AdamMcMath

[Music] so apparently now we need to go with without pants because pants is the problem can you hear me now okay I will hold it and it will not get connected to my pants there was a a lady I saw at a conference once and she was wearing a dress but she had these boots that were like coming right up to her knees and she actually took the mic receiver and clipped it on the end of her boots it was really sexy I'm not going to lie but I'm not allowed boots so I don't know it is I I wore my hoodie today though because I want to actually have some hacker cred uh but this is not the

hacker cred talk if you're looking for the hacker stuff that's probably harsh who's doing stuff on car hacking uh this one is about cyber security careers uh and this is a little bit about some stuff that has been you know stuck in my craw for a little while and if you read the the description of what this is about you you can understand some of that too the whole yeah there's billions of jobs in cyber security that are going on filled uh and I think that we're missing something ourselves as cyber Security Professionals I think that as cyber security leaders who are hiring people we're missing something I'm hoping to at least open this as a

conversation I would love this to be an interactive conversation too so heck he has his heckling this is the heckling face I see it looking for questions looking for opportunities to talk I'm looking for everybody to learn from each other this is something we need in cyber security too you've heard it now twice if you were in this room already today from Michelle uh from Vincent we need to be continuously learning from each other right this is a big piece of who we are and what we are so I'm going to give the finger guns to Brody and let's go to the first slide here uh I had I've been working on this for about four years and

nobody's ever wanted to do this one before so it's gone through some alternate titles including every time you post a job ad for a junior cyber security analyst that demands 10 years of experience bra inp God kills a puppy and then I thought well that's putting too much on you know other you on the the job hires so then the next one is every time a security professional says I've got lead High cyber skills I don't get out of bed for less than a g note B God kills a puppy um but then I thought okay maybe there's something in the middle that we can we can do instead uh which turns into oh seriously Adam rough present

yeah I get it okay uh every time a corporate recruit looks at LinkedIn to build a cyber security candidate profile for a lazy hiring manager God kills a puppy because God help you if you are a hiring manager and your recruiting team says oh yeah we are great at recruiting we're the best at recruiting we'll recruit you the best candidates and then they go and they look on LinkedIn at my profile which you know CIS

pgis help us yugu for anyone who's worked with yugu at the City of Calgary he has so much alphabet after his name that they invented new letters for him and that isn't doing us any favors either so taking no accountability for who we're trying to hire who we're trying to be is difficult there too and then we cyber security Talent hard pills to swallow I'm this is really where I want to go is like are we the special snowflakes we think we are are we actually dealing with the problems the right way in our jobs in our careers we are a young industry it has only been around for I don't know 50 years if we

talk back to the history of the computer univac days cyber security we've only been calling it cyber for the last 5 years it was it security before that telecom security all those things before that so are we getting our feet wet the right way and then we're reading the News 4 million and so when I did the original synopsis back in uh for the for the talk back in in I guess it was probably June or July or whatever it was only 3.5 we're up to 4 million now he how many okay who's hire who in the room has like job ads out right now who okay is willing to admit that they have job ads out okay there's a few of you

that have jobs who here might be you know looking for jobs over the course of the next six months y'all should like kind of talk to each no this is a hard subject because you know it's easy to go and say I'm going to go work with the technology and I'm going to go hack crap in fact that's kind of what I'm thinking for my talk next year crap Adam broke in 2023 because I like breaking stuff if anybody came and hang out with me uh you know yesterday morning uh we were poking at things with my flipper zero and my my proxmark devices go Han uh go hang out with Hank forom same thing we he loves

breaking stuff the stuff that is hard is The Human Side of cyber security and not even the social engineering side of it but the human side of who we are how we want want to be a profession the other title that I had uh was self- gaslighting to a better tomorrow but then my oldest kid said you know Dad that sounds really depressing and maybe you should get some help and I was like yeah but I had a Red Bull instead so why do we say this why do we say this four million unfilled jobs and so this is 2022 anyone from foret in the room no I'm repping foret apparently and uh there's nobody here to hear so there

we go but companies like foret all the vendors they come out with all sorts of reports as well that are saying these things too Recruitment and Retention of talent is a problem are we stealing from each other if we're trying like if we are a small incestuous community of cyber Security Professionals are we stealing from each other or are we giving each other opportunities to learn and grow well we probably are stealing at this point but the reality is who here wants to do do the same thing over and over again okay hey for enough money I'll Shel poo right but the days of you know building Fords for the most part are over like

