
All right, so this talk is from a rock star herself. This is on the security TPM role. So without further ado, I'll just introduce Lee Nider.

Thank you. All right, awesome. So my name is Lee, and as some people who walked in on time or early saw, I actually got the title of this wrong, so that's a hilarious way to get started this morning. So I am a principal security engineer, and all of a sudden everybody in the audience is going, "Why is the security engineer going to talk to me about the technical program manager role?" Don't worry, we'll get there. So you can read more about me on my LinkedIn. I also did an interview for tl;dr sec about my life as a staff-plus engineer. In my spare time I run a lot of security conferences, so I used to run BSides Boston, I'm on the BSides Seattle planning committee, thank you. I'm also over at The Diana Initiative; see, lots of fans. And I used to be a TPM, right, that's why it's okay I'm doing this talk. Also my good colleague and friend Raji was supposed to be here with me; unfortunately she had a family commitment and she's not here, but she is a technical program manager today. She is a TPM manager manager, which is really awkward for me to say. So she helped me write these slides, she helped me write the abstract, so it's not just my thoughts. But my normal disclosure: these are my thoughts, not my company's.

All right, why this talk? I get asked all the time: how do you become a TPM? How do you explore multiple domains in security? Like, it seems really hard to move around in security, so how do you do it? And what are the two or three factors that were central to your career? This role, by far and away, is why I am who I am today.

All right, yeah, so this is BSides, so you knew there was going to be audience participation at some point. I made it early. All right, so who in here is a TPM? All right, who's thinking they might someday want to be a TPM? I got some hands. All right, how about people who work with TPMs? All right, how about people who work with TPMs and actually think you know what they do? I know, that's a really... I know. And then how many people are in this room just because you know me? Yeah, okay, thank you friends, thank you for the support.

All right, so this is the classic thought process of what a program manager is, and I kind of feel bad for the guy. He doesn't look happy, does he? He looks actually really unhappy. I'm not a big fan of describing the role this way. I think it actually does a disservice to both the people in the role and the people they work with. Though I have a funny story: I didn't actually know what this meant the first time someone said it to me, so this is my thought process, quite literally. I went somewhere else, because I have, you know, attention problems, and then I went to, like, "Wait, I'm going to have to herd... like, at what, like... so herding cats is hard." All right. This is going to be hard to read, so I'm going to read it to you guys. So this is a Twitter account called Security TPM: "Like an engineer who can talk to people."

So what is a technical program? Like, let's start there. So TPMs typically will lead large, complex, multidisciplinary, cross-functional programs. That was a lot of words. So what's an example of that? So how many people remember preparing for GDPR? Yeah, okay, I would hope a lot of us remember that. So see a TPM: think about what their role would be in that type of program, right? They're going to work with legal to understand their requirements, they're probably going to work with compliance to understand what compliance thinks, they're going to work with developers to build the tooling that you need for GDPR, and then they're going to work with the teams that got to migrate to those tools. So you can see that role is working across teams. Now today that would probably actually be somebody who specializes in privacy, but at the time that GDPR came out a lot of the people working on it were in security, because that's what we had; like, people weren't yet specializing in privacy.

What's another example? Often it's someone who works on something that's not a product. What the heck does that mean? So a good example, a lot of people probably have done this before: you write your own detections. So the TPM is going to be a person who's analyzing the data, all the different data streams coming in, and saying, "Okay, cool, I'm going to raise my hand and figure out what we need to deliver," and do that. But the important part of this, why we're talking about security, is they do it with security, right? So they have that security acumen and they can come in and lead. I'm just going to make sure I got all my points. Whoops. Oh yeah.

So what are some examples of programs I've led? So many years ago, if you were here at BSides, you may have actually seen me working in a booth. I used to work for a different company, and someone once asked me, "What do you do?" and I said, "I have the most awesome job ever." I actually ran a program for developer education, but I got to work on gamification, so I got to run a capture-the-flag program both internally and externally. So what did that mean? Well, I had to work with the developers who built the platform. I had to work with legal, because if we were doing questions externally we had to make sure that we weren't doing anything that would be objectionable. I had to schedule the pen test, right, because we want to make sure the platform doesn't get hacked. And then I had to, you know, get people to write questions. And what's interesting about this is that that wasn't anybody's job, right? I had no engineers assigned to me, I had no one, right? I'm just on my own. But a lot of people are really interested in this kind of activity, and it's a lot of fun. I actually used to write the social engineering challenges for the platform, and we're going to get to why being technical matters to the TPM.

