
BSIDESLV 2018 - Hire Ground - Day Two

BSides Las Vegas, published 2018-08 (recording length 6:49:52)


It is a labor of love. We are sort of unique in the standpoint that it's a combination career fair, content, resume review, career coaching. We actually had someone yesterday who said that they flew in from Australia to actually be part of Hire Ground. So I started crying and ruined my makeup and that was just not a good thing. So thank you. Mike Murray is just absolutely phenomenal and this is his third year presenting for me because I find that a lot of the career tracks really talk at sort of an entry level or a basic level and there are many of us in the community who really need to sort of have that extra midway in

our career, or what do we want to do to move beyond into management, or we're trying to talk about other issues in our mind than just pen testing or blue team or red team. So Mike comes up with a new wonderful topic each year, and then this year it sounds like we ended up having coffee about 15 minutes ago and he totally changed his presentation based on that. So with that, Mike Murray. Yeah, oh, there we go, alright, technology. Alright, seriously, actually, before I start, can we do another round of applause for Kathleen? She is amazing and really the driving force behind this whole thing, and to me, so I've told her this before, but I'm gonna say

this in front of everybody. This is literally my favorite talk I get to do all year, and I talk a lot, right? I talk at a lot of conferences, I talk about a lot of things, but this is one of the few where I really get to feel like I'm giving back, and it's a lot of war stories and a lot of things that I've learned over almost 20 years of managing in security. As Kathleen said, each year I've shifted the talk. This year I had an entire plan. I got to two days ago, and I realized that I didn't like anything I was saying, so I completely rewrote this from scratch. You guys are getting a very different presentation than

I've ever given before because I've noticed a pattern or two in the industry that I really want to call out, and I really want to talk about, and I really want to point out. At the same time, I'm not here to espouse really, I'm here for all of you. So I plan on, this is an hour, but I plan on only going probably 25 to 30 minutes because each of the last two years that I've done this, we've spent more time on questions and answers and interesting, just whatever problems you all are having than whatever I wanna talk about. And I like that format, I like being able to hear what you all want and

what you're all thinking. So we're gonna do the same thing. I have to start this meeting with a caveat because we're live streaming. And I'm gonna tell a story about what happened to me last year. So I got up here last year and I did what I think was the weirdest, most boring security talk ever at any conference. I did an entire talk on how to have meetings, which I'm, Yeah, I'm a management nerd, guys. I like that kind of stuff. I like thinking about how to have good meetings. And what was really awesome is I spent a bunch of time talking about how important one-on-one meetings are. And before I even got off the

stage, there was a Slack message from one of my junior employees that said, "Why don't you ever have one-on-ones with me?" So I'm going to say it up front. Look, managing is hard, and it is hard to do all the things that I'm gonna talk about well, and I will promise you I don't do them well even after 20 years. This stuff's really hard. Honestly, I got into management because I love, I'm probably a lot like most of you guys. Though it seems like I'm an extrovert and I'm very outgoing and effusive if you see me at a party, I'm actually really shy and I really would rather just be sitting in a corner with

my laptop and my headphones on than actually dealing with or talking to people. And so this stuff's hard for me. And it's actually, I think because it's hard for me is why I want to teach it. None of this is actually ever easy. So, to talk about how to get teams in this industry to do well, I think it's a really important set of topics for anybody who wants to go into management. So actually, before I even start, how many of you think you want to be a manager someday? Oh, I'm so sorry. I'm glad you're here. I hope at least one of you I talk out of it. And that's not because management is

not fulfilling. It is. It's actually... I will tell you the best things I've ever done in my career are through other people, not through things that I came up with. And the things that I am most proud of are the days that I actually just sat there while someone else did the work, but I knew I had prepared them to do that work and they kicked a lot of ass and I just really got to sit there and buy pizza. Like that's a great day for me. But it's hard to get there. And all the other days where it doesn't happen like that are really unfortunate. But to that, I want to talk about some

of the things that make management in InfoSec and especially high-end InfoSec. So when I say high-end InfoSec, you know, you go around Black Hat and DEF CON and you see some of these talks and you realize that someone is literally talking about how to do some crazy cosmic ray bit flip of a register in a CPU that you've never heard of. Managing those people, right? Because they're a very unique breed, and this industry breeds a type of people that actually, I tell any first time manager in security that if you learn to manage security people well, you can pretty much manage anyone. Because we are the hardest, first of all, I think we're the hardest industry

in the world to have a sustainable career in. And on the other side of that, we're the hardest industry in the world to make sure that other people under us have a sustainable career in. And it's funny, because to me, it's not a feature. Or sorry, it's not a bug. It's a feature. And it's a feature of the industry. The industry itself is set up so that the career is really hard to maintain, and management is even harder. So let me ask you guys a question. How many of you have, again, strictly in security, security job only, not product management, not marketing, not sales engineering, for more than 10 years? Good. That's about half the audience. Now, of that half of you,

of the people you started with, how many of the people on your first teams, more than 50% of them are still in the industry? Really? So about half of them. I've been doing this for 20 years, and on my first three teams, I think about 10% of those people are still in security. That's not true of other industries, and there's a reason why. And we don't often think about what it means. We think about what it means when we talk about security a lot. If you go just look at the talk roster at Black Hat this year versus the talk roster at Black Hat in 2012, you will notice the talks are about completely different subjects. The word SecDevOps is everywhere this

year. That word didn't even exist two years ago, and now it's the main focus of this conference. And there's a reason for it, and it's fundamentally baked into the industry. Anybody know what the technology life cycle is? Okay, so first of all, anybody ever read Geoffrey Moore's Crossing the Chasm? Seminal book, if you want to be in management, if you want to understand business in technology, you must read that book. It is absolutely required. It's a little old now, it was written in 2001, but Moore actually talked a lot about the technology life cycle. Basically the idea is that as the technology goes through its maturity, it has a bell curve life cycle. Looks kind

of like this. In the early days of a technology, nobody uses it. This is basically the axis on the left here is the number of people who actually use the technology. On day one, actually it's more like day zero because this is like early alphas and early betas, this tiny fragment of people who actually use the product. And over time, if the product is at all successful, then you get early adopters. These are the people who lined up outside the Apple store for the very first iPhone, even though the stupid thing didn't actually let you send a text message or cut and paste. And those are the same people who are still lining up. Those are the people who got the iPhone X, even though I thought Face ID

was the craziest idea I ever saw and really didn't want that technology. But still, a whole ton of people bought it. Then you get to the early majority, when you really start to hear about the product. The late majority, which is when my mom comes to me and says, what's this iPad thing I've heard about? And then finally, what's known as the laggards. I hope I don't offend too many government people, but anybody still on Windows XP, that's them. And you see government, large companies, older sort of non-technical businesses. This is sort of the curve of obsolescence of every technology. Now here's the trick question for us. Across this life cycle, where did the security issues happen? Say it. No, no, not at all.

When was the last time there was a massively significant vulnerability, like a change-the-whole-internet vulnerability, in the TCP/IP stack?

At least, right, we're talking at least a decade. When was the last time there was a vulnerability in, I don't know, Apache Spark? Like yesterday, right? And actually, what the curve looks like if you look at vulnerability distribution is it looks like this, right? So when the product first comes out, the thing is Swiss cheese, because nobody, you know, the three people in the garage who just developed the technology, did they care about security at all? No, they're just trying to get the product out the door. The very first version of the technology always sucks, but nobody uses it, so there's no loss, right? You're not really worried about a hacker hacking your limited beta

that you've only allowed three users to have. It's actually, what the interesting thing is, is as the technology matures and people start to use it, this is where the attackers really get interested, right? This is, so this is Facebook in 2005 when it was just, you know, Mark Zuckerberg and Harvard and nobody cared. This is Facebook in 2010 when suddenly everybody's doing the, oh, no, I'm stuck in London. I just got hit over the head with a brick. Please send me money. Everybody remembers the scams. There was this huge proliferation of stuff on social media around then. We spent all this time building social media protection products. There's companies still that are advertising social media

security, you know, somewhere on the show floor, somewhere within 100 yards of here. I guarantee it. And this is where we spend almost all of our time. Now, what's interesting about that is the consequences it has for our careers and for our people. Because it means, so in general, for the most part, in today's world, if this was five years ago, I would quote you a different number. But in today's world, we have a new technology shift like this about every three years. And I use SecDevOps as an example right now. SecDevOps is sort of at this level of popularity right now. Three years ago, lots of people sort of knew about it, and there were some whispered conversations in the hallway between the few thought leaders, but now

everybody talks about it. By the way, two or three years from now, SecDevOps as an idea is going to be out here, and there's going to be one talk at this conference about SecDevOps, because it's going to be widely accepted. Now, what this means for us as an industry is actually a huge problem. And to understand the problem, we have to talk about accounting. Not because I like talking about accounting, but so that you understand the pace of change in other industries. Innovations in accounting. So, CPA cert, 1896. GAAP, the rules of accounting, the fundamental rules are called GAAP, the Generally Accepted Accounting Principles. The GAAP rules do change a little bit every year, but fundamentally GAAP's pretty much

been the same since 1939. If you learned GAAP in 1939, you could read a couple of articles and be up to speed on today. So in the last 60 or 70 years, your knowledge is stable. In the last 10 years of security, our life kind of looks like this. Oh, don't worry, it speeds up. And I'm probably a couple of years behind. I know I forgot SecDevOps on here somewhere. You get the point. Our industry has evolved more in the last 10 years than accounting has since 1939. And so it leads us to this world where constant update and constant reinvention is required. We must continually learn. And my rule of thumb is really simple. Every three years, the most

valuable thing in security changes. And I'm using SecDevOps as an example because that is pretty much one of those things right now. If you're an expert in SecDevOps, you have lots to talk about, you have lots of things to write about, you have lots of conference talks to give, and you have lots of people who want to offer you a job. If you're an expert in protecting WPA2 on wireless networks, well, not so much. And yet in 2003, 15 years ago, if you were an expert on protecting WPA2 in wireless networks, does anybody know there was actually a certified wireless administrator certification? Okay, now that I've asked that, did any of you get it? I was hoping, no, I was literally hoping that there would

be at least one person who got that cert. The point being... Something that was important enough that we made a certification for it 15 years ago is now not even a job. That's how fast this industry evolves. And so a lot of us end up like this. The reason I ask the question about how many people that you started out with are still in security is because our level of attrition is so high. If you start out in the career path as an accountant, you generally are an accountant when you're 50. There are exceptions to that rule. But in security, it's the other way around. The people who have been around for 20 years walk around here. How many people have actually done nothing but security

for the last 20 years? Look, you guys are a very small handful, right? You're a very small handful of your peers. OK, and I guarantee you, you're the only one in the room who's done that. Yeah, which I caught earlier and I was like, that's a good t-shirt, I want one of those. But the idea that people don't stay in security for this long for a reason. And so one of my favorite jokes ever made on the Black Hat stage, Scott Blake did a talk. And for those of you who remember Scott Blake, he started the RAZOR team at BindView. He was CISO at Liberty Mutual for a while. And Scott did a talk, I think it was in 2001, called Should

You Hire Hackers? Were you there? Scott opened the talk with my all-time favorite security dad joke. What's the difference between a hacker and a security professional? Time of day? Nice, not a bad guess. A mortgage. And the fact that you all laugh means you all get that, right? Like, that is actually true, there's a truth to that statement. And because of that, as soon as we want to grow up and not continue to reinvent ourselves every year and not continue to learn. By the way, I have ridiculous ADHD. Anybody who has ever hung out with me knows I'm always thinking about something new. I'm always learning something new. This industry works really well for me. Because after about

three years of knowing something, I'm bored and want to learn something else. And so that's why I'm still here is because this industry fits for that. If I had, at 27, decided I wanted to coast for the rest of my career, I would still probably be a pretty decent web app pen tester, but how useful a skill is that really? That skill obsoletes really fast. Whereas if I learned accounting in school, I would still be a decent accountant. I might not be the best accountant in the world, but I'd still have a job. This means that our industry has one trait that I think nobody talks about. Some people after me are going to talk

about this, which I'm really excited this is becoming the topic of conversation this week. We talk about it a lot. My company, our headquarters is in San Francisco. Actually, any of you guys in tech in the Bay Area, Silicon Valley? A few of you? Okay. So the one thing that I've noticed, and you guys can confirm if you're seeing the same thing, but all of my friends are seeing the same thing. Rates of attrition on staff for security people in San Francisco range between 35 and 50% a year. It's really interesting to me to talk to managers around me who haven't come from security, because if you didn't come from security, actually, our CEO is a brilliant man. He's done all this incredible business stuff

over the years, and he said to me, so he's built tech companies in Boston on the East Coast, you know, over many, many years, and he said, "You know, when I was growing up, if a CEO had 7% attrition, the board was asking them why they were terrible at their jobs." He took over this company and his first reaction is, "30% attrition? Oh my goodness." Then people started telling him, "Wow, you only have 30% attrition? Great work." Because that is the new normal in security. By the way, it's not a bug. It's not a problem. It's actually a feature of everything I've been saying. If you have to reinvent your skills every three years and you're in a job,

three years from now, suddenly the skills you're learning may not apply to the job you're in anymore. And suddenly there's movement. We move a lot more than most industries. We have a lot of attrition. I actually, I think the only way that we as an industry survive in the long term, you know, we all try and manage it. I bet if we talk to all the people at the back of the room, most of the organizations have ways to try and retain their people. I'm looking at the B of A people who are nodding at this, right? And we work really hard to retain our people, but we also have to realize that kind of movement is actually a feature of this industry. And

if you do that, then you realize you have to change what you do as a manager and a leader. Just think about it this way. If you knew every one of your employees would quit in the next two years, how would you change what you do? Would it change the way you manage? Of course it would. And the very first thing you would get good at is what? Hiring new people. Actually, my favorite mathematical equation. Say it takes me... Say it takes me 90 days to recruit and onboard a new employee. I have a team of four and I expect 50% attrition. How many employees do I have on that team? I think your math's wrong. Yes. No, I don't. I have three. Because if I have 50% attrition,

which means 50% of the people are cycling out at all times, and every time that happens I lose 90 days, over the course of each of those four people quitting I lose one man year over the course of two years.