the old Henry Ford put people on an assembly line we want to do stuff that excites us we want to do stuff that is you know you know does good things and and helps us learn and grow experience new things we want to contribute I think every one of us wants to you know do work that matters right and we want to receive recognition for that contribution too in the form of usually our salary but also people recognizing and saying hey Adam I appreciate you hey Tim I appreciate you Tim was my boss at the City of Calgary and we were we've worked together a number of times over the years but those are the things we're

looking for so we don't have to be stealing from each other we don't have to think that we're abandoning people right Alan he abandoned me at the airport but you know what he abandoned me at the airport because he needed the next level to go and see the new thing so what roles are organizations's looking for cloud security specialist security operations analyst security administrators sounds like there's a whole lot of things that we're doing how often when we're seeing the job ads for those of you who put your hand up saying yeah I'm looking for a job when you go looking for a job you see well we need somebody to do our pentesting we need

somebody to do our GRC we need somebody to do our audits we need somebody to talk to our board is is this realistic not really realistic is it uh this so I I I did go out to the Internet and try to find stuff that we could actually reference back and in all my slides I did actually you know I'm not making this crap up this is me taking screenshots I did take some screenshots too of horrible job ads and then I got really depressed and had to self Gaslight myself and do a better tomorrow so I didn't include those screenshots uh this is ictc and this is how they wanted themselves uh referenced if you ever put it on a slide one in six

Canadian cybercity roles go unfilled whose fault is that I don't know is it anyone's fault is it because we Sorry hiring manager hiring manager I yeah I like that I like that commun between theing manager and the HR doesn't consider oh that's good too Kevin that sounds like accountability

Dena is gonna finish my [Laughter]

talk so shared accountability oh my God you guys this is the brightest audience I've ever had

see and this has been endemic for a long time you are 100% correct I remember when I was so I was at Nate back in 1994 and there was a job ad that we were passing around that was looking for 5 years as a Java developer and Java had been released for as a developer package for two years right so this has been going on for a while this is not new we're just we've just inherited

it

positions Alex had one recently when we were talking last she said that yeah the junior cyber security position required five years of experience and probably a cissp and a certific yeah yeah well and a cissp gicsp c risk anything from isaka ISC squared all requires five years of experience before you can even get there what have you

seen I saw that go away for a little while but it's back isn't it right so the idea of the degree everybody needs to have a degree in compai all of a sudden or a degree in engineering those of us without degrees what are we supposed to do about that that's tricky so and I usually try to boil things down to things of Threes right make it easy on folks why are we seeing some of that because hiring managers are trying to replicate themselves they're saying I have been the sole cyber security person in this organization for the last 10 years and what I need is another me they're not looking at the business objectives they're trying to serve so

when I'm talking to people who are trying to hire this is usually where I tell try to steer them towards what is the business problem you're trying to solve do you need somebody to help you manage vulnerabilities do you need somebody to help you tune your sim to fix your noise do you need somebody to help you understand how this new AI stuff can fit into your existing Technologies find out the business problems you're trying to solve don't try to replicate yourself I absolutely hate that oh Adam if I could only clone you well then you'd be in real trouble and nothing would get done because we'd be breaking all day long um for those of us then and so besides Edmonton

okay this is the year of the floppy disc by the way I love this so besides Edmonton we did floppy discs as well as part of our badge um when I was at bides Edmonton I sat down at as many table as I could just to try and talk to as many people as I could and and discuss who we are in the industry and almost every time it was well how big is your it Department oh we got 15 people how many people do you have in cyber security me how many it leaders do you have in your organization oh we have a CIO we have two directors we have five managers and we have 35 technologists and who do

you have for cyber security me and where do you sit in the orig chart um yeah I'm down there so then this is our opportunity as a profession to evolve and this is where I love every single one of you in this profession right now lead upwards and we have to be Educators we have to educate who we are what we are what we're doing what we want to be a part of and my slides disappeared that's awesome hi Dan Dan you're doing great this is lovely we're g to go back one poor Dan he's he's trying to I I gesticulate wildly and he's trying to read my use and no you're good this is be you're

beautiful Dan thank

you best crowd ever this is so good um deliver business value so when we were designing the badges for bides Evington me and a buddy of mine were're kind of working through this and we had various little puzzles that we could do so you could earn add on Badges and it was really eye openening for him when I said uh he was like oh we got to start off with a cipher and we got to look at you know we got to have people doing packet inspection and I'm like but that's not what motivates everyone in security and he took that as like a oh wow okay that was his eye open moment that okay

