
BSides LV 2023 - Hire Ground - Tuesday

BSides Las Vegas · 4:51:15 · 284 views · Published 2023-08

About this talk

BSides Las Vegas 2023 - Hire Ground - Day One
00:25:30 - Failing Upwards: How to Rise in Cybersecurity by finding (and exploiting) your weaknesses
01:27:20 - So Who's Line Is It Anyway? Recruiter Panel
02:53:35 - Penetration Testing Experience and How to Get It
03:57:00 - You CAN get there from here!

Transcript [en]

[Music]

[Music] Thank you. All right, and so you clearly all hate it and you're never doing this again, right? Right, I thought so. It's amazing, right? I love this place. You know, I can and will ruin BSides for you. I'm just starting the ball really low; that way it's nothing but impressive after that, you know. So I'm not touching the cables, okay? I'm going to talk into this now.

I'm going to speak at you now. How's that level? Can you hear that? Is that okay? I'm so sorry. You can hear me okay? Thank you, cool. Oh, that's the problem, is it? Because I touched something.

Hello? So apparently...

How about now? Hey, okay, thank you. Oh, don't ask me to do that, don't ask me to project like my normal self, it's going to be bad for everybody. So you all have anxiety, your mothers... your mothers are disappointed in you. This projection, right? That's what he means. I'm a massive disappointment to my family, so I figured you are as well, which is why you're here. You know what, it's really about the journey. Oh my God, is it time? Can I talk yet? Yeah, sweet. All right, let's talk. Hi everyone, so thank you for coming to this particular talk on this

particular day. We're going to talk about failing upwards today, and the fun part about it is, this is I think still the only presentation of its sort. I did a weird amount of research on the subject, and when I did this weird amount of research on the subject I realized there are no other presentations on it, so here you are. So how do you rise in cybersecurity by finding and exploiting your weakness? Let's dive in, shall we?

First, who am I? That's a really good question, random person. So my name is Wes. Hi. Oh, I got waves, oh my God, thank you. Okay, so I am currently living in Canada. I am not Canadian. I move around a lot, though: previously in the Netherlands, Japan, China, USA, Belgium, New Zealand. I keep moving around. I don't have a good reason for this, I just keep doing it. So there's that. What I do: I'm currently the Chief Information and Intelligence Officer. It's a really long set of words I gave myself. I have to type this in every time I do a survey, all those words, it's terrible. I'm also a data privacy advocate. I'm a hacker professionally and personally. I also am a runner, a gamer, I walk around the world sometimes, and I'm also... I need to talk into the microphone. And I'm also a hacker in my free time. Now, what's up? Oh, don't encourage me. Don't encourage me, I'm going to walk around and it's just going to be awkward for everybody. Thank you though. But why am I like this? That's a good question also. So I like puzzles and I seek novelty. I think we all can relate to this. That's pretty much me. Also anxiety, lots of that.

But before we start, before we kick into this for real, I just want to start off with some basic level setting. I'm going to start with the formatting today: we're going to talk about failing upwards, we're going to clarify what that means, and then I'm going to tell you my story. It's going to be story time, I'm really sorry about that, we have to suffer the pitch. Here's my pitch. And we're going to set some scenery, we're going to understand what the situation needs to be, and then we're going to go through the steps on how to actually fail upwards. When we're done with all that I'm going to give you some final advice, and hopefully we're all going to be failures very soon.

Some assumptions before we begin. I'm assuming that if you're here you want to get ahead: you want a better job, a higher paying job, more responsibility, something to that effect. I'm also assuming that you know what kind of job you want to have and you currently don't. I'm also going to assume that you have some basic understanding of what that job actually is, like you're not trying to break into rocket science, for argument's sake. I'm also assuming that you're willing to get weird about it. You really need to get awkward about it, get uncomfortable with it, because that's kind of how it works.

And some disclaimers before we begin any of these words: your mileage will vary, because your journey is going to be different from mine. It's just going to be weird for you, like it was weird for me, but how it's weird is up to you. And also, I see my privilege. I understand that I am cis male, certain height, certain build. That's going to affect how I succeeded or failed in this context. However, the reason why I'm talking about this is because I have several friends in gender and ethnic minority spaces that have done this too, so I've seen it work for others, which is why it's not just my story, it's actually just my example. That said, a little bit of warning: this looks easy and is hard. It is actually really tricky to stick the landing on this. However, ideally it's also fun, because if you treat it like a game then it's going to be fun. It's going to give you that charisma and confidence to do it correctly, and that's what's going to sell it. So it's going to be hard fun, if that makes sense. Yeah, okay, cool.

Now I'm not touching cables, but I'm going to push the button. There we go. Let's start with failing upwards. What does that even mean? If you just Google the term "failing upwards," what you're going to get is variations of "to advance in one's career despite failure." That's not failing upwards, that's career resilience. That's different. I mean, that's important too, don't get me wrong, but it's not what we're talking about today. What failing upwards is, is different.

But why would you fail upwards? I mean, first, failing upwards in this context is: have you ever just had a really, really mediocre boss? Like a guy where you're like, how did you get here? You're almost bad at this, you're forgettable at best. Yeah, that's what we're going to do today. We're going to get you in that space where you're that guy, or you're that person. Congratulations, you're about to be very mediocre and very successful.