I'm averaging, I'm not putting the variance in there. We do a much more detailed analysis, but just in general, the idea that you have a four person team, but you can only ever maximally expect a three person set of output out of that team. How many of your managers would say, "I gave you four people, but really, do three people's worth of work." That's not what we tell our managers. You have four people, I don't care that one just quit, you still have four heads, you should be able to do four heads worth of work. Right. I completely agree with you. I completely agree with that. If instead of it taking you 90 days to

recruit those people, it takes you seven days to recruit those people. And if you have a seven day turnaround from the time that you lose that person to the time the new person starts, then you think I'm crazy. Every single person is looking at me like, that's impossible, Mike. Oh, it's absolutely possible. It's absolutely possible. I explain it to business executives this way. We have a sales team, right? The sales team, there's 35 of them. They're prospecting on 150 accounts. Why don't they just do one account at a time, wait until they close the deal, and then start on the next account? They look at me like, "That's stupid. Who would sell like that?" But isn't that exactly what we do with

recruiting? Almost across the industry, I get to start looking for the next person the day the person gives notice. That 90 day clock starts that day. Right? You're right. My best case scenario is I get to start that day. You're right. It has to go through HR approval, backfill approval, some sort of committee. Yeah, it usually takes a week or two. And then my 90 days is 120 days. Right? And then I have two and a half people across that team of four. This is the point. The point is, if you know that you're in an industry where attrition is a natural part of the way things work, we have to change our recruiting. We have to be building pipeline in advance of actually needing the people. Because,

so it's one thing if you're in a company, like if I ran an accounting team and I expected one person to quit every five years, I could afford to lose 90 days when that person quits. If I expect half of my people to quit every year, or if I'm going to really stretch it out and say, okay, I'm going to be really great at keeping people, I'm going to have 33% attrition, so I'm only going to lose one-third of my people every year. Even still, if I have that, in order to maintain my productivity, I must be recruiting ahead of the plan. Right? I must be recruiting so that the day that that person

leaves, or that that happens, I am ready to move forward with the next hire as quickly as possible. Here's the problem: nobody is good at recruiting. I've been doing this for a long time, and I'm literally somebody who thinks about recruiting enough to stand up and talk about it, and I will tell you I might have a 50 percent success rate of hiring great people. And the unfortunate part is, there's an old sporting maxim that says, "The best coach is the coach that has the best players." And that is true unequivocally about management. It does not matter how good a manager you are if all of your people are terrible. And that's where recruiting really comes in. But the

problem is, how do we recruit? We get resumes, and then what do we do? We interview them. How many people think interviewing works? James is literally the only one with his hand up. Why? Because it doesn't. Actually, I would love to know. I'm going to take that offline because I'd like to hear about that. Because actually, I think you probably are going to know most of what I'm going to put in here. Because... All the research says, and this is the most uncomfortable thing for any of us to accept, but I promise every single person in this room does it. All the research says that you make almost exactly the same decisions after the first 10 seconds as you do after 30 minutes.

The idea, if you thought about this as the case, if everybody just acknowledged this was true, all we could do is like a police lineup and decide who to hire. And guess what? We'd hire the same people. That's the scary part. The scary part is if you turned your interviewing process into a police lineup, most of you would end up hiring the same folks. That's how strongly our unconscious process biases the recruiting process. So the problem is there's not a better answer. There's no like, okay, here's what we're going to do. We're going to take all the resumes, put them on a wall, and throw a dart at it. That might work, but I don't think any of our HR people would be okay if that was our process.

So what do you do if you want to hire good people? The very first thing is you have to accept what I just said. Your brain is out to get you. Your brain will screw you up and your brain will make sure that you hire exactly the wrong people. Most of us make a really screwy mistake. Most of us do one of two things and we do it exquisitely. We are all so good at it. We either hire people exactly like us or we hire people exactly the opposite of us. One of my favorite quotes I heard a psychologist named John Bradshaw say one time, 180 degrees from wrong is still wrong. Hiring somebody exactly

like me is just as bad as hiring somebody exactly the opposite of me. And we all make that mistake. It's a built-in human bias, right? And we could go into the psychological reasons that we like people who are like us, or we hate ourselves so we like people who are like the people we hate. There's a lot of deep-seated psychological stuff there that doesn't have a place in this talk, but it's true. And so if you actually want to interview well, and this is why, knowing Jameson a little, I bet he's actually solved some of this. To actually interview well, your job as an interviewer is to realize your mind is out to get you and to intentionally fight yourself. So, my best way to

do this is really simple. You have to write a real job description. Now, when I say a real job description, how many of you guys, I'm sure most of you have a job description. If you actually went to work and did exactly what was on that paper, how would that work? Yes, good job. But exactly, most of our job descriptions actually have nothing to do with our jobs, right? And we write these job descriptions that have all this crap on them, but what we're really, you know, it's like, must have eight years of this experience, and must know how to run Snort, and must know how to run Metasploit, et cetera, et cetera. And then you get to work, and you

never touch Snort, you never touch Metasploit, and you spend all your time interacting with people and program managers, and you hate talking to people. And you're like, man, the hiring manager's like, he seems so great in the interview. Well, why? Well, we evaluated his Java skills and we evaluated whether or not he could use Snort and Metasploit. And so we gave the person the job. The problem is, when the job description doesn't match what you actually are looking for, how are you making the decision? You're making the decision on unconscious bias. You're making all of your decisions on unconscious process. And so you literally could do the 15 second lineup and be equally as effective

because the criteria that you've primed yourself with, that you've set up yourself with, looks nothing like what will actually make the person successful at the job. And so you end up in this really screwy situation where the people you hire aren't effective, but you don't know why. I'm a big believer that 90% of management is hiring the right people into the right roles and then getting out of their way. If you don't get this step right, everything else gets hard. And if you get this step right, everything else gets easy. The problem is we're not wired to get this step right. So you have to work really hard at it. And it's ultimately about knowing

more than what just goes on the paper for job descriptions. For those who are really interested and nerdy about this, there's a wonderful article in the Harvard Business Review about 15 years ago called The Portfolio Model of Human Capital. And The Portfolio Model of Human Capital basically is the best way to write that job description. It basically says there are a lot more to a person's job and to a team, to a set of people on a team, than what actually most of us write. Most of us, when we write a job description, we literally just sit down and go, "What skills?" and, you know, "What kind of knowledge do they need to have?" Eight years of Java experience, 14 years

of DevOps, 36 years of understanding AES. Like, we write the skills down, but we don't write down the most important question. Who is that person? Are they an extrovert? You know what? If I'm going to hire an evangelist who goes out and speaks at conferences, I probably don't want to hire a shy introvert who's not very good at talking to people. And similarly, if I want to hire an amazing coder who's going to solve really hard technical problems, maybe great sales skills is not what I'm looking for. But maybe it is. But we have to think it through. You also have to think about the team you have. So what they called it in the portfolio model was they called it the weirdness quotient. Every

single company, I will tell you. So just a couple of career path jumps for me so you understand what I mean. I went to GE Healthcare and I ran a team at GE Healthcare and I hired a team of about 20 people. All of them are, I think, in fact, I'm pretty sure all of them are still at GE and they're all doing a great job. Then I went and I worked at Lookout. Now, you think, I hired the team of all these great people that I love to GE, and I didn't bring any of them to Lookout. Why? Because the weirdness and the kind of person that fits in GE's culture probably doesn't want to fit in a Bay Area startup culture, right? Or might not fit in

a Bay Area startup culture. And vice versa. Before I went to GE, I ran my own company, We were a 30 person security consulting firm. I didn't take many of them to GE with me either because that's also a very different set of weirdness. Actually, funny story about my GE employment. Three weeks into GE, and I have to come out so you guys can see what this was actually about. Three weeks into being at GE, my manager told me this jokingly, but this clearly happened. He said, somebody pulled him aside and said, "You know, I don't think Mike's gonna make it. "I don't think Mike's gonna last here." And he said, "Why?" He said, "Well, have you seen the guy's socks?" Seriously, that was the

reason. Not tech skills, not can I do the job, have you seen my socks? That's what I mean when I say weirdness quotient. Every company has things like that, which will mean like some people fit and some people don't, right? And the problem is, this is where we stray into the problem that this industry has far too much on the other side, where people think about fit, and their definition of fit is everybody who looks and acts exactly like me. Right? And we get into the diversity conversation. I am actually arguing, the point here is you should think about the diversity you need. You should be thinking explicitly, what diverse things about the people I'm bringing in will add to my

organization? What is their background? If I hire a whole team of PhDs from MIT, that's going to be very different than if I hire a bunch of people out of a coding boot camp in San Francisco who are self-taught and have learned by being scrappy. Those are two totally different teams. In some organizations, I want a whole bunch of MIT PhDs because that fits that organization. In some organizations, that's insane. And so it's up to us as managers and leaders to think that through and to try and create a situation where we are able to hire exactly the people that we want to hire. So here's my other rule of thumb, and I could talk

about this for an hour, but it is a simple concept and we all screw it up, me included. It is always better to say no to a good hire than it is to make one bad hire. Always. 100% of the time. By the way, humans aren't wired like that. You are not wired to have a candidate that almost fits and go, I'll wait till the next one, right? We all want to close our reqs. We all want to move quickly. We all want to round up. As the relationship expert Dan Savage likes to say, you know, we take our partners, and instead of them being the one, we round them

up from a point nine, right? The problem is when you're hiring, the research shows, HR people have done a lot of research, and the research shows that in general, a bad hire costs you exactly 1.5 to two times that person's salary. That is in lost opportunity cost, the amount of time you take training them, the amount of time that you actually have to spend firing them and managing them out of the organization, the things you didn't get to do because they were a distraction on your team, the averages. So if you're hiring a $150,000 engineer and you make that mistake, you would immediately incur a $300,000 bill before you hire the next replacement. It is always better not to hire the bad, to make the

bad hire. And so you have to move as quickly as you can and you want to hire as fast as possible, but at the same time, you absolutely have to be thinking about how do I create a situation where I am able to do that. Now, a quick, literally just a quick digression because I really want to get into conversations and it's about development. So everything I've said here is about how to live in a world of attrition. But how do we keep people from attriting in the first place? The answer is development. The answer is you must be committed to actually making your people better. And that doesn't just mean with money. Like a lot of us think, especially around here, a lot of

us think that commitment means I'm going to send you to every Black Hat, DEF CON, CanSec West, Recon, et cetera, around the world, and you're going to spend 26 weeks a year at conferences. That's not what I mean. What I'm-- what? I would love that. I would like that job too. But what I actually mean is you have to be thinking about how are you constantly causing your organization to learn and grow? And how are you setting them up for three years from now when they want to have that new set of skills? How are you getting them there? And this is an entire org effort. What it comes down to is not just do I send people to conferences. My team, I think we have 11 or

12 people here this week of the 35 or 40 in my organization. I would have loved to bring everybody, but we're going to take those people who came here and they're all going back and they all have responsibilities and they already know what they are to be teaching internally at town halls and internal all hands for the next few months. Everybody who comes here comes back to the organization and then trains. Even the junior people. Even the people who are here because it's their first time at Black Hat and DEF CON, I expect them to come back and teach. At the same time, it's funny, I was talking to Kathleen earlier and I'm really excited

about her talk later this afternoon because our company actually has a really great policy of volunteer time off. Where we actually give people time off to volunteer. I didn't tell you this, but this should be interesting. I don't remember in the two and a half years that I've been there that anyone ever asked to use their VTO to volunteer at a conference. And I would absolutely approve it. Right? Because volunteering here is just as powerful and, you know, an opportunity to help the world and the community as volunteering anywhere else. And not only that, you learn stuff, right? You can't volunteer here without meeting all of you. This is where networks happen, even just by

osmosis, the hallway talks, I learn stuff. Just hearing what people are talking about at dinner. Volunteering at conferences is a huge opportunity and many companies have policies around volunteer time off that I bet... Actually, how many of your companies have a policy on VTO? How many of you have ever used it to volunteer at a security conference? Do you see the difference? Half the room and two hands. But that's the kind of thing that we need to be encouraging our teams to do, encouraging our people to do to get out there, to use the resources they have so that we can keep growing them in this industry that requires constant growth. Because the other side to this, right, the other side to this, we evolve every

three years, is as a manager, if three years from now my people haven't learned the skills that are going to be relevant that day, then what do I have to do? I hope I don't have to fire them, but at the very least I have to go get new people. And then I'm back in that attrition, hiring, all of that all over again. And the hiring treadmill never stops. The best way to stop the hiring treadmill is to turn the people you have into the people you need. Much easier, but takes a lot of commitment. And actually, you said something wonderful to me, and I don't remember who said it, that somebody's manager

said, "What do you think I'm doing? Paying you to go to conferences?" And I looked at her and went, "Yeah, that's exactly what I'm doing. That is absolutely what I'm doing because that's the only way that three years from now those people are still going to be useful for me and part of my org and be able to teach those skills to everybody on my team." And it's something that we all have to commit to because, you know, we're self-selecting by being here, but ultimately being here year after year, actually all of you who have been in this industry more than 10 years, is this the first Black Hat DEF CON for any of you?