there's so much more that we can be doing but deliver business value focus on the value that we offer the businesses we work in coach yes okay we want to be coaches sure be coachable this is a question I asked in a forum about a year and a half ago with a uh with a really wild group of people but I asked the question do we suck at being led we are the Mavericks because we're in cyber security right we're all we're all smart we know we're smart even if we're stuck with all sorts of imposter syndrome but we're all smart and we know it and sometimes we feel like we're the smartest people in the room so does that

mean that sometimes we're not not listening when our boss or some other leader in the organization is saying our business objectives are this the last corporate gig I had I brought I broke down their risk factors in their organization down to four things and I'm not going to tell you what they are cuz they're probably some sort of secret asset protection was number four operations was number one there's an operations and guest experience thing that was more important than anything else in their organization Allan smiling cuz he knows now you just have to dox me and Allen and you'll know who I'm talking about but asset protection was the actual lowest risk posture item in their organization

because we had to go out and listen to the people who were running that business about what their actual goals were of course being the cyber security people were like just please turn off the windows 2003 servers and they didn't but anybody you know anybody want to argue any of this it's like I if I'm wrong I'm happy being wrong but like are you seeing something in your jobs in your search for fulfillment in your jobs what what can I

add

to encage students here someone that youat and these people all want to get back so there's some pretty you know pretty powerful people in this room some really powerful people we got Michael we got Tim these are all guys who want to help we got what's up you good D oh

yeah

conception so okay uh okay very very quick I'm not sure if everybody heard the questions but what what Kevin was asking about and and kind of giving some some thoughts about to is the idea that this community is who this community is because we want to grow and mature as a profession we are looking for ways to learn and grow and experience new things and everyone in this room wants to have these conversations with us and then the question from Dan comes to when are we ready to be coached when are we ready to not be coached and the reality of that is too that uh you know we should be coachable from inception but we have to

approach what we do in our businesses with no fear and sometimes it's scary and sometimes we'll fall and sometimes we'll fail um I'm trying to remember who was asking me this question yesterday but it was like What if I make a misstep it's like so uh you know how many missteps I've made along the way um there are very few missteps we can make in our career that we can't recover from and more often than not the things that I thought were missteps actually turned out to be a you know a really cool opportunity what's on your mind do

they

I'm gonna I I got a few slides on that later on that phenomenal question and for anyone who's you know I'm hoping we can all hear but some of the answer to that too is I don't even know what questions I should be asking I don't even know what I should be experiencing some of those questions come down to asking what question should I be asking what am I missing Tim wants to say something he's got he's been I can see it he's he's just vibrating and it's like he's had the Red Bull not

me

you

the part and do you a

chance

so following up on on Dan's question you know if you don't know what the questions are ask what questions you should be asking I love that too it's like what what what do I need to know where where do I should where should I go who should I be asking questions there's so part of the problem I think that we're in in our industry right now too is there's so much to consume there's so many YouTube videos there's so many LinkedIn posts there's so many uh podcasts Tim's podcast is awesome just saying but there there's so much information to consume that sometimes it's hard to weed out the the signal from the noise and that too but that's

why we come here that's why we come to besides to interact with the people always remember that as much as we we often get into this industry because we want to work with technology the end result is we're here to work with people we're often here to work with people and the people and the business objectives we're trying to serve you know is really where we'll find our success and as we have missteps in our career too you know you can we we we rise and then we have a little bit of a dip and this is my career whatever and I'm not even you know I guess I'm not trying to make fun of alcoholism because I don't really

drink anymore but we will always have this dream that we're trying to achieve and sometimes the dream is unrealistic it was when I first met a real live astronaut that I was like oh dang like that's actually a human being doing human being things that are far beyond anything I will ever achieve in my life so sometimes the dreams dreams aren't actually achievable that doesn't mean we failed it means we have a new opportunity to try and find the next dream right Peg right hole when I so I went and worked with Trent for a few years at the City of Calgary it was awesome and the funny thing with that was that he was like dang you are not in