But why would you do that? Why would you choose this path instead of just working hard? Well, that's the bad news and the good news. You may want to advance your career just because you want more money, you want more responsibility, maybe more ownership. These are all good reasons. But why you would do it, just in general: good employees don't usually get promoted. They just don't. I mean, maybe a pay raise, maybe some benefits, extra PTO. You're not going to get a promotion out of good work. You just won't. There's no reason for that. We're going to get to why.

And also, if you're looking to get a manager's job, for argument's sake, look up a job description for a manager. Can anyone tell me what a manager does, like practically? I am one, but I'm just curious what you guys think. What does a manager actually do? Skills? Emails. Emails are good. What else? Meetings. Emails, meetings, what else? Yeah, there's a lot of things that you could do in this room right now and be a manager. There's literally no technical skill to this. There's no degree for this. It's like Ken, and his job is Beach, you know? It's like that. So how do you become a manager? You fail at it, and that's how you succeed at it.

Anyway, how does it work? How do the actual mechanics of it work? We're going to get into the details of how it works mechanically, but here's just an overview. We're going to talk about countersignaling, we're going to talk about bias for action, we're going to talk about cronyism, that's the exploit in this context, the cronyism, and then we're going to talk about three out of the six principles of influence. Any social engineers in the room? Of course you wouldn't raise your hands. Oh, there's one. There's always one. It's usually the one who's more or less fashionable, there you go. But anyway, these are all psychological and social situations that we literally can't escape. We are all subject to this whether we like it or not. That's how we're wired, so that's how we're going to make it work for us.

But first, how realistic is this, actually? Well, here's some examples 10 years apart. Failing upwards is not just a really common side effect of the business world, it's been around since the Industrial Age. It's probably been around since time immemorial, kings and queens. So suffice to say everyone's looking for a solution, because they keep having these mediocre managers. But why not make it work for you instead of having to work against you, right? So yeah, it's real. But here's the part I'm going to try to get through

pretty quickly, because frankly this is not why you're here, at least I hope it's not, because it's a very dull life. But let's talk about how I got into the space. It'll kind of give you context and maybe some examples you can draw back to.

So first, real quick, buzz through who I am. As a child: geek stuff. I basically was the AV person in my house. I wired VCRs and broke TVs. And Game Genies, GameSharks, any fans of breaking games? Yeah, there's a few of those in the room. Teenage years: martial arts, more geek stuff, and also robotics and social engineering. I picked up... I competed with robotics, that and... you're seeing some patterns here that I didn't see, by the way, because in the college years I couldn't quite figure out what to do. But as far as jailbreaking phones and writing cyberpunk novels, very successful, clearly. And then early career, I was doing basic retail and hospitality, as we all kind of have, right? And then every job I had, it's like, hey, Wes can probably fix that. And yeah, I did, but I never once figured out that I probably should pick up tech as a field. It never occurred to me for some reason.

Yeah, so then you actually get to the point where I actually do realize I want to do this stuff. So I moved to China, I picked up a technical pre-sales job, kind of got my first technical job. And I go back and forth to Japan a lot, and I was shadow IT at every company. I was that guy, right? But at a certain point I started to make that an actual job, and so I picked up a basic IT job. And there's a pattern you're going to recognize if you've known me for five minutes, and that is that feeling, like you have these things that are wrong around you and no one else is fixing it, so clearly you fix it, right? You can't just let this be a bad situation, you've got to manage that. So of course, as an IT person, I don't hold still. I pick up systems administration, I pick up risk management, I pick up data center management, administration, project management. I did all these crazy-ass [ __ ]. Pardon my language. And then I burnt out. The lesson I learned from that is, just a bit of advice: if you are about to burn out, it's because you're still holding on to too many things, so just let some of it go. That should help. It doesn't solve it, but it helps.

So the pattern here is basically going to be that I keep doing all this work that isn't actually my job, and then I keep getting tired. That's going to be the pattern here. So I do that again, only this time I do it in the United States for a while: cloud systems administrator, site reliability work, a little bit of infosec work. And here's where I actually got into security, this job right here. I was basically just really tired and also mediocre. I was like, I am unexceptional as an engineer. I'm truly a beige pantsuit of an engineer. You can walk right past me and not know what I did. But I'm also tired and doing all these things I'm not supposed to. So, hey, you know what, you look tired, why don't you just go do that web application firewall for us, because no one wants that. I want you to do that. And so that's how I got my start in security: doing the thing that I wasn't supposed to do, because I was not great at the main job. So that's how I kind of broke into security.

So that said, here's the actual pivot that we're going to talk about today. This is the actual important part.