Another example: we kind of were talking about how we solve the same class of problems over and over and over again, and working with some engineers we went and did root cause analysis, and what we figured out is that the reason we'd see the same type of problems over and over again was that we really needed to harden our platforms and frameworks, right? So what does that mean? Well, it meant I had to go convince these development teams that they wanted to work with us directly to fix the problems in their platforms or frameworks. So there's, like, a wide variety of work that you can do.

But what would you say you do here? So I gave you some examples of technical programs. I think the most important part is that you are still an expert, right? You are still a security expert; that's why they hired you. So you need to bring your security skills and your technical acumen and come in prepared to deliver. When you think about a TPM, they are the person, and I'm going to try really hard not to curse, that gets stuff done. Stuff. Okay, I did it.
But really, they're the person who comes in and leads the program, right? They develop the strategy and then they do the execution end to end. So they've got to go get buy-in from leadership, they've got to convince leadership to staff that program, right, they've got to demonstrate how it's going to be successful. So out of the gate you've got to be thinking about what are your success metrics, what are your OKRs, right? It's not just "I got to design a solution," but "I got to show why that design will be successful." Again, oh yeah, some other points. So remember how I mentioned they're the leader of the program? So you're going to work cross-functionally, right? You're going to work across the organization, and that's really where a TPM can add value. If you have TPMs working only within their team and not working cross-functionally and cross-organizationally, they're just not going to have the same impact. It's why often the ratios for TPMs to engineers, there's going to be a lot more engineers than TPMs. But some of this kind of depends on the company. I'll be really honest, my background is entirely FAANG, so that's going to cloud my experience, right? But really, you're going to find some places will just have a handful of TPMs, some people have fleets of TPMs, right? So it really does vary. But the important part is you're the leader of that program, you're the person who owns it and drives it end to end, and you bring in that security expertise and that experience that you've had.

The funny thing is, I didn't start as a security TPM, right? So my background originally is a pretty normal IT trajectory, right? I started in the help desk; I helped people fix their computers. It was not my favorite thing to do. I became a desktop engineer, so then I could ship, you know, OSes to people, basically. I moved to a standard systems engineer role, you know, so then I would build systems, and then eventually I landed in identity and access management, which I actually really like. To this day I still like IAM, I think it's a great role. And that's how I became a TPM, actually. Like, I was an identity and access management engineer, I became an IAM TPM, and then I thought, well, security is kind of cool, I could do that, and hilariously got hired in AppSec. You all just listened to my background; is there anything I just said that said I could code? In case you're wondering, I still can't really code. I'm actually a decent scripter, but please, please don't make me code. But that's the beauty of this role.

All right, so what's the difference between a TPM and a PMT? So PMT is a product manager, technical, and this is hilariously not lined up. So the biggest difference is a TPM, remember I told you, they focus on programs, often programs that aren't products. But a PMT is all about the product, and they're all about the product lifecycle. They care so much about the customer needs, the customer voice. They are the what and the why; that is what they focus on entirely, the what and the why. A TPM does not care about the what and the why; we care about the how, the when, and the who, which is why we do things like develop work-back schedules. We figure out who we need across the company and we figure out how we're going to get it done. Often we have to figure out how we're going to get it done with the least amount of resources and as fast as possible, and that's when that strategy and execution becomes so critical, right? So we focus on milestones, deliverables, resource allocation, and measurement. Like, that is the bread and butter of the job.

Okay, so what's the difference between a TPM and an EM, EM here being engineering manager? They look similar, right? You got the how, the when, and the who. Yeah, I did that right, okay. But the biggest difference is the engineering manager is focused... now this assumes they're also just, like, a standard... like, I don't know what the right definition is, but they just have a team. They're not a senior manager, they're not a director, so just go with me on this analogy for a bit. They focus on their team, right? Like, that is their focus. They do team deliverables, they do team allocation, they also do performance management. The TPM, though, is like: I'm going to focus, again, on the same things that were on the other side, right, but it's across the org. Like, that's the biggest difference, I think, is that really you're focused across the org, across the company, not just within a team. Now this changes obviously as you go up the engineering ladder; as an engineering manager you start obviously looking across, so I don't want people to get the wrong impression. One of the interesting things is a lot of times people forget that the TPM can help you. Let's say you don't have enough resources to get something done. The TPM is the one that's going to go and advocate; it doesn't necessarily have to be the engineering manager advocating for additional resources. Or let's say the project has gone totally off the rails. The TPM is the one that's going to go explain to leadership why it's off the rails and what they are going to do to fix it, again helping the engineering manager. So those are the differences. The interesting thing is that often people will start out as TPMs and they'll learn a lot about strategy and execution, and let's be clear, you learn a lot about people management, and they'll go on to become engineering managers. It is a very, very common path. I've done it.