your right place here doing Capital risk Capital project risk assessments and I'm like yeah um and and this is not something that is fully developed either this was just me on a on a Wednesday night trying to formulate some ideas but we are a broad group of professionals doing a broad group of professional things if you are a technologist wanting to work with tech writing policy is probably not going to be where you're going to feel fulfillment in your job role if you are a pentester if you are an offensive technologist maybe doing vulnerability management won't be where you'll feel fulfillment in your job role if you are looking at awareness education budget accountability politicizing the leadership side of our

business is really important too but it is not for everyone everybody says says I want the boss cuz I want the boss salary and then they realize that being the boss really sucks uh and the the vendor side of our business too there's lots of vendors down the hall and they're all doing great things too they have all their goals and their objectives are trying to achieve and I highly if you don't have a whole lot of experience in this realm in in cyber security in general you're going to have to try a few things to figure out where you want to be and who you want to be because I really thought that yeah risk assessments on capital

projects for for government that sounds cool and I want to do that for a while and Trent found a way to get rid of me rather quickly cuz he knew that it was I was problematic does anybody have thoughts about this about where we can be in our in our careers and maybe what's missing

there yes

yes so when we're talking earlier about stealing from each other the reality is is we shouldn't be thinking about it from the perspective of stealing this small talent pool from each other but giving each other opportunities to learn and grow and explore I have told everyone that has ever worked for me I will never you know I don't buy into that whole people don't leave bad companies they leave bad leaders people in cyber security need to explore the world and figure out where they need to land and for anybody who's ever worked for me I've told them from day one you ever need a reference I won't be the guy to freak out about you know you know

saying hey Adam I'm thinking about doing something different if I can't offer the people that work for me the opportunities they're looking for to learn and grow and explore and do new things and deliver value then and for those of you that are in leadership positions in your companies I hope you can start to think about doing the same encourage en your people because the last thing you want and okay I appreciate it yeah I will do the same thing I will work for for the money because because we all have to eat some of us have kids to

feed yeah

yeah yep that's brilliant yeah msps so there's lots of Outsourcing opportunities to be a part of what's on your

mind sometimes it's kind of hard to tell our different goals and back we have to do a lot

ofies I've seen that on Reddit a lot so I have a couple opportunities I can go be a cyber security analyst or a cybertech engineer what should I do and and I bring out the the the the Thor quote it's like all words are made up right because that's what all most of our job descriptions are is made up words this is what's killing me in the job descriptions and and why I you know had that existential crisis looking on indeed.com was that these postings were for all of these things continuously in our organizations and this is not achievable by any individual this is achievable by a team and yet for a team of 15 it people we add in one cyber

secur analyst and when I'm talking to people when I have the opportunity to talk to students I often tell them too is you you got to get a school you got student loans you got to get paid off go get a job and when you look at things like the ISC squares CP body of knowledge what you'll discover is that pretty much all of it is stuff you will be doing in your job you are not your job title for any of you who are trying to build your brand on LinkedIn you know it has you know you have your name and then you have your little kind of blurb underneath don't put your job title there your job title

is somewhere down in you know in your your experience put who you aspire to be right so on your mind it's Adam MC mouth cyber security risk management it's not you know director of cyber security is some 12 billion doll company that doesn't give a hoot about who I am right it's build your brand about who you aspire to be right it may be greatest hacker in the world it might be uh security awareness educator Ry Gia did uh did a talk at besides Calgary last year where this was exactly what she did who do you want to be who do you aspire to be I learned so much from that talk it was fantastic

let's scoot to the next one Dan because I'm running out of time you guys are brilliant thank you so much for the conversation he's

trying

am I feel like it is massive

vulnerable

and okay I'm going to take that so what we're talking about is how do we do that educating upwards if this is the reality of what we are why would we say cuz we're the special snowflakes why do we believe that uh we are actually more important than one of the best project managers in the company an IT project manager does a whole lot of things an IT project manager is capable of doing great things a full stack developer are we actually more important than those individuals the place that we have to be because our industry is so new I'll sneak back to you in just a second is that we have to be those Educators we

have to be delivering that awareness in our organizations we'll scoot forward Dan I think uh uh piie oh and this is this is where we'll get into this and I had to get some memes in there so yeah there's there's hey thanks Toby yeah and yeah I just silly memes in because I like pie and I I did that at at at Thanksgiving this year and my middle kid I may have scars now but that's [Applause] besid you had a thought I