So I start off with doing some... So I moved to the Netherlands in 2016. No particular reason. 2016 was a good year to move away from the United States, no specific reason at all. And yeah, at that point, that's my actual first named role in security: security engineer. And while I'm doing this job I realize that there is no security state to engineer on. There is no platform, there's no tooling, there's no services, there's nothing. So it became my job, because again, why would it be someone else's job when it could just be mine? So I build an infrastructure out of it, I build a sort of a state out of it. I organize the tools, I set things up, I have a lot of help, because I'm a mediocre engineer, right? I organize all the policies, I organize all the governance, I build an entire thing, and I was really happy. And then the new CSO comes in and is like, hey, you look tired, would you like a slightly easier job where you just write the policies and do the governance on its own? And so that's how I broke into an information security officer role: again, doing work I wasn't supposed to, and apparently I was better at that than the job I was actually doing. So there's a pattern here, right?

And then from there it gets really boring. This is basically, once you're management, you just go to another job. Just ask and you'll get another one. That's less interesting. But at that point I keep getting tired and doing the work of someone else, and then wind up doing that job instead, and then getting a job out of that job. And so I did that like three more times. I'm not a CSO anymore, actually, I think that's a different title now. But anyway, and then I moved to Canada. Long story short, so that's the journey.

Let's talk about the actual subject matter, though. There's a story here, and the story is not actually how I move around or why I'm like this. The story is I keep getting tired and getting a new job. So let's talk about that. Failing upwards: how does it actually work? Let's talk about the psychology for a second. That's probably the most interesting to me personally. Countersignaling. So when I say countersignaling, what I'm talking about is, think of it like a humble brag, right? It's like you're saying something negative to indicate a positive, or something positive to indicate a negative. That's one of the

key factors in this process. We're going to talk about how it connects as we get to the actual steps, but that's one of the things of how it works mechanically. Failing upwards is going to be a combination of this and bias for action. So I'm a huge movie nerd, and Bruce Willis is, I'm going to say, demigod level to me, give or take. Not anymore, not anymore, God, but back in the 80s when he was on his game. Bias for action: Bruce Willis is actively bad at getting the job done. He falls, he breaks stuff, he messes around, stuff happens in this movie that's new to action movies in the 1980s, right? Bias for action means that you're going to be happy that he's trying, regardless of whether you're successful or not. That's what we're going to do as well.

Cronyism, though. So cronyism is a negative, but we're going to make it work for us. Cronyism in this context is the idea that there's a circle that you're not a member of, or that you are a member of and others are not. So it's exclusive. That's the point, it's exclusivity. It sucks, but we're going to exploit it. How it exploits is interesting. Basically, if you treat this like an attack surface, then it becomes a different conversation entirely. If you look at it as: cronyism is a circle of trust, so circles equal trust, equals bias. If you're inside the circle, you have a natural bias for something inside the circle. Example: if you take your friend, and you take a person next to your friend, and they're identical in every way, let's call them twins, but one of them you like, one of them you don't, you're going to naturally trust and relate to the one you like more than the one you don't, even though they are literally the same person, just one you know and one you don't. So if you consider it in that sense, biases are completely unconscious and we can't stop it. We can't not be biased, right? So the exploit is this: trust is an expression of time and exposure, right? So what you do is you just need to have a force multiplier on either the time or the exposure or both, and that reduces the amount that... and that actually gets you inside that circle. It's a little more complicated and nuanced than that, but that's effectively what it boils down to.

But here's the part that's really interesting: there's a book called the Six Principles of Influence. It's a very popular book for the social engineering crowd, and it's actually just a good book to read in general. But what they do is they cover six ways to influence people. Reciprocity is the idea where you get something and you'll want to give in return. So we all go grocery shopping and we walk down the store, right, and someone's giving away granola bars or something to that effect, and you take a granola bar and you do not buy it. I mean, there's naturally going to be some psychopath who makes a conversation with this poor person who's giving out granola bars. That person's weird, right? No one sits down and has a five-minute heart to heart with a person giving away granola bars. But when we do, even if we don't buy the granola bars, we at least say thank you, we look them in the eye and we make at least a general gesture of thank you, you know, unless you're a different sort of psychopath. But the point is that you can't not respond if you're given something. You just can't. It's just innate human nature.

And then social proof is another factor in this. So you know there's always that one person who crosses the street before everyone else does, and then everyone else starts to follow them. It's like that. So there's always one of those people, and that's what we're going to talk about here as well, the social proof. If anyone approves, that is approval of all.

And then the last thing, and I really wish I could put more time on this, because that would be its own talk entirely, and that's being likable. If you're generally a dislikable person, this is not going to work for you. You've got to work on your confidence and your charisma to make this happen. I can give tips on that, but the short version is that that's a really critical part as well. All that said, that's how it mechanically works: a combination of these psychological and social factors.

So that said, oh, by the way, I will give this presentation to anyone who wants it, so don't worry about taking notes. There's a lot on the slide, sorry for that. That's it. Let's set the scene. So when I'm talking about the circumstances in which you fail upwards, you're looking for two specific situations. You're looking for the energies of these two people. I told you I'm a movie nerd, here we go. We're talking about Buzz Lightyear for a start: falling with style.

So Buzz Lightyear. I'm not sure who remembers 1995 very well, I personally don't, but Buzz Lightyear, Woody challenges him, like, you can't fly. I guess I can. And he jumps off a bed, bounces on things, sails around on a swing and sticks the landing, and he says, yeah, you didn't fly, you fell with style. That's what we're looking for. We're looking for falling with style: bold, confident and incompetent. That's one of the energies we're channeling.

