-ups about you know malware analysis I'm really interested in the work that EFF's Eva Galperin is doing around stalkerware and things like spouseware I'm really interested in
protecting our students against that so I tend to kind of move around a lot I also tend to not sleep it's not healthy and I don't recommend it but it's just kind of who I am I just don't sleep so I have a little bit more time to dive into these things but but yeah a few different questions I'll rapid-fire them and you can respond to whichever ones you have information on one soft skills if you have any recommendations on people who are working on that number two like time management like I heard one guy who said he does he does old work before noon a new business afternoon and I can't imagine like being that organized and
third prioritization like how you manage the not just your internal priorities but priorities from other departments yeah okay so those are those are good questions what was well I want to start at the I want to start at the first one was it that was skills okay I would say the most important one is writing you will be judged on how you write whether it's your resume your cover letter or report you will be judged on how you write so it's really important that you write well you don't have to be you know Shakespeare but you have to be able to put together a thought and have it be understood by whoever that audience might be I'd say that that's really
number one like doing things like this speaking being comfortable speaking I think that that's really important but some people some people like it some people don't there's some positions where you really don't have to do it that much so but I do think it's you want to be able to clearly express yourself in front of an audience so let's let's leave it at that because I know you have a couple more questions I'd say maybe staying organized I think for me I probably have some pretty weird habits I tend to and let's mix the two questions together I tend to make a list of the things that I absolutely have to do the things that
are basically do and then I make another list of the things that I have to do but are like less important and I basically am just adding and removing all the time it's really important to not let email manage you that's something that I've learned three years of failure and more recently I found that I don't want to reply to emails after hours because I don't want to be that guy so it's actually really great that Google has now built in as the scheduled send so I scheduled all my emails to go out at 8:00 in the morning so if I want to get caught up on email I don't feel guilty but they all just go
out at 8:00 in the morning and then by the time I get to the office maybe people have like replied and so it's like yeah it's not something happened so that's like that's like a big thing for me I think also having help I'll give a shout out to my assistant her name is Karen I was really reluctant to work with an assistant I was like I'm really not worthy of this but she's incredibly helpful she helps manage my calendar I block personal time for myself to read to talk to people for whatever I want to do and whatever I need to do because if you don't it will just be consumed by meetings so I tend to block out two or
three weeks in advance as just like leave me alone time and Karen knows is she if something's really important she can put it there but no one else knows that so so that's kind of a tactic that I've used to kind of schedule my time as well I tend to be pretty fiercely protective of my team's time and my time because that's the thing that you just don't ever have enough of I hope that answered your questions
you mentioned staying sharp for yourself what about sugar your team works for you and you know we all deal with training budgets and you know do more with less you know YouTube is great but it's you know how do you go back and dealing with the issues when you have a large you know even a small shop that each year you know your budgets are getting you know thinner and thinner but your skill sets aren't strong enough to keep up with the latest threats what we're you know we're here for how do you keep your team you know and how do you make sure it gets spread out equally enough that you know you say you invest in their
time and the best in them but how do you ensure that you're keeping their skills up and ensuring that you know who gets the training dollars and who doesn't get the training dollars right so they all get the training dollars so I think it starts with knowing what our goals are knowing what they want to learn how does that dovetail into what we need to do better like what we're going to be doing in the future so many people have come to me saying we need to spin up on cloud so we bought subscriptions to A Cloud Guru which is really great online cloud training if you haven't heard of it so so that was that was one way but I think
it really starts by being able to build that business case so if we know that we're gonna be moving to the cloud and we know that our teams need to be better at it it's really easy to build that business case that I need to be able to pay for training for my team all the dots just connect so I'm not I'm not really that smart it's just I try and connect the dots to be able to get the thing that I want for my team so and you can you can hack some of it too like SANS we buy SANS credits ahead of time so you can get a discount if you buy SANS credits ahead of time and they
discounted almost 50% if you buy online credits for like the online courses so I'm able to save thousands of dollars just basically by planning ahead like if I know I'm gonna do a certain amount of SANS courses I just buy them ahead of time and then I get to save all that money and then we we use them and we buy more so I think there's also local opportunities like where I'm from there's NoVA Hackers there's BSides Charm there's BSides DC there's BSides NoVA there's a lot of there's monthly tool meetups where you get to meet people I encourage people to get involved with those communities to go to local meetups to meet people the
network I can't imagine it I can't even remember a situation where I told someone no they couldn't do something it just means I have to work harder to make the case sometimes like I said there's a lot of people from my team here but this is a chance for us to bash our brains in and get immersed in this subject matter and then we go in there like we just drank jet fuel we go back to work and we're like let's do this and that's an easy case for me to make because this is hard work and we get to have some fun and we get to learn too so I hope that answered your question and it does sound
very like utopian like oh I just make a good business case and the money just shows up I know that organizations don't work that way but like I literally worked at one of the largest consulting firms in the entire world before I went to GW and I asked them to send me this and strany and they're like I don't see how that relates to your job it's like oh yeah me being better at security like definitely shouldn't make a security consultant any better totally but meanwhile then I go to higher ed and we like make those investments in people so some works just don't get it for sure but that just means like what do we do we give up or
we try harder it's like okay let's let's try harder let's go at it a different route let's build a better case let's show how we can save money let's work out some deals with some content providers Cybrary Pluralsight you know there's great there's great content providers out there now that will make a deal with you if you have the right conversation any anything else okay thanks everyone I appreciate it