Of course not. How about B-Sides? A couple of you, it's the first B-Sides. But I guarantee you, even that, it's not your first security conference. We are a learning industry and we have to keep that going and especially we have to teach the young people. So with that, I said I would only talk for 30, I talked for 40. Let's turn it open to questions. Do I need to pass the mic around? Oh, thank you. What Mike is referring to is my talk that's at this afternoon is I've been noticing over the last five, eight years that I've been in the community that people use volunteering as just a way to get out in the

community, but they're not looking at it from a career development lens, and companies are not looking at it from a technical and non-technical skills management lens. So I actually did a survey over the last three months within the community nationally and internationally asking people do they volunteer, does their company support it, what are the skills that they have learned, if they would move to another company, if the company provided more support, and we'll be releasing some of that data this afternoon, and then we just got accepted for DerbyCon, so the full community survey will come out at that time. So if you're around at three o'clock, we have a panel of people who have used

community volunteering as a way to develop their career and how their company supports them and how they negotiate with their company to do that. And enough of the commercial for my talk later. Questions? It's a great talk. I'm really excited about it. It will be taped. - So if I could summarize your talk into three phases. You've got recruit, run, and retain. - Yeah. - Okay? - Absolutely. - Alright, so across the three categories, with the differences in management styles you're advocating here, where do you see managers encountering the most friction with the rest of their organization, and what strategies and tips would you have for them to overcome them? Great question. Really great question. And I hate to give the

it depends answer, but it totally depends, right? Every org is different. So when I was at GE, I thought I was going to have the biggest issues with the recruit part and HR was incredibly willing to just go to do whatever we needed. And I thought that was going to be the fight. And it turned out that the fight was actually about training and some of the other things. At the startup I'm at, actually I would have thought the recruiting stuff would be easier. I've had a hard, partially just because we're in many offices and we're across multiple cultures and we have a lot of other challenges, I have a harder challenge on the recruit

situation there, so I spend more time working on recruit. I think it's a matter of, for each of those orgs, you've got to understand the culture and you've got to understand. Every org that I've ever been in has had some things that don't move and some things that do. It's just like hacking. Some rules can be broken, some rules can be bent, and some can't at all. And for each org, you have to figure it out independently. Because I don't think there's necessarily a one size fits all. In the managers I meet, though, I actually think recruiting is the hardest part. Because we don't check our unconscious bias. Heck, I've interviewed... conservatively 1,500 people in

my career and I still fall victim to all of these things. I'll still walk into an interview and think, wow, this person's awesome, and they haven't said a word yet, all right? And it's just a human response, and so until you're aware of that and you're really willing to be rigorous and just almost beat yourself up every time you have an opinion with no justification... And none of us are good at that. We all do that, right? We all judge books by their cover just naturally. It's why it's a cliche. And so I think in terms of actual individual skills, that's the hardest. It's the hardest one to learn. So next question.

Mike, you keep playing with your microphone. It's because it keeps falling out here, and I don't know if you guys can hear me. I'm just trying to look like Britney Spears is really what it comes down to. There you go. Ah, perfect. Thank you. Now maybe you guys will be able to hear me. I won't sound like I'm fading in and out. Thank you for the great talk. I think the best I've heard so far today. It is only 10 a.m. High bar. So many questions come to mind. Have you read First Break All the Rules and what do you think? Of course. Yes. There's a lot of that in there. And actually, I had a slide on strengths and weaknesses earlier, but

as I told Kathleen, I rewrote it. That was in my original deck. So did you want to tell them what it is, or do you want me to? I mean, I did see some things that reminded me of that. I was just wondering if there was-- Yeah, there's definitely some Buckingham influence here. Yeah, OK. And it's great. I recommend it as a read. There's a lot of research behind it, and it gives some paradigms that I think are helpful for hiring for the weirdness, I think, that you kind of alluded to there, and understanding what the job description is as well, not just like what are the skills you're hiring for, but what are the

talents, what are the innate, what's the innate nature of the person who's going to be successful in this job? But I think my question though is related to like, so there is some value that I feel I get out of my intuition and I find my, I've studied myself in this area and I have found that when I disregard my intuition and I take it completely out of the hiring process, I am more likely to fail. And that perhaps speaks to the inadequacy of the rest of my hiring process. I disagree. I think you're right. Okay. Intuition is not the same as unconscious bias. Okay, great. So I feel like

the onus is on me to take my intuition out of the realm of unconscious competence into conscious competence and understand why that intuition is working for me, and in the ways where it may not be, if that is the case. I just was wondering if you thought that was a valid consideration. So let me just re... so we just had a lot of shorthand in that conversation. Let me just actually restate a few of those things for everybody. But you're doing it exactly right as far as I'm concerned. That was one of the most insightful takes on this whole process that I have heard. But it's especially the best

one I've heard this morning. So, all right. So, quick references. The book that she was referring to is called First Break All the Rules. There's another one called Something About Playing to Your Strengths. They're both written by a guy named Marcus Buckingham who has written some of the best things on this. And Buckingham actually... They did this incredible study at Gallup and what they found was that the most likely things in developing career for people that were successful and we had to throw it on our head a little bit. Up until about 15 years ago, everybody viewed management as, let me look at, and your annual performance review probably still looks like this. You go

in, you hear a couple of nice things and then there's this whole list of things you suck at, and we'll call them areas for improvement. But really, it's a whole bunch of things you suck at. And then there's a plan for you to not suck at those things anymore, right? We spend all our time talking about what we're bad at and getting better. And Buckingham actually did this incredible study and what he found was the people who are successful don't spend their time working on their weaknesses. They spend their time making them stronger at the things they're already good at, right? You have a superpower that is uniquely you, right? The things that you

are just naturally good at, that really come through, that you can offer to an organization better than anyone else. And if you work on being better at that, you are more likely to be better than if you work on trying to be less bad at something else. It's sort of like, I don't know how many of you guys are basketball fans, but if you think about like Steph Curry, I don't think Steph Curry spends a lot of time working on like 360 windmill dunks, right? He works on shooting three-pointers. He's already the best three-point shooter in the history of basketball, and he gets better at it every year. He doesn't spend his time working

on becoming Michael Jordan or working on becoming LeBron James. He spends his time working on being better at being Steph Curry. That's what Buckingham was talking about. Now, to the intuition thing, you cannot... So everything you said was so right on that I'm just going to restate it so that everyone hears it because, yeah, it's incredibly important. If you've been doing this for a while, you get intuitions. It's not the same as making the unconscious decision up front. And the goal of a really good interview process, and if you get really good at this, what you will find is I have an intuition about somebody. How do I on the fly then structure a question

to confirm or deny that intuition in real life? It's not about just pretending that you don't have experience. Anybody who's been managing for as long as many of us have, you can tell a lot of things unconsciously. And if you guys have read Malcolm Gladwell's book, Blink, there's a lot about how much we know quickly. The problem is that often gets mixed up. That's not a high fidelity signal usually because it's mixed up with all... It's mixed up with, did I eat breakfast this morning and am I hangry? So your goal has to be to take that, figure out what that intuition is telling you, and then figure out what questions to ask to figure

out if you're the one that's wrong or if the intuition's right. And I think that's what you were saying at the end. And really, that was wonderful. So thank you for offering that, 'cause that was great. Yeah, go for it. - So you gave a great talk on management direction. And there's enough of us in here who are managed versus managers. And because of the situation that all the managers are in, what advice would you give to the employees who have to switch jobs every once in a while because they're no longer a great fit for their company? Obviously, get training, study, yes. But managing the job interview process, managing the fact that the job

description doesn't necessarily match the job, what advice would you give us? Because I'm sure you've got plenty. No, that's... Oh yeah, actually it's funny because I was actually just about to call you out. So go for it. How can managed become better managers of their managers? Yeah, managing up. Are we on that thing today? Yeah, we totally are on that thing today. So actually managing up is one of the biggest challenges. And we often... So one of the hardest things for most of us and... is that we enter into a very strange relationship with our managers. Many of us, and this is a pattern I've noticed across most people, we relate to our management almost like they're our parents a lot of the time. And

so we go into the relationship as though they are immovable, and, you know, much like our parents, they told us what to do, and we didn't really have much say in it, right? And we still treat our managers that way. And to me, managing... I'm looking into the camera for this. If anybody on my team thinks I'm not doing this, send me a Slack message and call me out because I fail at this too. But as a manager, you have to be willing to be partners with the people on your team. And if you are, then managing up is easy, right? I don't view my team as working for me. I have management skills. This

is what I've cultivated. I will tell you, I'm the worst reverse engineer on our team of malware reverse engineers. I haven't opened IDA in five years. They're better at that than I am. And they should be. And if they're not, we've got a problem. Because if I'm the best reverse engineer, we are in deep trouble. And I know that, so I know that my role is not to be above them in some way, it's to use my skills the same way their job is to use their skills and we're partners in this. Right? And if I can view it that way, then you being able to come to me and say, "Hey Mike, I need

this." Or, "Hey Mike, you're not doing that." Then we can actually have a conversation. That makes it easy. Now, the hard part is that not that many of us, especially if you read older management books, were raised in that culture. And some managers are not as open to that, especially the autocratic folks. I see lots of nods in the room. We've all had that manager. And in that situation, my only advice is strong understanding of economics. So economics is known as the study of incentives. What are your manager's incentives? What do they want? And what do they want is usually not what they tell you, right? If I go to my team and I say, "Hey, I need you to do X, Y, Z." It's not

because I really want that, it's because I want something else. Does anybody know the Toyota system of what's called the five whys in the quality system? Where you ask why five times and eventually, like after you've asked why the fifth time, you have the real answer? Figuring out what your manager wants is really a five whys exercise. If you can get to, oh, they want to look good in front of their boss. They want to get promoted. They think that whatever they just ask you for will get them promoted. They want public recognition. They don't want public recognition. They want private recognition. You have to figure out what your manager wants. Then how do I

structure whatever I'm doing to help them achieve that goal? If I can do that, then my manager's happy and I'm probably successful. Now, the hard part of that, and I don't have a good answer for this, because this is where management and the manager-employee relationship is a relationship. The problem is if the manager wants something and you fundamentally can't give it to them. In divorce proceedings, that's called irreconcilable differences. Right? And it generally leads to a divorce. And the whole thing is you got to hope that you can do that divorce as amicably as possible and do it with as little collateral damage as possible. But sometimes that's the only answer. All right, I'm getting the hook from the back. But seriously,

thank you all for coming and listening. Thank you, Mike.

Thank you. I'm around. Find me. Ask questions. I'm always willing to talk and share. So just hit me up. And if you love this topic, we have Dr. Andrea Limbago coming up in three minutes, who actually has more workforce retention data. Thanks. And we'll continue this conversation. So awesome. Thank you.

Looking at increasing capacity. I love Wednesday morning with Hire Ground because we get into some sort of meaty issues and I think that's really good fodder for people to take back and see how they'd incorporate that into their organization. But as we know, a lot of people say, "Well, what's the data behind it?" And one of the most phenomenal data scientists that I know in this community is standing right behind me. You know, she's also a phenomenal woman in her own right. And I was so happy when she shared with me her data and I said this is perfect for Hire Ground. So Andrea, take it away. - Thank you, Kathleen. All right. So if you saw the

last talk, this really builds upon a lot of that. It's almost a continuation of it, which is great. So well done, Kathleen, on managing those. So I'm a social scientist and I work at Endgame, do a lot on the intersection of geopolitics and cybersecurity, but also, given my social science background, I've done a lot of analysis in the past on institutions, cultural change, organizational shift, all those kind of things. And I've been in the security industry about five years now and noticed a lot of the stuff that I used to study that applied to geopolitical conflict, interstate conflict, I could actually take some of those lessons learned and some of those policies and strategies and

apply them to what I was seeing within the security community. And one of the things that I noticed, especially compared to, I worked in the military, I worked in academia, the security industry is unique in some of the retention challenges that we face. And I wanted to dive into it, I mean that's what social scientists do, we want to start looking at the human behavior aspects of it. And so I did a study of it. And so I'm gonna walk through the findings of the study, and then some of the social science theories and strategies for addressing some of the retention challenges. And so basically about a year ago I did the analysis, so I'll

talk about that. We'll walk through the analysis itself and some of the key findings, and then I'll talk about the recommendations for helping retain more people within the community itself and within organizations. And so what we hear a lot within the, and we talk about the workforce shortage, that's something that I think all of us know really well, so I'm not going to dwell on that so much. But what's focused mainly on is the pipeline problem. I didn't see much going on in the area of retention. And so that's why the talk before was great. Started to talk about some of the challenges we see with retention. And I wanted to dive a little bit

deeper into it and look at what some of the causes might be. And so I did survey analysis and actually did over the last summer, Jack Daniel actually helped me propagate it throughout social media, which is always helpful. Because this is actually a challenging community to get people to respond to surveys, as Kathleen probably found out as well with her analysis. A lot of people think you're out there fishing for some sort of thing, and I got a lot of comments along those lines that that's all I was doing. So at the end of the day, I got a little over 300 respondents. I'd prefer a bigger N, but you take what you can get.