Okay, so we talked a lot about, like, what they do. What's not in scope for a TPM? I mean, there's a reason I say "just," right? If you find yourself just taking notes, just scheduling meetings, just reporting, guess what? You are not a TPM. I don't know what that job is, but it's not a TPM. I mean, I kind of... I love this: "I started the day with problems and now I've got a lot of spreadsheets." Again, not a TPM, but pretty funny. So what if you find yourself in this situation? Like, how do you get out of it? I've had to coach a lot of people who found themselves in these roles unexpectedly: wildly technical people, right, wildly talented, great at execution, but for whatever reason the org is just like, "I just need a note taker, so here you go." There are so many ways. So let's say all you're doing is taking notes. Well, out of notes come action items, right? You're in a meeting, you're taking notes, you're discussing what should happen: start suggesting the action items, start demonstrating that ownership.
Let's say again you find yourself only doing reporting. For whatever reason that's all you do, you just send status reports. Like, start owning some of that, right? Do the data analysis, show that you can do the data analysis, write the dashboards. There's lots of ways to also demonstrate your technical skills. You could script something, right, automate a simple thing, but make everybody's lives better. Go chat with the engineers: "Hey, what's your big engineering problem?" and try to show how you can help solve it, right? Look for pro... like, literally seek out problems and fix them. That's how you demonstrate your value. Now this one's probably a little strange; people are like, why is mentoring engineers on this list? So think about what a TPM is good at. They're good at problem solving, they're good at execution, they're good at leadership, they're good at program management, right? They're good at getting people together, moving in the same direction to get things done. Guess what you have to do as you climb the engineering ladder as an IC? Everything I just listed. If you cannot do that you can probably get promoted still, like you can probably get promoted purely on technical skills, and congratulations. If you want to be a phenomenal leader, that's not going to get you far enough.

Okay, so what makes the TPM successful? We talked about a lot of this already, right, but a big one is you really do need to understand systems architecture and design. So think about it: like, if you're having a conversation with your engineering counterpart and you don't understand what they're telling you, go get a book, like, go learn that system. You are paid to understand how systems work together, how to anticipate the bottlenecks in them. You're paid to find the problems that people create in their own designs. What's really interesting about this to me is that my background, as we talked about, I came up as an engineer. This is the easiest part of the interview. This is, like, the most delightful part of the interview for me. They were like, "Just design a system for me," and I was like, "Great, can I do this all day?"
Like, when we got to the "Tell me how you're going to measure success," I was like, "I've never done that before, but here are my thoughts." If you cannot do this, I have a slide later that will give you some great primers for how to learn how to do it. You really need to have security knowledge or interest. And why do I say "or interest"? So remember I said I came out of IAM, right? That's an adjacent field. I think it's a fair call, right? And I remember my interview being asked, like, everything about authentication and authorization. We, like, geeked out on certificates, which still cracks me up to this day. But I had all these transferable skills. Yeah, as I said, I wasn't a developer, I didn't know how to code, but I did understand systems design. So they threw a system at me and they're like, "What's wrong with this?" And that was an interesting experience, because I wasn't yet as experienced in security as I am now, but I could find the flaws in the authentication and the authorization. So, passed that interview. Okay, that's neat. All right, I won't walk that way.

Okay, what else? So you're there to drive clarity, right? Whenever there's confusion or people aren't on the same page, you are there to ensure that we all, like, march to the beat of the same drummer, right? So you're really driving that clarity. You're either removing blockers or you're trying to anticipate blockers. So a lot of the way people talk about that is you're looking around corners, right? So you're anticipating when something might go wrong and calling it out. And this is actually really interesting to me, because more junior folks will often try to hide these problems when they're TPMs. So the classic way to talk about a program and how it's going is it's either a stoplight, right? It's either red, yellow, green. Green means everything's great, the program is super healthy, we're going to meet all our deliverables, it's awesome. Yellow means we're at risk; there's some problems, we need to develop a path to green. Red means we are blocked and we actually need help figuring out a path forward. Too often a junior TPM will tell you it's green right up until delivery, and then suddenly it's red. And the problem with that is they're afraid to ask for help, they're afraid to show any sort of vulnerability. And I can't stress this enough: go get help. Go ask engineers for help, go ask other TPMs for help, go ask your manager for help, go ask for help. Never, never hide just how off the rails something is going.