Second one: Peter Gibbons from Office Space. Now I have to be really clear about this: don't do crimes. I mean, this is a really good example, but only for the first 10 minutes. So if you really want to commit crimes, I can't help you with that, but I can tell you the first 10 minutes though... actually I can't help you, but I just won't. Peter Gibbons is the energy we're looking for in the first 10 minutes. He basically goes through some life changes and then has a breakdown in the office, stops working, drops his cubicle walls, and while everyone is getting fired, he's getting promoted. That's what we're talking about today. That's the energies we're channeling.

So that said, before we dive into this, a couple more words on this: inside managers' heads. Any managers in the room right now? By the way, I am so sorry for all of you, I'm so sorry I had to pick on all of you. It's going to get worse. And stop me if I'm wrong, but I believe we can all agree as managers, we do this from the management side: there is no reason to promote an employee apart from morale. There's no motivation. You're actively discouraged in some situations to promote people. If you have an engineer who's good at their job, why would you promote them? Why would you ever want this person to leave? You wouldn't want them to be better at another job. You want them to be really good at the one they have forever, because then you're doing your job by them doing theirs. So there's no reason to promote a good employee, ever. That's why you wind up getting better jobs when you move companies rather than inside one. So there's that.

But I think the real extra thing here is that when you do get promoted, because it does happen eventually, when you do get promoted it's because you have shown some sort of contrast against your current role. Now what you're going to want to do in the context of failing upwards is we're going to want to make that contrast not just "here you are and who you want to be." We've got to make the contrast higher by dropping down where you are. So we're going to expand the contrast zone, which is going to make it more obvious. So "better value elsewhere, with higher contrast" is what we're going to angle towards in the process.

That said, last thing, I promise: a few prerequisites and then we're good. Nice to have, should have, need to have. Nice to have: some experience in what you're actually trying to do. If you're trying to be a NOC engineer, if you're trying to be a manager, ideally you have some experience that predates your attempt. That's nice to have. Should have: at least some background knowledge of the job you're trying to reach for. But you need to have a goal state at all. If you just want a better job, this is not going to work for you. You actually have to have an active goal you're trying to reach. Nice to have: a startup mentality. So if you're one of those people who's like "rise and grind," "get this bread," is that still the thing people say? I don't know. Yeah, that's cringe, right? Okay, anyway, that's helpful here. But should have: the ability, or the interest, to work outside your hours a little bit. If you work remotely it's probably fine to do it inside your hours, but this is going to require more of you outside of your normal work. Need to have: you need to be less good at your current job, and take that risk. I'm talking about actually being mediocre in your job right now. You've got to be willing to risk that. Nice to have, though, is a friend in high places. If you have a

particular favorite manager of yours, or someplace in the NOC that you're trying to reach for, as an example, then that'll help. Should have, though, is acquaintances in high places.

Hello! Hey, oh, hi man, hey, how you doing? Doing good. For everybody who doesn't know this already, we have this thing called outrageous speaker requests. When you apply to speak at BSides there's a little field down at the bottom that says, do you have any other outrageous requests? Whatever you put in that field, we try to provide for you, even if we have to evil-genie it a little bit sometimes. I had a request for tacky Vegas memorabilia, so we have it. Oh, that is so tacky. A very tacky shot glass. Oh, that's horrible, I love it. I have a slot machine... Oh my God, that's amazing. And I have a pair of socks that you should probably put on before you go anywhere else, but it says, you know, "it saves me to the casino." Oh my God, that's amazing. So that is... thank you, oh my God, thank you so much. Thank you, oh yeah, this is fantastic. You're the one who brought me that poster last year. Yes. Oh, I was looking forward to you. Thank you, thank you so much. This is so tacky, thank you. I'm going to put this in a place of honor right here, and put these over here. Thank you. Tacky but delightfully unrefined. Oh my God, I love BSides. That is truly tacky.

Okay, anyway. So it's nice to have acquaintances in high places. That's not a should have... you should at least have an acquaintance. They should know who you are, at least, right? But you need to have a high place to start off. And what I mean by that: if you're a consultant or a contractor, this won't work for you, because your company is over there, you know. You've got to have an inner circle inside your company that you're trying to reach at

all, right? So those are the prerequisites we're working towards. All that said, here's the steps, because that's actually why you're here. Once you actually define your next step, and I'm just going to use the example of management for the sake of ease, let's assume you're all going to be managers tomorrow, this is how you go about it.

Once you define what that next job is you're trying to reach for, you've got to power down. This is where you become mediocre yourself. I mean, meet your job's KPIs, don't risk your job over this, right? But you need to start powering down. You've got to start looking at this like, I've got to... I think "quiet quitting" is a word people are saying now. That's not quite that, but that's basically what we're trying to do. Effectively you're going to need to power down. It's okay, don't lose your job over it, just be mediocre at it.

And then the next thing is you're going to want to immerse yourself in the culture of the next job you're trying to reach. Now what is that? An example of this would be, let's say management for the sake of argument, you want to go to meetups or hang out with managers in general, you want to use their words. There is a culture for every job. This is where you become a member of that culture, at least in a pretending sort of way at minimum, because that's going to give you the wording and the approach and kind of get inside their head a little bit.