just

y

y yeah well let's burn through this and that is actually my closer you're jump you're you're head of the you're head oh yeah next one there we go performance image exposure so one of the things that because we often have privacy and cyber security we put them together but they're kissing cousins at best they're not actually really all that related privacy is much more of a legislative issue versus cyber security which is taking who we are in our business and providing reasonable security of personal information which could be our role within privacy sure but sometimes we take that a little bit too hard so if we start off with the idea of performance this is what we all

seek to do in our education in our careers we want to perform we want to do good work we want to be experts we want to be known for being experts in our field we want to be known for being the go-to people when we have the bad day we want to be known as the people who are absolutely necessary at project initiation wouldn't that be awesome if all of our project projects had cyber security advice at the Inception rather than you know a risk assessment at the end when we tell them that their stuff's all broken and you shouldn't go to prod yeah never I have scars there so performance is absolutely a key piece of

that get good at what you want to get good at and get paid while doing it right get a job get any job do that exploration figure out how you can deliver what you're delivering my first job I stayed at for a year my second job I stayed at for a couple years I ended up in my own consulting firm which ran for 17 years successfully it was glorious but I always kept moving and I re all the Tim has always kept moving the people that that are are always seeking new experiences are the ones who you know are worth having those conversations with about you know where did you screw up where would you have liked to have

stayed that you didn't stay because I've had a few of those over my career too craft your personal brand when I talk about privacy how many of us actually have LinkedIn profiles that say this is who I am I'm adom mmath I do cyber security and I do risk management and I'm not saying do what I do because well I'm a old bald guy who can't clip a mic thing onto his pants or it'll break but craft that personal brand and that's another one where you're going to fail I continue to fail I try things I see what works right it's much more of the design thinking methodology it's okay to stumble along the way as long as we learn for that in

the process and then exposure right you have to be seen um I I have worked with people over the years who they come back to me and they say yeah if you Google my name you'll find nothing like okay great um who are you if you want to advance in your career you are going to have to be Expos your exposure to your personal brand will give you the opportunity to per form at ever increasing levels maybe we want steady state in our lives I don't judge that's fine there are people who want that who genuinely want to work in the same role if you want to grow if you want new career you are going to have to

have some exposure to an image that is attractive to the people who are hiring that we're going to educate along the way through our performance so performance we tend to put 80% of our effort into that we put 15% of our effort into our image and then we put 5% into exposure um when you look at I don't know some of the people that we would consider successful in this world the vast majority of time their performance is something they did 20 years ago and today it's 50% image 45% exposure and that's okay too scoot to the next one so I got two minutes so my three things that I suggested maybe we got some issues with

we got awareness problems be Educators in your environments your environments don't have to be your boss they can be other people in your organization you can work through the entire organization find Champions find it people who want to do what you do or want to be connected to what you're connected to find Human Resources people recruiters Educators anywhere else in your Human Resources we all like to hack on human resources some of the coolest security people I've ever worked with have been the result of Human Resources image problems this one I would love to have spent more time talking about but we're not I got one minute um align your image in your organizations to business value

if you're looking for jobs look look through some of those job postings too we if the employers are going to treat us like numbers we can treat the employers like numbers huh uh leadership problems if we have leadership problems this is where the accountability piece comes in you guys nailed it right at the beginning I didn't even need to give this presentation it's great we'll sneak to the I think it's one more here this is the one that has become really important to me over the last 5 years as we've gone through a global pandemic and I hope maybe can be helpful for any of you as well when we went into the pandemic and

there was all of the stress around all the lockdowns or all the unlock Downs the uncertainty and it was one of my kids Ringette coaches who taught the kids on that Ringette team there's two buckets there's a bucket of things you can control bucket of things you can't control the the more you focus on the bucket of things you can control the lighter the bucket of things you can't control gets so focus on what's in your control we can't control the crappy job postings what we can control is how we react to them and what we apply for and how we apply those learnings in our jobs and our and our daily lives and follow

the right energy this actually came to me from my my boss in my current role is uh I was raging against uh someone who was doing something stupid and I came back to he came back to me said I'm just ignore all that follow the energy where's the energy where can we go that we can actually make the right difference that we want to do there's going to be so much that's out of our control most of that will have negative energy do what you can to focus on the right energy and what's in your control and that's really it that's the we're at 11:21 we haven't yet had a I think Vincent's the only one who's ended on

time so far today thank you Vincent for being cool um my name's Adam please connect with me on LinkedIn I only log into LinkedIn a couple times a week because I uh have my

like thank you Brody thank you Dan I'm going to take off the microphone come talk to me if you want [Music] hi