You need to be able to communicate with all kinds of people. So remember how earlier we were talking about the program might involve legal, and it might involve developers, and it might involve product? It's going to definitely involve leadership. Every single one of those audiences is different, and getting in front of all of them and being able to communicate properly to all of them is a learned skill. I was not good at it at first. I came from an engineering background, I talked like an engineer, I really did have to learn this. But this is a huge skill set, so think about it.
You want to climb. Again, as an engineer, you're going to be in front of a VP or a director. You get to do this way earlier as a TPM. You know, I was a very junior TPM when I was talking to VPs. I was talking to SVPs, and I remember thinking, "I don't know why I'm in this room, I am not high enough, I'm not important enough." But that is the brilliance of this role: you're going to influence up, down, across. Often people say this is without authority, and I think the reason they say that is, remember, you're not responsible for the engineers that are on your team. You're not responsible for the engineers you're working with across the org. You're not writing their performance reviews. You might influence them, but you're not actually leading that team. Here's the problem with that: you're the program owner. You are the authoritative source for the program. You have authority; use it.

So, getting hired, or hiring, and I will have to check my notes because Raji wrote a lot of this slide, I did not. So you do need technical program or project management experience. And so often people ask me, "Well, you know, like, I'm an engineer, how do I do that?" Run a project. Raise your hand, say, "Hey, I saw that we're going to do this smaller thing just in our team, it's not going to involve a lot of other people." Figure out how that works, show what the milestones are, like, figure out the success metrics. I mean, that is literally what I did as an engineer, just because I thought it'd be interesting, right? I like weird things, I'll admit that. But then what I was able to do, because I had done that, right, is tailor my resume to demonstrate, "Hey, I have some PM skills, I could probably do the rest." So, and let's say you can't even do that at work for some reason. Remember how earlier we were talking about community experience? Raise your hand and volunteer for an event like this. Try to get on the organizing committee; that will demonstrate your PM skills, right? Like, run something end to end. Talk about how do you measure the success of a conference. By the way, that's really hard, but now you have something you can go into an interview and talk about.

We talked about systems design. Okay, so the first one is the thing I send to people, because I think it's a great resource and it's free. The second one is the one that Raji recommended. I've never read it, but I trust her a lot, so she says it's good, it's good. But I also feel like I have to warn you, I've never read it.

You need to have communication skills and collaboration skills. So any way you can demonstrate thinking about different audiences and how you collaborate with people across the aisle is really helpful. So are you the kind of person who runs towards problems, or do you run away? If you run towards problems, great role for you. If you run away, this is probably not the role for you. I'll be really honest, you've got to have a lot of tenacity to be successful. You need analytical thinking. You've got to think through problems. You're going to be thrown stuff at the interview you've never thought about, and you're just going to have to work through it on the spot. Like, seriously, when I first interviewed for a TPM role, I will never forget this, I had explained the project I was running. It was an Active Directory upgrade, a pretty standard kind of thing at the time, right? And the TPM interviewing me is like, "Okay, well, how would you feel successful?" And, like, frankly, my first response was, "Well, we upgraded and we didn't have an outage." He's like, "It's not really a success metric though, is it?" And I was like, "Oh no, you're totally right." To this day I have no idea what I said, because, like, this was the most stressful interview I ever had. But I kind of walked through, like, "Well, you know, thinking about it, I would ask stakeholders, did we do appropriate communications?" You know, obviously it is a success... was it successful or not? Did we do it on the budget? Did we do it on the timeline? So I kind of walked through, and the guy just kept going at it, like, "What about this, and what about that?" And, like, I do think if you can think quickly on your feet you'll be okay, but if you're not used to talking about what makes something successful, I do think that would be some time to spend.