And then you've got to train yourself to be more likable. Now, I have some resources I like to use. One of them is actually a great YouTube channel called Charisma on Command, I think, and they use celebrities and pop culture references to illustrate the principles of how to influence and how to be popular and how to be charismatic. And that's what you want to do. You want to start working on that charisma, you know, any sort of self-help books, here's the moment. And phase one is going to take a little bit of time, but it's actually probably the easiest part of this process. It's not too bad. But the goal of phase one is: you're employable but not a rising star yet. You're not great, but you're not bad. But also, while you're actively okay, you're also in the process of becoming really good, in the mindset at least, of the job you're trying to reach.

Phase two is starting with this. This is fast forward about a few weeks, maybe a few months, depending on your process, depending on where you're at. You're going to quietly start doing the next thing's work. Now if it's management, you can do something innocuous like helping them format tables, you know, whatever, helping them send emails, right? Just kind of pick up those little tasks that managers probably hate to do and they're happy for someone else to do. But here's the thing: you can't be loud about it. You've got to be really chill. Here's where you chill, because it's going to come back to you in a moment in phase three. But right here, as we quietly do the next step without permission, it's important you don't have permission, it actually is. And part two is you've got to make yourself familiar with the next step's peer group and their management. So what I mean by that: here's where you actually start kind of introducing yourself, talking to these people, getting them to know you. It's not important that they like you. You don't have to go fishing with them, you don't have to go to the club with them, but they have to at least know who you are. That's the hope, right? So that's the intention. And then, at that point, once you've got steps one and two, then you've got to begin doing more of the next step. Just start phasing it into your rotation, just start doing this habitually and make it normal. Make it super normal that this is something you do now. It's like, why are you in the NOC? You don't work for it. Yeah, shrug, and walk away. Don't make a deal of it. The goal of this is that you just seem to be doing it better at this other job that isn't yours, right? From the stories I told earlier, here's where the lessons are.

So phase three, this is again maybe a month, six months, it depends on all the variables in your circle. But once you have convinced yourself and others, and it's important you have all that confidence in yourself and everyone does too, everyone knows this is just something you do, you just do this, it's fine, invite yourself or shadow someone into the conversations and meetings that you don't belong in. I mean, again, be chill, be cool, just make it normal. Make it normal. Just follow a manager into the management meeting, as an example, right? And doing this, this is where the, what's the word I'm looking for, this is where the social proof comes in, because here's the trick: once you're in a room and no one objects, you officially have permission of everybody. You officially do. You're in the circle. If no one objects, it just happens. And then at that point, begin doing less and less of your current job and more and more of the one you're about to do. And this is where you actually start failing your KPIs. This is where you stop doing your job well and you start doing another job better. I mean, actively, visibly, because in step three, here's where, once you've gotten into that circle of trust, here's where you express your intent to move into that role. And at this point it's going to be an interesting situation for you, because this is the point of no return. One of two things is going to happen: either they're going to talk amongst themselves, the circle is going to consult the circle, or the circle is going to consult HR, or they're going to tell you to go to HR. If HR gets involved, you pushed too fast, because they should talk to each other first. If they tell you to go to HR, then you've gone through phase two too quickly. So, yeah, phase two is a requirement for this.

But then for step four, here's where it gets interesting, because whether they accept, whether they deny, regardless of what the circumstance is, once you've expressed that intent, the next thing is you wait a little bit and then you update your resume. You update your LinkedIn. You put on your LinkedIn profile all the things that you've been doing that is not your job. Do it. Who's going to stop you? There's no LinkedIn police. This is not fraud. Well, it might be, depending on the job. Don't say you're a lawyer. I've seen that. I've seen suits. Don't do that either. Don't do crimes. Don't do crimes. But anyway, so put yourself out there as this new

person make it clear and then at that point whether if they come back to you with with the job perfect if they don't perfect because at that point stay or go becomes the next choice I think we've all been in that position hopefully maybe less than some um but the goal here for face to phase three is you're better in this other work and you will do it you will do it whether you're here or there but you're going to do this job now you've done it phase three is where you actually change into that person you've been trying to get to the whole time you just don't ask permission that's the key and you know

and you notice in phase three is where you talk about it because phase one it needs to be normal you got to normalize the job you want to have that's what's going to give everybody the understanding that you should just have the job right so that all said summing up how are we doing on time oh fantastic so much time oh I am so happy okay to sum up failing upwards is really commonplace it might as well work for you I mean this is literally happening every day we can't stop it we might as well use it right um It's a combination of normal human behavior when I say normal human behavior I mean normal human not normal

behavior because this is an abnormal thing we shouldn't do but we're going to exploit it anyway and be successful at it and to fail up you have to be employably mediocre you have to be like you can't be good you got to be mediocre at best properly unexceptional and then quietly achieve in a different space you're trying to reach and that's what's going to make the shift happen for you and then I have to be glib don't come in on Saturday and fall with style so that's that I'm sorry I had I had to do some stupid joke at the end um and that's the summing up of it now I told you I'm going to send this