And the distribution was 80% male, which actually is a little bit different from what our community is, so not awful. And what I was especially interested in was the industry breakdown. It was fairly consistent across the board, so it isn't one of those things that leans heavy towards startups or government or so forth. It really is a broad spectrum of respondents, and so I was very happy with that. So after doing the analysis, it was about 20 multiple choice questions, which is a good way to actually frame the analysis because people aren't willing to just put in an hour to respond to anything. So you do the 20 multiple choice questions that covered a range

of issues as far as why you stay, why you go, some of the key causes, then a little bit of demographic information, then in different areas for comments, and I include some additional comments. A lot of people actually did take the time to write in some additional comments, and it all pertained to retention. And so there are three areas that, three key findings that I've found. One was on career limitations. And this to me was one of the more interesting ones and may come as a no-brainer to a lot of people I think within the industry that the career progression seems to stop if you want to stay doing technical work. And that's what a

lot of people said over and over again. And so there was that lack of advancement, the lack of professional growth where people kind of felt like they were stuck in sort of a hamster wheel doing the same thing over and over again without seeing any progress available for them. And a lot of other fields that isn't there, you kind of know where you're going to be progressing. You know what, if you work for 30 years, you know where that high level where you can aspire towards. And it's not quite there yet in security. And so that gets to some aspect, a lot of people say, well, it's because it's so new. But it's not so

new that that should still be an issue, but it really is. So that's one key takeaway, that the manager or boss issue, I think that that's pretty much across almost any industry. So I don't think that's necessarily unique here, but it's interesting to see it reiterated. The lack of challenging work I thought was especially interesting, probably because we hear about how challenging and how, you know, what the cool work that we can be doing in security is. And so that's, I think that's relevant, but I think a lot of it is that when people are coming in though, they start doing a lot of the same kind of processes and redundancy in their work day

after day after day, instead of being able to evolve into some higher level, more sophisticated work. And so I thought that was an interesting aspect of it that we don't hear talked about very much. And then the limited opportunities for technical management. A lot of management basically requires doing more of the timesheets and so forth versus helping technically develop the workforce. And this is just one of the quotes that was in there, which gets back to because within organizations when there is little understanding of security or where security should be placed within that organization, there is no set career path. And a lot of these different comments along those lines talked about, oh, we were placed in IT, we didn't really belong there, or they placed us over here,

we were sort of an island. So a lot of those kind of issues were talked about in some of the comments. And this is some of my favorite comments from Twitter. I think this kind of dives into this a lot more, especially when we're starting to look at what kind of people we're hiring for, and the kind of experience, doesn't necessarily match what people are doing. And so these are just a couple of my favorite ones on that area.

So burnout is next, and I think that again comes as probably no surprise to this community, but what's interesting, I think to the outside world, it actually is a little bit. I was just interviewing Jack Daniel for an MIT Technology Review article that came out today on burnout. And it's really starting to gain greater visibility. Black Hat's got the whole track now on these kind of issues. But it really is one of the major causes for people leaving both companies and leaving the industry. And I asked both those questions, why people leave the company and industry can be two different things. But they were pretty consistent on that in this area. And so part of

it was that security basically, you know, rested on the shoulders of just the security professionals and wasn't dealt with as an organizational whole responsibility. And so the accountability rests on one person, and because it rests on one person, that means, you know, they're constantly, again, just working overtime. As we all know, there's no rest time during any of this; things don't stop. Generally a lot of these major attacks are happening over holidays or really inopportune moments. So I put those up, just smart comments along those lines. But it is a constant stress, and the paper in the MIT Technology Review today I think is pretty good. It covers a broad range of

these topics. And again, it also gets back to some of the feedback cycle. So you're still working really, really hard, but if your customers, when you're trying to prove something that might be unprovable in many ways, especially to customers that may not understand the technology aspect of it, you really don't get the accountability or the recognition for all the hard work that you're doing. And then again, just a couple of comments on burnout. And I'll address some of these more so when I get into some of the recommendations, but one of them is on vacations. I think probably most of us, unfortunately, do a fair amount of work on vacation, more than

we should at least. And as every other study shows, vacations actually should be a time for taking time off. You actually come back more refreshed. But that's not really how a lot of us do it in this industry. I mean, that's something that we see in other industries as well, but I think it's especially pronounced within security.

And then finally we'll talk about industrial changes. So that gets into changes in the industry culture. And so part of this isn't necessarily what we hear about a lot. Some of it is that, half of my respondents were between 31 and 40. So when we see all the cultural stereotypes that are out there, the 15 year old hacker, that's not actually reflective of the security industry itself. And so part of it is there's a branding challenge that we have within the industry. Some of it falls on us, but it also can fall on the companies as well to reshape what this vision of what security is, what the job potentials are, what the opportunities are,

those kind of things. A third of responses point to security culture, and an interesting component of this, one aspect that kept being brought up in the comments, was the bro culture, and it was all self-identified males that made those comments, which I thought was especially interesting. Also, I think a lot of women are just tired of talking about it. But the men were very vocal as far as the negative impact it had on them as well. And so I think you see that as well in some of the tweets on the right, basically issues with the social aspects being heavily reliant on drinking, all the mantles that we see out there,

those kind of things. Together they help build this culture that may not be, they take that culture and you combine that with the burnout, you combine that with the career progression, and you get a lot of retention challenges.

On the positive side, what makes people stay, which is something that we do also need to be focusing on, these are some of the top aspects for what keeps people staying within their jobs. I think these are fairly similar and aren't necessarily unique to the security industry, except for the mission aspect. The mission here, I do think is, extremely important, it absolutely can be viewed as weighted heavier and more important than what we see in some of the other tech industries. So I do think that's something that as an industry we should absolutely take to our advantage when we're trying to retain people, that's about the impact that we can have. Stimulating work as well,

sort of the mirror image of the lack of challenging work, so it's not a surprise. Supportive boss/manager keeps you there, whereas an unsupportive boss or manager is why you leave. Professional development, which again was talked about in the last talk, is extremely important, and again, how professional development is actually applied is really, really important. Just putting money into a professional development box that no one ever uses really doesn't count as professional development. And so, unfortunately, a lot of companies just kind of do it that way. I think they can throw money at it and, you know, move on from there. So what can be done about all that? I think probably for a lot

of us, you know, those three high-level findings, though, the lack of the career trajectory, some of the cultural aspects, and burnout, probably don't come as much of a surprise. We all, anecdotally, I think, have felt at least one, perhaps all three of those, as something that may make us wanna question whether we belong in this industry or whether we wanna retain working in this industry throughout our career. And so, we know that problem's there, and just identifying the problem, obviously, is part of the solution. We actually need to start looking at solutions instead of just continuously highlighting some of these challenges. And I feel like for a while, the last few years, when we see media

reports on security industry along these lines, a lot of it is just highlighting the problem without really getting into solutions. What I want to do for the remainder of the talk is really focus on some solutions or ways that I think we can look at addressing it. One, by no means do I think I have every solution in here. Obviously, everything has to be customized to organizations and so forth, but I think there's some overarching themes that have been proven time and time again organizationally to help improve retention within companies. And so, for social science, one of the key ways we kind of break down the way social systems, social systems are extraordinarily complex. They're

open systems, which makes it even harder. So any of those system dynamic models, I argue, don't work really well at all for social system analysis, even though I've seen that tried before and it tends to be a disaster of a spaghetti ball chart. So instead of looking at it something like that, we look at the agents, who are basically the modes and ideas of individuals, and look at the individual aspect of it, then you look at the structures, the environment, the institutional constraints, the various parameters that are out there within which the agents function. And honestly, you do, and there have been lengthy dissertations on which matters more, the agents or the structure, and there'd

be huge debates on, and then at the end of the day, they both matter. And so that's my perspective, and so we need to look at both. And so I'll start with some of the structural factors. Within organizations, one are the policies. And so the first one, the performance metrics and recognition, when looking to the survey responses, A lot of the folks highlighted as part of the reason for leaving is the lack of the recognition. So the point that they're working very, very hard, if they complain about being tired or needing time off, they're told they're not passionate enough about their work. So we need to actually start looking at what the performance metrics are

and how we're recognizing the people for the work that they're doing. And so again, it's one of those things where say a breach doesn't happen to happen over some course of time, How can you integrate something like that into some of the metrics? How can you integrate something that even if a breach does happen, people aren't going to be concerned that they may lose their job because of it? There are some issues along those lines that we really need to start thinking about as an industry. How can we start rewarding people for their performance, for their hard work, in a way that actually takes into account the unique aspects of security? Another one is sort

of the notion that security professionals within organizations are their enemy. And so I heard that a lot in some of the comments that when going around trying to help different people out and trying to either update their systems, help them learn some of the patch management, working on new two-factor authentication, some of the very basics, there's a lot of organizational pushback against the security folks. And so they kind of felt like they were working up a river trying to do their job. At the end of the day, we need to have that shift in the mindset, whereas the security professionals within organizations are viewed as friends, as allies, as there to try and help make

the organization succeed in the business. Not there to be a hindrance, not there to slow everyone down. And so it's gonna take a give and take, right? So security professionals also have to understand that people that they're working with have their job to get done and have their own business incentives. And so it does go back to where are incentives, where are people trying to go, what do they need to do for the businesses? And so trying to find the happy medium and work together instead of seeing it as an enemy. Another aspect is leveraging technology. Again, we're starting to see more of this come to security. A few years ago when I joined in

security, most of the interfaces I saw, and I used to do a lot of user experience interface research, a lot of interfaces I saw were looked like they were about 20 years old, right? So where we saw the technology industry, a lot of the applications have moved ahead and really leveraged the user experience component of it, security seemed to be lagging a little bit behind in that, or quite a bit behind. I think we're starting to catch on to that and realizing that we can leverage more friendly user interfaces, Some aspects of automation, leverage automation where it's relevant, leverage user interface and user experience where that's relevant, and really optimize the human computer interaction is

where we can start moving ahead to make a lot of this work more accessible and also more efficient. So it's more accessible for more junior analysts and more efficient and timely, less of that redundant kind of processes for analysts across the board. PTO policies I think is one that I think is especially important that kind of seems like a no-brainer, but I think it gets overlooked a lot as well. Especially when you have a completely open PTO policy, that tends to be something that a lot of people tend not to actually use it as much as they would if they were given X amount of weeks during a time period. And so we need to

find a way within companies, and every company's going to have some different strategies for this, that when someone's on PTO, to not bug them with their emails, to not expect them to be producing whatever your reports or projects, to not be available 24/7 for various phone calls. And I think it's really hard. It requires some sort of mindset shift. But it also requires getting to a point where other people can help each other out and carry on some of the responsibilities. So I think that's a really important thing that we need to work on. And finally some of the corporate social events, which gets at some of the cultural aspects of it. Are all the

corporate social events, do they all pertain to happy hour with drinking? Are they all things that basically appeal to a certain subset of the workforce and maybe not to the other subset? And so we need to find a variety of things. Everything from a book club may work for some group and that would be great, so keep doing things along those lines, to the happy hour, which doesn't mean no drinking at all by any means, just making sure that's not the only option. To sporting teams, get people who are athletes to go out, make them maybe morning runs, those kind of things, just finding other activities outside of the work for people to find those

interactions. Because those interactions outside of everyone's other keyboard are really, really important. And it's really, it becomes even more difficult when you start thinking about distributed workforce. But there are ways to find, you know, meaningful ways to find various outlets for people to work together and find something to talk about outside of the work. Because when you're having those discussions outside of work, somehow they, you know, they often, somehow that lead back into something along work that you wouldn't have come up with otherwise. And so there's sort of those spontaneous conversations that I think are really important. And they rely heavily on those social interactions and ensuring that there are those events that are accessible

across the board for the entire demographics, aren't just aimed at a certain group of people. And that's why you make, ensuring they're not just reinforcing the problem, they're actually trying to solve it. Conferences, which is relevant since we're here right now. And I will say BSides Las Vegas, I think it does one of the better jobs at creating more of an inclusive environment. Conferences, about 95% of respondents attend conferences. They're a very big deal in this industry, I think as we all know, and I think more so than in some other industries. They're great for professional development, they're great for networking, they're great for hiring. They're a really good way just to learn more about the cutting edge of what's going on, and we all know these things.