You want to demonstrate leadership skills. Again, you're going to have to corral a bunch of people. We talked about it a little earlier, without authority; again, you have authority, please own it. And you really should have security interest or exposure. So Raji obviously hires a lot of TPMs, and I was asking her for some stories about, like, what's memorable about candidates, and she pointed out something that I thought was really interesting. So TPMs really have to listen. They really have to engage in active listening. And to be frank, everyone should engage in active listening, but they don't always, right? And she's explaining that she had this great candidate, super excited by them, and they weren't listening to what she was asking in the interview, and in fact they got kind of belligerent and angry, because she just kind of kept asking them questions, you know, trying to really understand their answers. And she was like, "All right, that's neat, that's not the right person," right? And so her point was, you know, if you are in an interview situation, you know, engage in active listening. Demonstrate... like, even if you're confused, I think you can respond in a way that's super helpful, right? Like, "Oh, I'm not sure I understood that question, could you reframe it, could you rephrase it?" Like, people ask me that all the time and I'm fine with that, right? What you don't want to do is tell the person, basically, "I think your questions are dumb." Like, don't do that.

So here are things you don't need. You don't need to understand specific technology at the company. Now obviously, if you understand... I'm trying to think of all the, like, actual programs out there. Let's say you don't understand Jira, you've never used Jira, but if you've used a tool that's like Jira, you're going to be okay, right? Because you can talk through, you know, how do I think about milestones, how do I think about deliverables. But you don't need to know the exact program the company's using. And people actually get really tripped up on this. They'll write me and say, "But I don't know Jira," and I'm like, "Oh my God, but have you used ADO? Like, have you used anything? What have you... have you used spreadsheets?" They're like, "Yes," and I'm like, "Great, we'll walk through why that skill set will actually work for Jira." So don't get too upset if you don't know the specific framework or technology.

You can learn a new security domain. So here's the really interesting thing, I think, right? I came from an engineering background. I worked really hard to develop those skill sets, and I was really good as an IAM engineer. I mean, I was really good. I would find problems and I'd call Microsoft and be like, "I don't know what to do, here's like the 20 things I've done already," and they'd be like, "Please hold," and I was like, "Oh no, I've broken support." And eventually they would, you know, find somebody at the company who was a principal and they would work with me, and I'd be like, "Great," and I fixed the thing, right? And so I thought I was really good at it. I can't go be a different engineer, not easily. Like, it was much... when I thought about, like, when I wanted to grow, I was like, it'd be really cool to go do something else, but my background was IAM and I knew it inside and out. As I said, it worked really great for my AppSec TPM interview, but I'm not convinced that it would have been as easy to move into a different engineering field as it has been for me to move around as a TPM, right? So as a TPM, you know, as I said, I did IAM and then I did AppSec and then I did portfolio management, that was weird, I did privacy, right? Like, I had a lot more opportunities to move around, because I had all these other skill sets; I could learn the next domain.

So some examples of what other people have done. I had a friend who did security awareness, right? So that's very much rooted in, like, teaching people about basics and security, and she was really interested in incident response, and when a job opened up she moved into incident response, right? Like, not as an engineer, to be clear, again as a TPM. But think about it: if you're doing education, how easy would it be then to move to incident response? I'm not saying you can't do it, I'm just saying this is an easier path. I had another friend who did developer educ... I have a lot of friends who do education, I'm realizing all my examples are based on that. They did developer education, right? And so that's all very much about teaching developers, you know, the basics, like the OWASP Top 10, making sure they understand, like, security policies, right, and that they can do all that. And then they moved to security assessments for M&A. They're similar but very different skill sets. But again, as a TPM you have the ability to move around a lot. I'm really not kidding, it is just about anything.

I was an engineer; that is a very common path. I'll be really honest, they get engineers that are just like, "I'm so sick of building, can I do something else?" and they become a TPM. That's what I mean; literally, that was the conversation I had with the hiring manager. I said, "I don't want to build anymore. If I never have to be in a data center again, I'm good. It's cold, it's loud, it's annoying. If I never have to deal, you know, with the private cloud," because that's what it was at the time, there wasn't... I mean, there was a public cloud, but most of us were, you know, using VMware, "but if I never have to think about moving all my physical servers to VMs, I'm good. I really want to do strategy." And they were like, "I got a role for you."