presentation whoever wants it because there's a few resources so there is a lot to take in on this um I did a lot of research on this that the two articles I gave at the beginning they're here um but I think just some quick call outs um just to kind of channel the energies you're looking for again we're looking for like um the social engineering Village uh has their own YouTube channel if you catch up on the talks Charisma on command is good resource for building that building that confidence and the ability to talk and small talk like the obnoxious things we all have to do why not be good at it stuff like that

um if you want to follow some social Engineers like Elite Denise I think she currently uh yeah I think she's she's actually I think she's I think she's actually here today um Rachel tobac is another really good choice as well um and reading books is one of those things it's like we all say we read books some of us do but we all say we do here's where we actually books you should read I recommend specifically influence the psychology of persuasion uh this is the Dr Robert cialdini he's the one who wrote the six principles of influence he did from marketing uh which feels gross but it is actually a really good book on how to develop

those interpersonal skills that's going to give you that that edge right um and then also I think maybe maybe my favorite book I've read has got to be Joe Navarro's what everybody is saying what everybody is saying and xxb and ex-fbi's guide to speed reading people uh we're talking about things like the direction people's feet tell you whether you should talk to them or not stuff like that it's crazy I love it um social engineering Village if you're going to Defcon please please hit these guys up um and then yeah my LinkedIn is the bottom there it's uh yeah so you can it's a poorly tended Garden I probably I will accept it and then probably like

not look at it for weeks but I will get back to you promise um that all said we actually have a lot of time for questions because I was weirdly quick today so oh thank God there's questions yes

Oh, microphone. Okay, sorry. I'm going to ask the question again: you talked a lot about it being important to be mediocre in your current job. Can you speak more to why that's important? Yes. I think somewhere around slide five or six I mentioned very briefly that you're looking for contrast. The reason why you're looking for contrast is because it's not enough to just be better at another job in most cases, because you're not going to get as much visibility doing it that way. Being mediocre at the other job is going to give you that push, so it's a pull-and-push effect. So I think it's a combination of higher contrast and a push and pull on the process.

Hi there. I love this presentation, because I kind of accidentally did all that in my previous job. So that's social proof that he's right. Excellent, excellent. The one thing that I had trouble with in a previous attempt to do this was doing something where it just didn't exist. There was no social circle at all. How do you do this where the company has no impetus, no people, no circle for the thing that I want to do? Oh, see, that's the exciting part. If you're in that situation you've got to pivot a little bit. There's a circle somewhere you have to impress. If you're trying to go into a different space, not the one you're entering, and you have to build the space yourself, then you probably just want to swap the circle for management. Just make it about management and then just start doing the job. Yeah, good, that's a good one.

Oh, yes, hello. How does your failing upwards compare to the Peter Principle? Because it seems like a bit of an expansion of it. Sorry, can you say that one more time, please? The Peter Principle was a book published in 1969 about people rising to their highest level possible and then a bit more, due to incompetence, and that's where they tend to stick. Yeah, honestly, it is very much an expansion of that; you're right. No, I hadn't thought of that; that's a good point. I think the interesting thing about it is that this process doesn't work very well in properly egalitarian societies. For example, if you do this in Denmark it won't succeed. It has to be like a late-stage capitalist, Reaganomics sort of situation. Greed has to be part of this, or it also doesn't fit, for some reason. It's weird, but you're right, absolutely. It's based in expansion. Good point.

Yeah, you, sir. Would you consider attending BSides LV a phase three activity, and if so, what are some of the actions or activities some of the people in this room might be able to do while they're here? I am so sorry, I did not quite catch all that; one more time. Would you consider attending BSides LV a phase three activity, and if so, what are some of the actions or activities that some of the people in this room could do while they're here? Yes, okay, thank you, sorry for that. Good point. Let's go back to phase three real quick, just for visual reference. Okay, so actually I would consider BSides probably more of a phase one situation, because at this point it's phase one, step two. This is where it's going to be immersing yourself in the next step's culture. However, I know that there are some people hiring out there, so you could just bridge the gap. So it's entirely possible to do both. All right, anyway. Oh, sorry, yes.

Hey, how's it going? I really love the presentation. I just wanted to ask if there are any tips for high-functioning perfectionists that find it difficult to be mediocre. Oh my God, my people, my people. Yeah, actually, unironically, I actually have a tip for that. Just express that anxiety in the new job. Just pivot focus; focus the perfectionism on the thing you're trying to achieve, and then at that point you're probably too busy to be good at your... Do you want to take one more before the transition? Oh, I'm good, I have to stop sometime, right? Drake, how many more minutes till we transition? Ten. Oh, fantastic, let's keep this going. Yeah, who's next? Oh, there he is.