The problem is, when some of these conferences reinforce some of the challenges. So even as a company, you're doing all the right things. You're doing the professional development, you have the career track, you're doing great things for growth. If when people are going to conferences and having really awful experiences, they're going to bring back some of those experiences to the company and may not want to stay within the industry. And so some of the experiences at conferences are what people spoke about. And so that's one thing when we talk about the boomerang effect. So even if companies are doing things right, if the conferences, which are such a key part of the community, aren't

doing some of these things right, it may have a negative impact on those organizations. And so there's been a ton written about codes of conduct and actually complying to those codes of conduct, so I won't go into that much. The speakers, the males, representation, all those kind of things, ensuring that those speaking at the various conferences are more representative of a broader workforce I think is really, really important. And some conferences do this much better than others. CFP processes, I think, are actually really interesting. I've been on a handful of different review committees, and how you end up doing them really has a big impact on the range of speakers that get accepted. And so

when you do blind reviews, when you do double rounds of reviews, those kind of things, you start to get a different look at the very speakers that are coming in. And I think that's really, really important because there's a lot, you know, the unconscious bias to, oh, we know who the speaker is, we know they're gonna do a good job. We've never heard of this speaker. That one limits new people from coming in, and so that limits their own professional development, but also ensures the same voices are just heard every time. And I personally like going to conferences where there are new speakers that I've never heard their opinions before. I think that's a nice

way to grow and learn from new people. Another aspect is sponsorship and professional growth. Companies, you can put their, all the companies that are out there saying they're in favor of creating a more inclusive security environment, sponsor some of those aspects then as well. And use those for professional growth. Some companies are much more willing to send their people to conferences than others are. And so I think again, saying that you're in favor of professional growth and then enabling that is another aspect of it. And again, the quote on the bottom, I think, kind of drives home a lot of this. The impact of conferences, I think, really is sort of those network effects with publishing work, finding co-speakers from different companies. All those kind of things help people

stay within the community and really enjoy the community. And then finally, visual cues, again, focusing on the structure, the workplace environment and decor. And this isn't, one of the things I've heard so many times from leaders is, well, you know, we bought a ping pong table and a beer fridge, so why aren't they happy? That's not really what I'm talking about when I'm talking about the workplace environment and decor. And actually, one of the things on the cipher, why people stay, is perks, not the benefits, not healthcare and those kind of things, but perks as far as the beer fridge and whatever ping pong or foosball or whatnot, people don't care about those when

they're actually making their final decision. So I'm not talking about that, although that's what a lot of leaders may say, they're throwing money at it, that's the easy thing that they do and I think that's, honestly in many ways putting lipstick on a pig, it doesn't necessarily work very well. But the workplace environment at the same time does need to be something that's not offensive, needs to be somewhere where people who tend to like to work on their own have a private place to go, while at the same time having places for people to work together as groups, provides places for social gathering, all those kind of things. To understand how people work in very

different ways and while at the same time also ensuring that the decor matches the culture the company wants to have. Power of swag, and this one I think is actually really, really important. When we first started at Endgame, we didn't have any women's shirts that we gave out at conferences, and that drove me nuts. Fortunately, that has shifted a bit, and I'm starting to see more of the companies are doing that. But just little things like that just signal to various groups that, "Okay, you're welcome here. You have a place and you belong here." Not doing things along those lines really is impactful. And so the same thing goes with if you're a conference sponsor

and all of your swag has to do with alcohol, perhaps, maybe you want to consider doing something else as well, like a notebook. I mean, who knows? But you just started broadening it out to make it inclusive to a broader group of people. And at the end of the day, when people first walk in, and this gets back to some of the recruiting that was talked about earlier, people also make that quick minute decision when they're walking into your office to decide whether they want to work with you. And when they're looking around the decor, if it looks like a welcoming and open place that might be doing cool work, you know, they're going to

be more prone to, you know, take that next step and consider that. If they walk in and all of a sudden they really don't feel like they belong there, you know, that's me. That's up in 15 seconds, and that's a very hard image to shake. And so that's some of the structural aspects and I'll run through the leadership and personnel aspects now really quickly. So we just did all the environmental aspects, now what can people as individuals do? So on the one hand, leadership is what's highlighted. This is a leadership issue, it's not necessarily an issue for other people. I don't believe that at all. I think leadership is necessary but it's not sufficient. And

so leadership absolutely has to lead by example. And so that's sort of the no-brainer. And this is something that if all your leaders either don't talk about any of these shifts, they don't talk about professional development, they don't talk about how they're handling burnout. If the cross-leadership board, it's a pretty homogenous group, that's setting the example. So that's what I mean by that. They also need to establish the policies, though. So when talking about those structural factors that occur, the policies actually have to help promote that. And one of the good examples is the professional development, ensuring the policies are in place so that people can then leverage a lot of those professional development opportunities

that are out there. Also, it's not all about the money. When you see a lot of the metrics for, especially in the tech industry, for oh, they threw however millions of dollars at inclusion and development, and they find that nothing has shifted over a year, or after two years, after three years, it's because just throwing money at the problem isn't the solution. It has to be smartly allocated. And honestly, a lot of these solutions, in my mind, don't require much money at all. Some of them are actually almost free, if not completely free. And so just throwing money is not going to be the end all and I think that's also getting a lazy way

for leaders either addressing an issue when they're not really. The greater representation, they can ensure that as far as helping with the recruiting process and so forth and the metrics. Actually helping to work with the various technical teams to ensure the metrics are appropriate for the jobs at hand. But for the rest of us that may not be on the C-suite, something that I coined cultural entrepreneurs. So policy entrepreneurs are people who kind of take a, they see a gap in policy and they kind of go through and they help push through new changes in those policies. And so I think cultural entrepreneurs can do the same thing. And so that's where you're coming from

the grassroots up. And so it's not just a leadership issue to have to address all these challenges. It's on all of us as cultural entrepreneurs within our organizations to help be the change that you want to see. Other people aren't going to do it. If we all just sit back, nothing is going to change. So it is on all of us. It helps foster social capital. Social capital are basically the linkages across and within teams that actually help lead to things like economic development, more stable governance, all those kind of things. The same is true in organizations. So it's this notion of leadership from below. So to summarize, so we have a couple, a minute

or two for questions. One, there's no easy button. This is the one thing that kills me on all these things for retention. It's like, oh, we're just going to throw some money at retention and it'll work. That's not how it happens. Or we'll just get a ping pong table and people will be happy and stay. Not how it works either. So it's not easy. It's actually quite hard. It actually requires a lot of the human element combined with the technical element, which I think is why so many organizations struggle with it. So it's no easy button. Not all the money in the world. It actually doesn't require a ton of money to do a lot

of these things. They're very, very simple. Especially for small organizations, it shouldn't require much money at all. And so I actually have a lot more details on the results of the study and on the white paper itself at the address below. It's a white paper that goes in a lot more detail with some additional links and so forth on this research. So thank you. We have time for one or two questions. Any phenomenal questions? Margaret, do you have any questions for her? Calling you out, yeah.

I saw something you had tweeted this morning about an article talking about stress in the cyber security workforce. Do you go into that at all in this white paper? I do a little bit, yeah. Not as the only topic, the whole paper's not about that, and it could be, right? But I do talk about it a bit more within the paper itself, yep. And as part of the underlying, you know, leading into the burnout aspect. Gotcha, thank you. And just out of curiosity, do you see a... - Of the respondents to the survey and some of the data and the research that you've done, do you see a difference between smaller companies and larger corporations

in how this manifests itself from a retention perspective? - Yeah, so it's interesting. I asked about sectors but not company size. Quantitatively, I can't answer that. Qualitatively and anecdotally from talking to a lot of this, I've given this talk a couple different times. And the first time I gave it, a guy from JPMorgan Chase basically said, "This is great, I'm gonna implement it, and it works very well with how we're thinking about addressing retention." And following up with him, it seems like good strategies for companies, I mean that's a pretty large company. And we've applied some of these at my company where we're, you know, when we were 60, 70 people. So I think at

a high level, I think there are enough commonalities. Again, it gets to the notion of customization per organization. So I think, I don't necessarily think it's a side to the organization. I think it's making sure to adhere to the business and cultural objectives within the companies itself. Because even at the large companies, they're going to Something like JPMorgan Chase is going to be very different from the security team of Exxon, right? And how they're going to be fitting in with the rest of the companies. So I think that's probably more of the nuance that I would think about. But at the end of the day, I think the overarching strategies I think can work and

the overarching findings probably are pretty consistent. It's getting into the details of the companies themselves where we start tweaking it. One more question? Okay. And for our friends in cyberspace, if you could speak into the mic so we can hear your questions and then her answer. How do you address the requirements section of job postings where it can, on one hand, HR wants to not have a deluge of applicants, but you don't want to make it so intimidating that people perhaps with intuitive knowledge or on the work knowledge are too intimidated to apply? Yeah, so I think that's a great question. I've studied that elsewhere. Within this, I focus more on the retention. I view that as pipeline, but I've done enough research into

that to at least have some thoughts on it. I think the way that we write our job descriptions generally is really harmful to what organizations are looking for. And that's sort of on the one side with the different tweets about, you know, we want a junior professional with 20 years of some language or something along those lines. It's written as a joke, but there are still way too many along those lines. Or we want someone, we'll hire you as a junior, but you have to have like five different certs. And maybe those certs aren't even relevant for the job they're going to be doing at hand. So we do, I think also the talk before

did a really great job talking about how we need to start doing a better job, making the job descriptions match to what the job they're actually doing. And as an industry, thinking about how important the certs are, how important the various educational tracks are. I mean, that's, for me, I've worked on teams that have someone who didn't graduate from high school with a PhD on the same team working side by side and both were phenomenal, both contributed enormously to our company and I would not weigh the value of one or the other. So we have to understand that there are so many different career trajectories into security. I think on Twitter a little while ago

they did sort of like tell us your track into security and everyone's story is so very very different and the job descriptions I think need to better grasp that and better grasp the nuances. Especially when we're seeing that all the technologies are changing so, so fast. If we want people to actually stay longer than that technology lifecycle, we need to look at more of the things as far as the curiosity and teamwork and critical thinking in addition to their technical skills. So I think we have a long way to go as an industry. I think that we're acknowledging that that's a problem, but I haven't seen a ton of change coming in that area yet.

So the Twitter handle or the Twitter hashtag she's referring to is my weird path into InfoSec. Actually, several well-known people have sort of outlined, threaded on Twitter what their career path has been. And I've actually done two or three presentations on it. Andrea, thank you for finally coming and presenting at Hire Ground. Let's give her a round of applause. Thank you.

No manuals here. So we now have a two hour break. The break is for you to have a chance to talk to our phenomenal sponsors, Centec, GuidePoint, Oath, Rapid7, Bulletproof, Amazon, and Bank of America. Our resume reviewers and career coaches will be showing up in about 15 minutes. Definitely take advantage of that, and we'll kick back in the afternoon around two o'clock with two more great sessions, ending with my presentation with a panel on career development through community volunteering. Right, yeah.

Okay, can everybody hear me? And those in the back that are talking, I'm going to go into my radio voice so it gets loud. How's that? So, this is actually a one-hour presentation, so I've got a lot of talking in 25 minutes. So I took out a lot of slides. I suspect I'll be presenting on this in the future. My background, well, it was 1978 when I was... taking a class in computing, and I learned about a game, and I decided, well, I don't like losing games, so I modified the code and I went back to the system administrators and said, hey, I modified the code, this is really cool, and they said you're

responsible for security. So that's how I got into the industry, okay, and it happened again and again and again, and stories over adult beverages are always good. So the goal of this is to take the hacker mentality and apply it to finding not only jobs but your career. Now to begin with, how many people are actually looking for jobs? Okay, how many people are recruiting here? Oh, I knew you, yes. So there's information about both. My biggest concern in this industry is there's a wide gap between the needs and the definitions of the people that are hiring and the ability to be able to translate that information into making a match. So this particular set of slides is specifically to

hopefully help both sides of the domain. Okay, so we'll have to do this fast. Yes, find a job you love. Yeah, I've been doing it for a while, so I love it. So let's hack the actual process of the HR. So you are on the left-hand side. And the organization, which includes your HR person, your hiring manager, and who actually funded it or funding it. The organization or the HR manager, specifically the organization, is going to be looking at two types of hires. They're going to be looking at a tactical hire. A tactical hire, you're going to go sit in a seat based on a set of definitions and maybe be a sock monkey or whatever. It's a typical issue, especially in the government contracting domain,

but essentially you want to be a strategic hire. Okay, strategic hire, you need to provide extreme amounts of value to that company and give new ideas and new concepts to actually help them meet what their objectives are. So, they define the job position. The next thing that happens is somebody has to break that out into tasks. These tasks may have been sitting there for years. There are job presentations out today from specific companies that still include mainframe as one of these lines, and they have not used mainframes in years. Okay, that particular company is no longer. So, this is a real challenge to go through this particular process for a lot of organizations. Then we have the actual mesh between you and the actual tasks

you're looking for. This is where the knowledge, skills, and the abilities come in. Oh, by the way, there is a link to the very bottom that if you allow me to bounce out. There we go. Okay. If you're a hiring manager, make it simple on us so that we can get hired. Here is a product that DHS offers for free that you can use as a template to create these particular items. All you have to do is provide the job description. It makes it simpler for us. You notice how I just hacked the HR system? It's awesome. Let's see, current slides.