A lot of people were engineering managers. But remember how I said earlier a TPM becomes an engineering manager? And then sometimes people get sick of performance management. I talk about this all the time when people ask me why aren't you a manager anymore. I truly hate performance management. Thank God there are people who love it, because I hate it. I hate it so much, it stresses me out. I just... I'm not... I will mentor all day long, but I don't want to be responsible for the growth of other humans. I really don't. And I think some people just get burnt out as engineering managers, and they, you know, come back and be a TPM. You've got project managers, program managers, product managers. So sometimes folks will start in a non-technical role, right? They've got that great, like, writing background, they've got a great education background, they can really do great communication skills, but they need to grow their technical experience. And there are people who've done this; I think that's awesome. Assurance, that one probably feels like a left-field one, but I know people who, like, got sick of writing a bunch of QA jobs and decided that they wanted to go organize humans instead. But often what you find is they're just not candidates that fit neatly into another box. This is, like, the everything role. The other thing I forgot to mention is it's actually a lot easier to move to TPM in your own company. So if it's something you really are passionate about, I would recommend just trying to convince somebody at your own company. I tried that; they told me no. So then I went and interviewed at another company who said sure. So don't let someone who says no deter you; just find somebody else.

Okay, so why I love this job. And then I'm waiting, I know somebody's going to ask why I don't do this anymore. There was never a dull moment. There really wasn't. There were times that I wanted to scream, there are times I wanted to literally throw the computer out the window and send, like, a carrier pigeon saying "I quit." It's a trying job at times, but it was never dull. You have so many opportunities to grow. Like, please, please, please, if you are interested go read my tl;dr sec interview. I talk a lot about how this role was so critical to my own personal growth. I went from being, as I said, a really good engineer to being able to understand how to communicate with leadership, and it just opened the door to so many opportunities. My path was weird. Well, everybody's path is weird, but what I did: an IAM engineer, and then an IAM TPM, and an AppSec TPM, and then I became a security engineering manager, and then I was like, I kind of miss TPM, so I went back, did a principal TPM, and I was like, I don't really like this. Then I went back and did privacy engineering, then I really hated that; that's a different story for a different day. And then I was like, now what do I do? And so I interviewed for a bunch of roles, and I had, like, an offer to be a CISO and I was like, "Oh, I am not ready for that." I had an offer to be a director and I was like, "I don't think that's a good thing." And so I ended up being a principal security engineer again. And that's what I think is cool: like, there is no one-way door, right? And I used to joke that TPM is the only job you are paid to network. I'm not kidding. Like, you have to be okay with picking up the phone and calling a random engineering manager, a random director, a random VP, a random engineer, another TPM, and you have to build your network and get people to trust you. And that's what makes this really cool, because you're constantly networking, and because you're constantly networking a whole host of opportunities will just open up for you. And that is what I have, my friends. Another joke for you. Does anyone have any questions?

That's a great question. So the question, okay, for everyone else: I was just asked to compare the TPM role to the principal security engineer role. So I will get in trouble for saying this, and I will have other engineers tell me I'm wrong: I think a principal security engineer has to be a really phenomenal engineer and a really phenomenal TPM. Often you're going to be the person that's advocating for the new thing, and you're going to demonstrate how we can do the new thing, you're going to run the POC yourself, you're going to demonstrate what does success look like, right? And so you have to do both as a principal security engineer, and I think all the leadership skills you get from being a TPM make it possible for you to be a wildly successful principal engineer. That's just my opinion. Anyone else? Oh come on, you don't have any?
Yeah, thank you. Are there any obstacles or challenges regarding being a TPM that are unique to being a TPM, that you don't see in other engineering roles or any kind of security role?

Yes. So the reason I have the, like, "just doing X" is because often people will discount your capabilities. Like, they will just assume you are there to, like... I'll give you an example. This engineer pings me on, you know, whatever chat platform we have: "I really need a meeting with so-and-so." I'm thinking to myself, "What, you don't have Outlook?" But whatever, I'm really good at calendaring, no problem, I'll schedule the meeting for you. Don't do that. It gets worse. We go into the meeting, I get a high-priority escalation from leadership, and at this point I'm no longer paying attention to the meeting, right? Like, I'm trying to address what leadership needs, because that's way more important than whatever the heck's going on in this room. We get done and he's like, "Can I have your meeting notes?" And that was when I blew my top. I explained what my role was. And that actually, I think, is a real big challenge: you will constantly have to remind people why you're there and what value you add. Which is weird, because as an engineer I never had to explain the value I added, but as a TPM I always did. And I politely pointed out that he asked for the meeting, he owned the meeting, it's his, like, why didn't you take notes, man? Like, it's your meeting. So I think that's the biggest challenge of being a TPM, and it was not one I was prepared for. Thank you. Any more questions? Well, you can find me on LinkedIn if you think of anything else. I really hope that I encouraged at least one person to consider this role. We desperately need more security TPMs. I think it's an awesome role, so please reach out, I'm happy to help you figure out that path. Thank you.

Lee