I'm just curious how your tactics have changed now that everybody's gone remote, because being in person it was a lot easier to just kind of stroll in behind somebody to the meeting. Now we have to get the invite. Yeah, that is actually a really good point. So let me just repeat the question, make sure I got it right: how does the remote side of it factor in? Okay, yeah. That's actually easier in some ways, because you can basically just piggyback on a Zoom link, you know what I mean. The thing is, unless it's actually a properly locked-down virtual meeting, you can just show up to them. I'm not going to name brands, but there are a lot of brands where you can literally just find the link, if you're willing to scrape, and you can even get into these meetings without permission. That's not a thing. That's not formal advice; I'm not going to give you advice to do crimes. Here's me not advising crime. But you could totally do that. But that aside, socially, that's where it gets interesting, because how do you establish a rapport virtually, right? A couple of tips that I found were really helpful: everyone does this thing, and I think we're all guilty of this, we're in a virtual meeting and we can see up each other's nose because the webcam is down here, you know, or we're square on, like this, square shoulders. It's a weird psychology, but if you actually pivot slightly to the side, put one shoulder back and just kind of relax into it a little, then you're going to feel more confident because you're more comfortable, and you're going to look more confident because you clearly feel comfortable. So just be more comfortable on camera; that'll help. If you're in a company that is like "no webcams," you've got another set of challenges there, and I can't help with that.

All right, Ops gave us two more questions and then our next panel is ready to roll through. I already told this person they could go next. Yeah, where do you tend to find most people fail in the process, what step along the way? I'm sorry, one more time. Where do you tend to find most people fail in the process? What step is the most difficult for people to overcome? Yeah. I really relate to this gentleman here with the fashionable beard; you could be a social engineer with that beard, by the way. So I relate to his struggle specifically, because I don't like failing. I don't like making mistakes. I really don't like being mediocre. My mother would be disappointed in me, right? So I can't handle that emotionally. That is usually the hard part for most: the idea that you have to just be not good to be better. It's very counterintuitive. So it's one of those things where you've got to be at peace with that, and that's easily the hardest part. There's no specific failure in the process; it's just that mindset that's a challenge.

Can I see the hand of someone who hasn't already asked a question? I will be here to talk to you, by the way. That mic might be on; [the next panel] is ready to set up. Yeah, how do you feel LinkedIn falls into all of this? How does LinkedIn factor in? Well, good question. It's amazing what you can get away with on LinkedIn. It truly is. Are you aware, by the way, just a pro tip: GitHub has repositories of all the answers for all the quizzes. So these little knowledge quizzes, you can actually go to GitHub and find the answer sheets for them. So, you know, there's that. So don't trust those quizzes, but they sure look good to HR, don't they? No, the thing is that it's really just about self-promotion, and the reason why it's so successful for people, other people, like me, I suppose, is that it's a quiet sort of promotion of itself. It's more like you get to talk about yourself but you don't get to brag; it's just a statement of fact. Let's talk about GitHub, right? Same story: if you have a GitHub repository, that's street cred, right? So it's like quietly promoting yourself without actually promoting yourself, and in that sense that's exactly what we've got to do, because the whole point is normalizing the job you want to have. So if you just say what you're saying with the job you clearly have the skills and abilities to do, and you put that on LinkedIn, that just establishes you to the public that this is who you are. So, yeah.

And I guess they're going to take my microphone away at some point. They still have those hooks, by the way, from those old-timey shows. Oh, five minutes, oh sweet. Stage cane? Is that what they call it? It's actually got a name; it's called the stage cane. I learned something today. Oh, okay, I learned something today. Thank you. God, BSides is so informative. We're going to start setting up, okay, so I guess I'm going now. But yeah, just hit me up after this. I'm going to be carrying around some socks and some stuff.


hello hello check check okay come take a seat come on more than Marianne okay so we um we did this talk actually last year with Kathleen as the moderator and me as one of the guests and we get to all switch around I get to be the moderator this time and ask the questions and I've got Kirsten Lauren with me here I'll let them each do an introduction and then I'll blab on in my not Australian accents please keep the accent and it's the most interesting thing we have yeah it's the most interesting I think you're gonna say it's the most interesting thing about me and actually some people do find that so that's okay

um yes so ladies after you all right I'll start with can we all give a shout out to Kathleen Smith who's not physically with us she's here in love and spirit and Higher Ground is her baby so she's probably watching this so we should like wait we love you we love you we miss you okay I am Kirsten Renner also known as cranner I had cooler handles back in the day but they didn't stick and that's sad uh I've been recruiting for decades and although I'm not currently recruiting I stay very engaged in talent and what makes it work so hope this is uh fulfilling for all of you and we'll be here for questions afterwards

hello I'm Lauren sheer I had not heard of this conference until about two months ago Kathleen reached out to me so super excited to be here and you know get to know all of you and be a part of this but I am a talent acquisition business partner which is a fancy name for a recruiter at Aristocrat I've been in recruiting for about seven years now been in Las Vegas the whole time I'm born and raised and I went to an lb and do you have a nickname all right so so I challenged you all throughout this discussion to think about what handle we should give her she's this is her first con right you

you you deserve a handle so we're going to figure one out for you by the way she whipped up this slide really quick we showed up without slides so keep that in mind when Solutions provider there we go um I'm Chris rides I'm the president of via resource that's quite a new title for me actually uh I founded a company called Tyro security about 10 years ago Professional Services Company and a cyber security recruitment company I just merged the recruiting arm with via resource that is a British firm uh actually one of my friends started uh back there that's they've been going for 12 years so we merged together we cover the UK Europe Middle East and here in