Okay, the next thing that happens is you have to go through performing a job. So what they're looking at is for the tasks. They're looking for things that can be performed in less or learned in less than 90 days. You know, I need to learn VI. Okay, you can do that in an afternoon. On the next one, which is creating the interview questions, checklists, retention bonuses, things like this, this is actually where you want to be. You want to make sure the tasks are met with what you're trying to accomplish, but you want to be a strategic hire with the items on the next line, and I'll map those for you. For the manager, what

you bring to the table is your knowledge, experience, and training, everything else, but you have a resume, and please make sure you update the resume. If you don't, don't do it here. Go find a mentor to help you actually design your resume to be focused on what your passion is in this field. And also you're going to be interviewed; get somebody to actually walk you through the interview process. Some of us have gray hair in this audience, so we've been through it once or many times; some of us don't. So be aware your resume better include the right training, certification. This is a point that slows down the hiring process if this information is

not right, so make sure this is aligned. So, other things: carefully read the job description, carefully read what the features are. If you are a Microsoft person and they're talking about Linux, it's going to make it harder to get through the door to have that conversation. Go learn Linux. Yes, I have links to how to do that later. Match your job experience with what you see. Oh, by the way, if there's something missing, there are so many resources out there that within a week you can actually pick up a specific experience. Has anybody ever loaded Elasticsearch? Has anybody ever implemented SecurityOnion? I mean, literally, these are one-week type things just to get that primary knowledge about how this

stuff works and have a conversation. Oh, for a professional standpoint, please, if you're young, please don't use the email you did in high school and grammar school. Get a professional email. Put a LinkedIn in. Your Facebook, no, get rid of that. Put a professional one in. So these are really important to think about because recruiters are now looking at this about you. Reboot yourself so that you can get this job opportunity. Also, does anybody belong to any local groups where you live? ISSA, a hacker group, a meetup group? Not as many people that should be. Everybody basically should be part of that particular group. Why? Number one, it's free education training. Number two, if they are there, those companies have jobs.

Okay, ask the question. So I am coming to this ISSA or this ISACA or whatever meetup. I'm looking for this kind of job. Do you guys do that? Okay. Finding the person that's going to hire and going around HR is the simplest way to get hired and then make sure HR processes the paperwork. Let's see. Oh, how many people have a home lab? Yes, we're almost halfway. Everybody in this field should have a home lab. That might be a single computer with virtualization, virtualized networking and things like that. Or it could be like I had in January with 96 cores and 35 terabytes of drive space. I was experimenting with a couple things. So you can go either

direction, but go set up a lab, because there's going to be times you're going to want to ask a question, you're going to go home and actually be able to test it out and come back with new solutions. On the other side, get to know the company. We call this open source intelligence. Go learn open source intelligence. I presented at DEF CON 16 years ago about how to do this. Please, go do this. Go find out about the company. Why? When you're in the interview, what is the first thing they say? Do you have any questions for us? This gives you context to say, "Well, I see you just bought another company." What does that

mean to me coming on board? Or, hey, I see that your stock prices are going down. What does that impact? How does that impact me in the industry, in the thing? Or I see you're getting into a new product line. Ask those questions. The hiring manager appreciates that, that you've done the due diligence and started learning about what the company does. Okay, a job is really simply earning money. A career is connecting all your employment opportunities to get to your greater job. Some people early in your career, you only want to make one hop, and that's what you're looking for. Some people want to say, hey, I'm in my early 20s. I've done this and this and this. I want to now be a chief security officer by the

end of my 20s or early 30s. Okay, start mapping your career out. Number one, it'll save on burnout because you have an ultimate goal. It also allows you to control your career. Here's what my career looked like. Okay, because in '78 there really wasn't a job role for that. What that was was, hey, something's weird with this thing. Can you look at it? It's not working, and finding very strange things. That's another discussion later. Well, National Institute of Technology, NIST, started working on a project a while back called the National... Yeah. Basically for cyber education. What they're attempting to initiate for cyber education, what they're attempting to do is standardize this framework. Many organizations do not know this

exists. The organizations that don't know this exists, their job reqs are out of sync many times. They're not as easy to read. You can't, you're not actually able to get to what your goal is. Take a look at this. I want to bring up the webpage for this. This is actually very cool. So in this category, NIST has defined these particular categories as general topics. Oh my god, I didn't do that. Sorry. Can you see it now? Yay! Okay, so let's see. So what the challenge there is, there we go. You see each of the major roles? There's a lot of categories in here. When I got started, I was the security guy, the only one

for a Fortune 500 company. Okay, now they have dozens and sometimes hundreds, and I have a lot of friends that have gone through this process. Go find a title that looks interesting, go read the job description. It's interesting: if you're passionate about this, this can go very well very quickly. Okay, and all the links, by the way, are in the slides just in case you're interested. Okay, so what NIST did was they created this great set of qualifications. Currently seven categories. Wow, who would have known? 33 specialties, 52 work roles. Oh, by the way, these are major categories. These are minor categories. If I'm doing forensics, I may be doing forensics on an IoT device or an automobile, or I may be a specialist in

hard drives from a forensic standpoint, dead boxes, or I may be doing network forensics. Even under these categories, there's lots of specialties. Make sure when you're looking at the job request that you can determine what that specialty is that they're looking for so you can align yourself with that particular goal. Again, there's a link on here that will give you lots of details. Please take the time to do it, because it helps you again figure out what job position you're passionate for. Okay, the next thing, mapping your career goals. So, as part of the NIST initiative, they went out and had support from the industry. And what the industry did was they created some really cool applications to help people track their

career. I'm going to bring the webpage up again, if I can see it. Tab what? Oh, I can't even see the tabs. Let's bring it over. Oh my god. Tab two. Ah, there we go. So during some study, what they found out was that the vast majority of people that got into this field, they may have their degree or their background in something else, but as part of their background, their development, they had to learn something. They became interested in networking. They were the networking guy for a university or from a school. Or they were the software development person because they learned software development so they could do this other career. Or they were systems engineers because suddenly you're

the only guy that knew about computers, therefore for this biological system to do genome, you basically have to set up a network for us. This is a real typical issue. Each of these have categories and information. General descriptions on price. If we click on this, we can see connections. These connections, hopefully you can see it and it's not too small, these connections between nodes are the optimal path that they've determined. What that means is instead of learning a whole new industry or bunch of stuff, it's a minimal amount of things. As an example, if I'm a professional investigator, I probably am not a guy that needs to know the bits and bytes of networking. But to become a professional investigator I have to know other things, and this stuff

okay, so it kind of minimizes it, what you need to do. Again, a worthwhile website to go to at the very bottom, and again, I'm not sure what the size of that is, if you can see it all. Can you see it there? This provides general pricing, which categories. It gives you a good framework to understand how to make certain decisions and what decisions you need to make. By the way, did you notice it has certifications on there? Certification is what you need to get that current job and certifications to move to the next level. Okay, that's pretty cool, huh? So next topic, evaluate your knowledge. One of the biggest challenges that I see

in resumes is, I want 20 years of Golang development. Okay, Golang's really been public for five years, but I see people do that. Or, you know, I want, you know, 18 years of Android. Have we had Androids for 18 years? I don't think so. So... You have to actually understand where you are. From the hiring manager standpoint, if you notice there's levels, and these are, I went out and looked at hundreds of resumes to say, you know, is it basic level or entry level? These are just the terms that are used. The hiring manager wants to know different things to find out how qualified you are for a job. For the first level, it's I want to know that you have knowledge of and you could

read a book and learn this. The second is that you have the skills to, because you've already read the book and you've applied those capabilities. The next level for expertise is I could take that book and I could teach a class to my field or people in the industry. The last one really is, hey, I develop things that are completely different. I've developed books. I've supported the development of IETF RFCs or IEEE standards or whatever that is. That's the real levels of capabilities you need. You wouldn't expect a junior person to be told, "Hey, you need to help write RFCs with no networking experience for an IETF." So please, if you're looking at a company where there's a mismatch, have a conversation with them about it. And

if they're not willing to have the conversation, maybe they're not the right place to go. Okay, next item, geography. So there's so many jobs out there, except they're clustered in specific areas. I'm always told, "Well, I'm going to live in the desert someplace and I'm going to do the job there." Well, there's no employer mismatch. It doesn't work. As you can see from the lower right-hand side, we can see the amount of job openings in each different area. Oh, by the way, I have my email address at the end of this. If you wish, please email me and I'll send you these slides as they are and the notes and things like that, so feel free. So if you notice on the left-hand side it says states,

it says metro and states. On the upper left-hand side it says size of area you want to be in. Some people want to live in a small city and want to see that there's actually jobs there, especially if you have family or you're doing something with parents or whatever. The other thing in the upper right-hand corner, we have the public sector and we have the private sector. Do you want to work in government? Do you want to work in the private sector? Do you want to work in both? You're looking for the best places and jobs. Okay, I am going to bring up the next slide, which should be, there we go, there. So if you fly over,

you can get an idea of the amount of jobs. If I click on it, I can get a detail. If I go down here, I can see what the match of how many jobs there are in a specific area. Apparently this is updated about once a month, so it gives you an idea. Things that you need to be looking for. If you're somebody that wants peers to learn from peers, you want a larger population in an area. I lived in a place at one point that I was the one running the security group and the Linux group and the networking group. I mean, there weren't a lot of people in the area I was with. I now live in an area where basically there's dozens of groups

and I can go to different meetups almost every night, sometimes two if I could be two people. But, you know, you can't do that. But if you take a look at it, it gives you... See the certifications? The orange is how many certifications in a specific area. The blue is what the hiring manager in the company is looking for. Can you see if there's a mismatch on required jobs versus certifications? And also you can see things like you will find certain fields where just having a high school diploma or just having an associate's is not going to be enough. They're going to expect having a master's degree or a PhD. So again, this gives you a framework

to start managing your career. Mentors. How many people have a mentor? One of mine, by the way, is Vint Cerf, the father of the internet, so that's kind of fun. How many people help other people as mentors? Okay, cool. The best way in this industry to learn is to mentor somebody else, because you're going to push yourself to understand what their needs are. You're going to start reading about it. You're going to start understanding it. I put together a list of the nine major types of mentors. Some people can only do one or two. Some people in their career, as they've gone on, they've been able to be a mentor for each of these categories. One of my talents is a

connector. I have lots of people because I've been in this industry for years and years and years and years and years. Anyway, you know, educator, coach, cheerleader, coach, idea generator. Hey, I'm having this particular problem and you basically want ideas. And sometimes you just want an ear. You want somebody to listen to what you have to say. So please go out, become a mentor and go find people in each of these categories. It will help your career. It'll help you from not getting burned out in this field. This is a real benefit. Okay, final thoughts before I show you the list of good links. A job is something where someone else controls your investment and your future. That

kind of feels uncomfortable, doesn't it? Okay. A career is something where you define your future, but you work with the company you're with to get investments in what your future education is. There was a presentation earlier today that showed that education and training is very important, especially when every three years the technology changes. You know, it's kind of like a physician going, "Yeah, three years ago the heart was here, but now it's over here." So things have gotten really weird. Also, if you want to be in this field, be the noun, but you have to be the verb. You have to take action before you can say you're a security professional. And there will be a day

that you go, holy snikies, I'm doing some really cool stuff, which can be had over an adult beverage. Okay, some resources, because these are the things that I get from the mentorees, the interns, and other friends, which is, where do I get training? If I go to this link, I can find out what training is available for my subcategory that I'm interested in and where is it located. That's pretty cool. We've never been able to do that in the past, and it's really hard to find some of these really unique training things. Next thing: two major links, if you're going back to college, if you have kids or grandkids that you want to get in the field and they're looking for money and they want to be

in this field, there's two opportunities that when you go through the system, you can have your, you know, bachelor's, master's, and PhD in some cases paid for. So these are things that are really, really important. The next one, if you're a veteran, any veterans in here? Yeah. This is awesome. These are free classes online. Sign up for them. If you're a government worker, a state, local government, this is also available to you. You have to sign up and you go through the process. Sorry those that aren't in that community, but this is important. Community college. Anybody part of a community college? Go to community college? Okay, so if you do, here's a set of links that you can give a professor

and say, "Look, you can teach one course in cybersecurity." You can even just have a meetup about information assurance so people can see if they want to be in this career. Pretty cool? K through 12. One of the biggest problems this community had is we went from being kids to having kids. And then realizing that during that period, we didn't have new kids coming into the field. So we actually had this gap of many years where we didn't bring people back into the field. Here are resources to bring your kids into. Personal note, I brought my three nieces to a hacker con that was at MIT. Two of them are going, one's going to school as a double E, the other one's a mathematician,

the other one's thinking about going into robotics. Introduce the girls, introduce the boys to this. This is amazing stuff. By the way, does anybody here know r00tz? That's DEF CON's conference for kids. On the B-Sides side, there are the 4Kids and the HackerKidCons, on about a third of the particular conferences around the world. These are really cool. I have friends in the audience that have brought their kids to it and have just gone nuts. This basically then got them interested in all kind of things. By the way, this includes teaching basics of cryptography, tearing apart computers, wireless security. I mean, this is awesome for kids. And they'll teach you something. Okay, if you're a recruiter, here's two links for you: the DHS push-button PD,

awesome stuff, and also the career development toolkit to simplify the development of the job requests and also help you help us get into this field. Oops. Sorry. Did it, I just flipped. Did you get it? Cool. Okay, building labs. This is the link. Go home, please. Take this. Go home whenever you get home. Go try each of these labs. Literally, you will learn a piece of every single job role by playing with these particular labs. I chose them specifically for offense, defense, forensics, penetration testing, attack validation, intelligence. I mean, basically, it goes through everything. Next one, professional branding. You have a brand as you get into this field. Your LinkedIn is your brand. Go do your LinkedIn. 11 steps to create a professional WordPress.

Go do that. I have a blog that goes back to 2000 right now. That's pretty fun. That's pretty much just one or five times a year putting my comments and my references. Security conferences. Go find security conferences. A lot of them are expensive. B-Sides. I'm a big proponent of B-Sides. Shout out to B-Sides DC, Delaware, Philadelphia, and lots of others. They're low cost. They're free. Oh, by the way, all these conferences don't... It doesn't cost much if you volunteer. Okay, by the way, anybody want to take a SANS course? They have a volunteer program, which costs you a lot less. Okay, so there's a lot of resources. The other thing, how many people know Linux? How many people know it so

well that you can do kernel work? Okay, so Linux... Linux Foundation has a bunch of free courses like free Kubernetes and learning shell and things like that. These things are free. Yes, you can put $100 and they give you a certificate and you can put it in your resume. Awesome. Or you can learn and become a kernel hacker and they have all the details there. Okay, lastly, there is no real shortage in my opinion in this field. What the problem is is a mismatch between our hiring folks and what you guys need for your careers. And that's it. I'm done. I've been cut off. Do I have time for questions? One question. Sorry. Somebody behind

you. Can you stand up? I can hear you. Please. It depends on the company and it depends on the job area. I'd suggest to go into the job area, the geographic, and see what specific title you have to see if they're looking for PhDs, masters, or just having associates. Okay? Some of those... are different for every single career path. Go take and get a degree, but understand this for your first job or your second job. Consider that a way of helping you make that decision. I'm gonna go right outside because this wonderful lady is next and I hate to walk out and not see her presentation, but I'll see it on video. Hi. - Thanks, Joe, so

much. Really appreciate it. Awesome.

And then you come to the end of it and you go, "What happened to the last 48 hours?" That's sort of me. This is the final panel. I figured that this would be a really good way to sort of close out Hire Ground, because this is something that I'm additionally very passionate about. The fact that there are so many conferences that are volunteer driven. So again I'm going to ask our wonderful sponsors if we could hold our conversations down. I have no problem calling you out if I can hear you. Especially Rapid7, since Rapid7's person is up here on stage. Yeah, hush.

So as many folks have heard throughout the two days, there are many of you, I'm so glad that you have been part of Hire Ground for the last two days. We have heard that, and Chris Rides is talking so loudly that I can hear him up here, would you please? Mario? Jeez. Okay. Poor SOK, they're going to have to edit out all this. I'm Kathleen Smith, I am the Director of Hire Ground. And today we are going to talk about community volunteering, which is how this community actually operates. Yes, there are some very large conferences out there that are, you know, big ticket items, lots of sponsorship out there, but for the most part, our community is really driven by volunteers. And volunteers who have done just

an absolutely phenomenal job of adding additional hours to their work week to make sure that phenomenal conferences continue being pulled off. But what's been interesting in my exposure to the community is that a lot of people have not been looking at their community volunteering as a way to develop their skills. They just see it as a way to gain friends. They see it as a way to do a little something different, to connect with people that they know on Twitter or on Slack or something like that. But people don't understand that they are learning other skills. And when we talk about the skills shortage, a lot of people are not identifying the fact that with

all of these technical skills, being exposed to new technologies outside of a teaching environment is something that you're gonna wanna do to stay sharp. There are also the skills as far as the non-technical soft skills that people don't have an opportunity to work on in the work environment. Where are they gonna learn them? They're actually going to learn them in a volunteer environment. Cindy Jones here and I are going to have a big funny joke on this because we are missing another panelist, but she's actually in her volunteer job over at DEF CON and it is running late, so she can't make it to the panel. So if you see someone running in the middle,

that's Megan. So... In addition to this, volunteering in the community and looking at it from a career lens is a phenomenal way to look at your overall career development. But also, how do you represent this on your resume? How do you represent this on a social media profile? And how do you talk about it in an interview? So that is why we have Kirsten Renner here with us, who is a recruiter, a long time volunteer in this community, a force to be reckoned with within the community, and she's gonna share that. So we are first going to, okay. I have a new computer. So as you can see we have Megan Wu who is going

to join us later, Cindy Jones, Kirsten Renner and myself. You know about me. Cindy tell us a little bit about you. Sure. My name is Cindy Jones. I am currently a principal security consultant with Rapid7 back on the back wall. If you're interested in any kind of prospective hiring opportunities go there. I have been in information security for I've been in IT for a really long time. I have a Microsoft certification number that's six digits and starts with a three. So I've been in IT for a long time. It evolved to a security program and I've been with Rapid7 for about three and a half years now and I love what I do. And Kirsten,

tell us about you. Is this working? Hello. I'm Kirsten Renner. I'm the director of recruiting at Novetta, an advanced analytics and cybersecurity company. And to tell you how long I've been doing this, the first and only program that I ever wrote was in Visual Basic when Visual Basic was new and exciting. And I can code in index cards, but that's how long ago my coding career is. It's another story for another day. Yeah, I can do punch cards. Actually, my alter ego is the car hacking village, which is, thank God I have a Hermione time turner, because I'm actually there right now sorting out boxes. Magic. So one of the things we're going to touch on is why volunteer? You know,

a lot of us think that volunteering is cool and, you know, you're part of the cool kids club to do it, but I wanted Kirsten to touch a little bit more on the car hacking village and why you volunteer. And then Cindy, I love your story about how you got into volunteering. So Kirsten? Thank God for my relationship with you, because while I've been so passionate about the things that I've learned in the, primarily in the DEF CON community but in the InfoSec community, it never occurred to me until we started having these conversations: hey, these are skills. I have to manage humans. I have to manage a schedule. I have to react to problems when vendors don't show up or things don't work out. So there's a

lot of things that you can translate into actual work-related skills and areas of expertise that are occurring while you're volunteering. So in particular, just every little detail and all the things that are going to pop up that you didn't expect or that you tried to pre-plan for and so forth. All these things are going to, you know, you've got to remind people that you are running on volunteer time and sponsor dollars and everything's not going to be perfect. But, by the way, 20,000 people are showing up, so I hope it works out. So, Cindy, tell us about your volunteering. So I've always been somebody who likes to get involved with things. I like getting in on the ground floor, finding out how things

work. When I first started getting involved with, I mean, I've been volunteering since I was probably, I don't know, a Girl Scout. I don't even know. It's been forever. Volunteering... Sucked into a sorority in college and became the head of just about every gosh forsaken panel that there was there. And when I got into IT, I would start going to conferences and I was attending a lot. But my background isn't in IT or in security. My background, as far as school went, I was a psych major. So I intrinsically want to help people, right? Psychology's scary as heck. I don't want to know about the human mind anymore. I found that out going through school.

But ended up going to, just started getting into IT, getting into security. And when I'd show up at a conference, if I didn't know anybody, it was like, hey, is there anything I can do to help out? What can I do? How can I help out? Because of that, I started developing an amazing... I mean, my contact list is stupid. I've got more Chris's in my contact list than anything. I know, wait, if I say Chris right now, raise your hand, seriously. I know I see one, two, at least three in the room, okay? But you end up getting all these great networking possibilities and options to go ahead and reach out to people to get insight into what's going on in their field or if you're interested in

checking out their field and what's happening there. But my initial intro into... volunteerism started really young. It's all because I want to help. But what about your first time when you went to DEF CON? When I went to DEF CON? Yeah, my first DEF CON experience helping out? No, didn't you go to DEF CON for a while and not volunteer? Oh, yeah. Okay, so that's another thing. Okay, so I spent, when I lived overseas for a while, there was a gap in my volunteer world, and I have been going to DEF CON since DEF CON 13, and I was always... Before I started building this wonderful list of Chris's, I had basically been going there and I've been hiding

in my room. I'm not a really social person, believe it or not. I mean, I know a lot, I've probably talked to like at least a third of you guys in the room today or over the past day and a half. I am not a social person. I love being quite happy in my room, watching the stream of the talks or going to the talks and then going back to my room to recharge or what have you. And I realized I was just taking. I was taking a lot. So that whole wanting to help people thing, aspect of my personality, I was just ignoring it. It wasn't happening. So when I finally was able to

go ahead and make that connection, going, wait, I need to start giving back a little bit. That's how I discovered B-Sides. B-Sides was just starting out. It was the second B-Sides Las Vegas that I got involved with at the very beginning. And I'm like, "Let me help with registration. What can I do?" That was one of those things, like, "How can I help? What can I do?" Because I really wanted to be able to give something back. That in and of itself, I actually, it allowed me to learn how to communicate with people. It was a starting point of starting to develop some skills that I didn't think I had. I was always the one

in my room. I was always the one being shy. Now I'm like, "Hey, what's up? What's your name? How you doing? What do you do? Who do you work for? What's going on with you?" And just learning how to communicate with people on a level that hopefully isn't too intrusive, but at the same time just being able to communicate in a means that was effective. And your confidence level? Oh my gosh, out the wazoo. My job now, I on a routine basis have to speak to, whether it's board members, whether it's a C-suite, whatever the case may be, and tell them basically that their security program sucks and this is how it sucks. I'm able

to go into an organization now and confidently sit there and explain to them why it is that their baby is ugly, you know, what's wrong, how they can go ahead and fix it. And that is strictly due to the fact that I've practiced communicating with people at all levels, at all skill levels, in all levels within organizations, in order to be able to express that to them effectively. And I did a survey over the last three months of the community to sort of say, okay, how many of you are volunteering in the community and what are the skills that you are gaining through that? And what was interesting is that teamwork and

ability to collaborate was a skill that 82% of people were able to say yes, this is something that we got. Organizational skills, 75% said that was one of the major skills that they learned. Communication, we're so big on communication. Can people write? Can they speak? 76% said that that was the major skill that they learned by volunteering. Planning, 75%. Networking. So it was these... key skills that we're needing in the workplace, that we're leading in teams, that people are automatically learning by volunteering in the community. So Kirsten, sort of put the recruiter's lens on this. So when you see someone who volunteers in the community, what are some of the things that you're looking for them

to say on their resume? I see a lot of resumes that say, B-Sides, B-Sides, B-Sides, but that doesn't tell me anything. How would someone write their volunteerism on a resume that would pop out for you? So before I was doing this, earlier I was over there looking at resumes, and nine out of ten of the resumes that I looked at, I discovered while I was talking to those people that they did things. They did things in the community, they did things that aren't on the resume, and it's important. It's important that you identify. People are like, should I talk about my interests? Should I talk about the things that I'm studying? Yeah, you should. You should reveal to us what you're proactively doing to develop yourself, and

that includes going to conferences and volunteering, and maybe... For me, because I have been a volunteer for so long, maybe it's something that I'm looking for, but I absolutely think that people should include that in their resume. And what I think is interesting is a lot of people just say, "I volunteer," rather than say, "I'm in charge of sponsorship, so I'm in charge of going out and securing funds. I'm in charge of overall conference management, and we're going to go into that a little bit more." But being very specific about talking about, are you the subject matter expert that presented? Are you the person that managed all the volunteers? Can you delegate? Can you plan? Can you organize? So don't just say I volunteered, add what that business

component is. Now if it's you just showed up for the day, that's fine, but you showed up, you participated, you were out there in the community. These are all things that, you know, recruiters are going to be looking for. So let's dive a little bit more into conference management. Cindy, you started B-Sides San Antonio, so let's talk a little bit more about what the skills were that you learned being part of B-Sides San Antonio and how did you work with your employer on being able to do that? So when I first started B-Sides San Antonio, I was working with the government as a contractor. Depending on how familiar most of y'all are with the government contracting world, but you get very limited PTO

and there's also very little room for negotiation in those contracts at times. So they get paid for having a body in a seat for X number of hours. That's all there is to it. When you're going above and beyond that, it's not gonna, you know, and these government agencies and the contractors that they work with don't receive the same benefit from being involved with a small security conference, a localized security conference. My bosses were all in DC. They really didn't care about a security conference in San Antonio, 'cause number one, they weren't really in the business of security anyways. Number two, they're in DC. That's got no impact on them. So working with them in that regard was very difficult. I ended up going the whole with PTO. When

I left my last job with the DOD, I ended up, I think I owed them my last paycheck after my last paycheck. It was nothing pretty. But for me it was worth it because I was doing something for the community and that was something that really, really mattered to me. Since then, I've been very fortunate to have handed off B-Sides San Antonio. I did that for three years. And that was while I was working at DEF CON and while I was doing my job here and while volunteering for the rest of B-Sides Texas organizations, DFW and Austin, and we had one in Houston. So there was a lot happening there when I was involved with that. But all that time was on me, right? This is something I chose to

do. Now, since then, I've been very, very fortunate. When I left the DOD world and working as an Air Force contractor, I fell, gratefully, into Rapid7. And as you can see, Rapid7's pretty present in the community, right? We're everywhere, right? And there's never been a case of them not being supportive. As a matter of fact, the reason why I was recruited by Rapid7 is because of the community involvement that I had. And that was one of the reasons why they hired me. They like it when people are getting out there and spreading their word. Perhaps you're going ahead and branding your slide deck if you're giving a talk. But they know that I am with Rapid7. I carry my business cards.

I hand those out. And they're very supportive in that regard. They ensure that I get to conferences, because most conferences don't pay for them. So can you drill down a little bit more into conference management? Did you know what you were doing when you started B-Sides San Antonio? Oh my gosh, I had no idea. It was such a mess. I was really lucky I had some mentors. So that was hugely important. But I had no idea what to deal with when it came to... I didn't realize, you just don't think about it, right? You guys, people come to a conference and they're not involved with it. They're just like, "Wow, this is a really cool

show." "Oh, look at the cool artwork." "Oh, look at, you know, I register here." Or, "They have sponsors that are doing this." People don't have a clue on what goes into conference management. B-Sides San Antonio is tiny. I mean, and you look at something like this and you're just like, it's mind-boggling. So finance management. Finance management. You're dealing with personnel management, because you have to go ahead and get the crew that's going to run the event. You then have to manage that crew. You have to hope that you're finding responsible volunteers, which... Sometimes don't show up. Yeah. That's not a hit on Megan. That's not, I don't know. No, no, no. You know, we, you

just, you're stuck in a position where you have, this has to be done to a certain level of expectation that you set for yourself, and it doesn't always work out the way you want, but you learn so much dealing with people. Gathering money. Oh my goodness. I'm horrible at it. I learned this because I dove in headfirst, got it done, but oh my gosh, so difficult. Yeah. So, Kirsten, talk to us a little bit more about, you know, if you saw all of the things that Cindy does, now, would that turn you off as to her, for thinking that she's going to be out in the community and not doing her job? Or how can

you drill down in interviews and find out the skills that she has been using? I mean, would you find that valuable in her, beyond her technical skills? So, from a recruiting perspective, I have an unfair advantage in the lens that I'm looking through. I realize that just organizing a village is not the same thing as organizing an entire conference, but the volume of people that we have coming in and the amount of things we have to deal with... Today we realized, this morning we realized, oh crap, we need insurance. And we aren't sure if we have all the dedicated power grids that we need for all the things that we're going to be plugging in, and we don't want to blow up the Flamingo. Maybe, probably. So, for

me, I'm going to look through a different lens, right? But typically, if you as the candidate or as the potential candidate are able to articulate all the many things that she was describing, or that anybody that is volunteering, even if you're just strictly the person managing the sponsorship... If you're, oh my god, did anybody think about uplighting? Is that a thing? Do we need that? Do we want it to be dark? And why are we just realizing this now, a year, you know, a year into it? So for me, I encourage people to make sure that you are able to articulate those things. Find a volunteer at a place like this, Hire Ground in particular, that can help you articulate those things on your resume. But I

can't imagine any recruiter worth their salt that isn't going to see value in your volunteer time. The fact that you are... outside of the things that you have to do. This is what I say to students, this is what I say to engineers at every level: tell me about the things that you're doing that help you develop professionally that you didn't have to do, that you're not getting paid to do, that your coursework didn't require you to do, right? No recruiter worth it isn't gonna see great value in that. So one thing that I always recommend, and I rarely see anyone doing this, is any volunteering that you do, take a few moments after your shift, after the time that you're there, and write down what you did. So

this pertains to volunteering for the day, this pertains to a competition. It's keeping that sort of journal of: did I, you know, de-conflict a situation? Did I verbalize something in a way that someone else understood it? Was there a technical problem that no one knew how to solve that I was able to solve? It's really being able to create those real-life experiences that you can share in an interview. Because how many of us have gone into an interview and they say, "Explain to me a time when you learned something new." - Oh, can I talk to that right now? - Go right ahead. - Oh my gosh, so okay, I don't know how many

of you were impacted by the kerfuffle with the badges yesterday. Okay, it was a mess. Thank you for your patience. We appreciate you. I basically had to stand in front of a line of people and say, there will be no walk-in badges. Go home. And that was devastating for me. This is like, this is, I've been here forever. This is my con. People come in, yes, this is awesome, and they had to kick people out, and they don't care what I'm feeling. They're like, well, dang, I've been sitting here since 6 this morning. What the heck's going on? So to be able to say that I de-escalated that to a certain degree and assisted with

that in that manner, that's a major skill that I wouldn't have had if it wasn't for the participation that I have here. I basically had to tell about 300 people, get out. And then I got to welcome them back with open arms afterwards, which was wonderful, but that's beside the point. And you're going to go home and write about that. Oh my gosh. Conflict resolution, so good. Yeah, so I think you have to understand that these are real-life experiences that you're going to be able to use in talking in an interview, in a face-to-face interview, being able to talk about it when you're on a phone screen. I know we're running out of time,

but I'm still going to move a little bit farther. So... Competitions. It's interesting that many recruiters are now starting to look at which competitions you are part of. And really looking at: are you learning the skills that you need in the competition? So I would highly recommend that if you're in a competition, even if you didn't win it, definitely list it on your social media profile, definitely list it on your resume, and also be sure again to look at it after the end of the competition, rather than, you know, high-fiving, "We won," having that beer. Definitely say, okay, what was the technical skill that I learned? What did I mess up on? You know, what

did I fail? We learn more when we fail than when we succeed. How did I communicate with other people? Because you're actually in an environment where there's a time crunch, there's a resource crunch, it's a problem you've never seen before, and you're working with people that you've never worked with before. Gee, what does that sound like? That sounds like work. Okay, that's real life. So why are you not journaling those situations so that, yes, you may not have all of the work experience that the job is asking for that you can say on your resume, but if you've done 10 to 12 competitions, I'm sorry, but that translates into work experience, because you've been in

that work environment. If you're looking to get into another industry, if you're looking to get into another skill set, broaden your horizons: go to the Car Hacking Village, go to Cyber 9/12, which is a cyber policy CTF, go to any other CTF so you can expand your knowledge. If you're looking to move into another industry, really consider going to the CTFs there, because not only are you going to learn the skills, you're also going to network. And we all know the number one way to find a job is networking. The other thing, and I'm going to ask Kirsten to talk about this as well, is presentations. So you may not be the person that wants

to de-escalate 300 people having to walk out the door. You may not be the person that wants to be in competitions, but you do like to present. Now, Kirsten, what would you look at if someone presented a lot? What does that say to you? Do you say, ooh, I don't want to talk to them, or do you say... I do want to talk to them. It just so happens that when we did our call for papers, you know, we had to look at a lot of presentations, and then all those presentations had to be scrubbed. So I guess I need to remember to put that on my resume, that I can scrub presentations. You know, it takes bravery too, right? The people that are smiling, maybe me, maybe

you, maybe we're tired, maybe we're nervous. Imposter syndrome, it's a thing, Google it. Sometimes you feel terrified, like, why do I even deserve to be here? Why am I an expert, right? It's all normal stuff, right? So the majority of the people that are getting up, that are doing their presentations, they may say something you don't agree with. You can collaborate with them. They're taking the time. They're probably not getting paid to do it, but they're putting together their presentation, and there's a lot of planning that goes into that. The one time you made me put an actual, for RecruitDC, actually put some slides together, I can't tell you how much I stressed over

every little graphic. Are people gonna laugh at that? Is that funny? Is that cute? Is that relevant? Right? A lot goes into it, right? So absolutely. And I also will encourage you, if maybe it doesn't make sense for you to be in a competition, you can still go to them, and you go to the talks too, right? There's so much to learn. And besides the competitions and the CTFs and the cool prizes and all that stuff, it definitely shows that you worked on a team. And some of the best lessons... My unsolicited favorite question, if you're recruiting, that you should ask, and if you're the candidate, that you should volunteer before you get asked,

and I know I told this to a couple people today: talk about your failures, right? You don't put it on your resume. You don't say, I messed up the thing. But so when you talk about your accomplishments, you're going to reveal so much about yourself when you describe, give your testimony to the thing that broke, to the thing that blew up, to the thing that didn't work. Do you blame others? Do you figure it out? Do you learn from it? Are you prepared in the future to not blow up the robot? So I would recommend to think about... Catch your interviewer off guard and talk about what you did and how it didn't work and

what you learned from it. Because everybody makes mistakes. So the one thing I would say about presentations: realize that it takes a lot more time management than you would think. So understanding that, you know, the RSA, if you're going to submit for an RSA, they close tomorrow. Yeah. And that just went out this morning. I don't know how many of us missed, you know, that the deadline's for tomorrow. Yeah, that sucks, right in the middle of... Yeah. But understanding that one of the reasons why people think that presenting is a hand-picked club, and it's not. It is someone who puts through a defined outline of what they're going to speak about. They know when to submit it. They know how to fill it out correctly. I can tell you

there is not a uniform way of filling out a proposal submission. One of the most difficult that I've had to do, even more difficult than RSA, has been Grace Hopper. And it's an eight-section proposal. And it's great, because then it's now my foundation for every single other conference that I submit to, which is, you know, I did all that work in a week. So, but realize, if you're going to present, if you have to engage your employer or not, I know that one of our resume career coaches over there, we had to engage her employer nine months ago to make sure that she could present here. And then you can also decide, do you

want your employer to know that you're presenting, or are you doing it on your own? And that's your own decision. So we're gonna move into some final thoughts here, because a theme today, a sort of underlying theme, has been burnout. And one thing that happened when I did the survey: 80% of the people who said that they do volunteering said it stresses them out. And what was interesting is that they said that they would still do it. But 80% of the community says that burnout, stress, is a major part of them volunteering. It's back stress, it's headaches, it's migraines, it's anxiety, it's depression, and they still do it. One of the things that I want Cindy to sort of touch on is how you

look at delegating, your succession, and how you look at how you move on. Because the one thing that I will say is, if you tend to burn a bridge in a volunteer situation, you are probably doing the exact same thing in your career. You're probably going much farther than you should, and then you're doing the high middle finger and walking out and trying to find a next job the other day, rather than planning your exit. So Cindy, how did you plan your exit with B-Sides San Antonio or any other situation? - So with B-Sides San Antonio, my first year there, as I mentioned, I had a spectacular mentor, Michael Goff, who was

with B-Sides Austin at the time, and he was just feeding me information. Hey, you need to time this, you need to time that, you need to time that. So he basically trained me, which was wonderful. I, with his help, and what I thought was the help of a committee, which ended up not being a committee... Even the guy who was only supposed to get the beer moved out of town and didn't even find the beer for me. Didn't even source it. It was horrible. So I ended up doing that myself, with his assistance. So the next year, I had it planned out. I knew how I would go about doing it. And I tried bringing

in a couple of key people who seemed as passionate as I was about it. By the beginning of the planning cycle for the third year, I knew I needed to step back. Three years doing an entire conference on your own is exhausting. The stress levels were ridiculous. The amount of time it was taking me to take off of work, I didn't share that with anyone. And I was fortunate enough to have somebody involved, kind of on the periphery, but a lot of that was my fault, because I wasn't very good at delegation yet, that was willing to take it on. And I basically kind of said, "Hey, by the way, this is my last year.

Here you go." About a year out. So we had a year to get used to the idea and a year to object to it. So I was very fortunate in that regard. Other scenarios are much more touchy, I think. I think, you know, you're basically the Wikipedia for your subject, right? So for instance here, I lead registration for B-Sides LV. I've run registration, or been a part of registration, since B-Sides LV 2. That's been a while. I've got the historical knowledge. Me and three other people are the oldest tenured staff members here. I've got the historical knowledge. How do I hand that off? If I were to say next year's my last year, who do

I hand that off to? Do you groom staff members, and are they willing to stay on after you leave? You know, I mean, you end up building a pretty tight team. It's just like any other organization, but because it's volunteer work, it's, I don't want to say it's easier to step back from, but there's more, I think it's a higher likelihood that a team of people would remove themselves than in a paid position. So, it's looking at succession planning and leadership planning, and it brings back to the point that someone is not responsible for your career. You are responsible for your career, and you are responsible for having that conversation with your manager as to where you go in your company. And if you're

in a volunteer position, you need to be responsible enough to say, "I'm starting to get burned out. I'm starting to get tired." A lot of us who get involved in the community say, "No one can survive without me. I'm going down with the ship." And that is where burnout happens. You have to say, "I'm at this point where I'm tired, I'm still having fun, and I need to plan it about two years out," and let the people know. Don't hold it as a secret and say, "Oh, by the way, tomorrow's my last day." I think we would all get shot if we did that, or something like that. Sorry, I shouldn't have said that. We

would all have people get very upset. So Kirsten, I know you've been involved in a variety of things. How do you handle sort of succession planning or handing things off or delegating, or do you not do that? I could... That's an area where I can definitely improve. I'm just going to be honest with you. Delegating is also an area where I, I don't want to say I struggle or that I don't get it right, it's part of management every day, but asking for help is something that you need to... You're like, wait, I'm the helper. Learning how to ask for help, right, is sometimes a struggle. I have a New Year's resolution for three years running that I will do less and not

overextend myself, and I'm not gonna call out any conference in particular, but there's one, there's a lot of conferences happening the week of summer camp, and one of them I'm not attending. You can see me here, and you'll see me somewhere else in a couple days, but I just, I'm not stepping foot over there. I'm just done. Just for me, it's exhausting. It's too much. So you have to, that's humility too, right? To realize when you've reached your limitations, and then to... It's your own time management also, right? Besides the resources and the vendors and all the things that you need, you need to manage yourself. So you have to give in a little bit,

surrender. So this is the last presentation for Hire Ground. And before I start crying, because you know, this is always a labor of love. Do we have any questions about volunteering, or do we want to just have an offline, not videotaped conversation about this afterwards? What's the vote? No questions? Okay. Thank you so much for listening to our conversation. It has actually been videotaped as well. We're going to be doing this presentation again at DerbyCon. We actually have all of the community survey data about community volunteering and career development that we're going to be releasing there. Thank you so much, and thank you for being part of Hire Ground. Thank you. Thank you. Thank you.