the United States I've been involved in the industry for quite a while now uh founded the cloud one of the founding directs to the cloud security Alliance Los Angeles chapter and a couple of times I've been president and been involved with b-sides for a long time and some of the other conferences and love it and my nickname actually that nobody uses here is ride Z that was it rides it everybody call me ride Z and then you know when I'm in trouble with my mum and dad they call me Christopher that's as we all know that's when we know we're in trouble so let's let's jump into the questions uh first things first what is

the difference between a direct recruiters and staffing firms Kirsten do you want to have a go at this one I'll have a go um excuse me the difference between like an internal corporate recruiter and a staffing firm um I think and there's going to be this might be I should have read the questions I'm not gonna I'm gonna try not to go into what I think might be one of the next questions because there's reasons to use both I highly encourage um taking advantage of both but the corporate recruiter is is working obviously directly for the hiring organization whereas the agency recruiter they are uh they are working for multiple hiring organizations right so they're almost

like your agent they're like you're Jerry Maguire right they are um they're they're your agent they're fighting for you to explore multiple different hiring organizations so hopefully that makes sense and raise your hand if it doesn't yeah and I can elaborate on that so I'm an in-house recruiter so I work specifically for Aristocrats so any positions that I'm filling are going to be for Aristocrat right um but we sometimes as recruiters cannot fill positions so we actually use agencies to support our hiring as well so I have you know a relationship with five different local agencies and I'll reach out to them depending on the type of role I'm filling so sometimes you know when you guys are getting contacted

on LinkedIn different things like that email it could be a direct recruiter right from the company but it could also be an agency so if you're ever not sure you can always look up that company that they're reaching out to you from and find out either way it's a good thing to be contacted yeah why not right now yeah we're very very selective and Accenture rare work about who what agencies we'll work with and we work with his agency because they're really good we're getting there thanks for saying that it doesn't come across so well and I just say it about myself right it's true um yeah it's so I've been in on the agency side of recruiting myself uh for

it's my 24th year I know what you're thinking Chris you look so young there's no way how could that possibly be yeah or maybe not got lots of gray hair um but it's really interesting we work with multiple clients as these guys mentioned we we actually find that our best relationships with our best clients so when we've got recruiters internally that we work really well with um and so that's really important if I look at our relationships with our best clients it's ones where the recruiters want us involved they uh we work together in a partnership we learn about the company so we're an extension of them um so yeah that's a big difference you

can often ask them and and often they'll tell you as well whether they're working with multiple roles or not um so yes so there's some differences there and then we went on a little bit as to why we why you might use one or another but I think going off onto sort of Outreach like interview processes that sort of thing can you guys describe what your process looks like in in your businesses so the initial Outreach recruitment interview and onboarding practices and I'm happy to share what it looks like from a an external third-party recruiter okay um so I'll say like in a perfect world situation as a recruiter so I will post the job I'll work with the hiring

manager who could be anywhere from a supervisor manager director VP depends on the level but we always call them hiring managers and they will you know give us their qualifications what they're really looking for in that perfect candidate so I go out I look either on LinkedIn if I'm not seeing the Talent come through our application system but if I do see the talent right that's the perfect world scenario I can find the candidate I need so usually candidates will be reached out to by a recruiter they'll have a phone screen which is usually just a 20-minute phone call from there if I confirm qualifications meet salary expectations align um you know all the boxes are checked

then we'll move you forward to a hiring manager interview that can either be just very like behavioral focused or sometimes that's really technically focused right we want to check the technical qualifications before then getting you in front of maybe the second round or final rounds where you're meeting with maybe higher-ups or different team members or sometimes we'll do like partners that you'd be working for in the business um so just people you'd be working with basically right we want to make sure you're getting to know the company the culture understanding what we're really really looking for in the perfect candidate but also giving us the opportunity as the business to really get to know you and what you could

provide as well and so all throughout I'd say it depends on the role right some positions move really quickly people aren't on vacation we can you know have that perfect process so I'd say anywhere from like when you apply it could be two weeks that very very quickly right but I'd say plan for like an eight week process so similarly uh when the when the hiring team identifies that there's a hiring need they're they're either it's internal on their team internally or it's a customer need the customer comes to them and says here's what I need here's how many positions there are the recruiting team will start doing intake calls with those managers to understand

the position now if it's a brand new position they've never done before they have to do an intake to understand the requirements they want to know all the nooks and crannies every little detail like if I'm doing an intake or one of my recruiters is doing an intake I want to know everything I want to know what the work environment is I want to know what the team looks like I want to know what parking is like I want to know everything about it so I can put it in the in the like cell area of the requisition so we so the recruiter can really speak to the position but then when the recruiter starts sourcing and

getting in touch with people so there's a big difference between when a recruiter starts to search for the people that they think meets the requirements and then actually getting in touch with them getting a response from them there could be a huge gap in in between there also because we have relationships with agencies we're doing intakes with them too take the time to speak with them and so that they understand a lot of agencies that are doing I don't know what the term for it is but where they're just like throwing stuff at the wall and they're like uh I'm going out there and this is this is this is typical that's why they're atypical is

those agencies are looking for their shot they're going to look at the company names they're going to look at their job postings and they're going to start doing searches I call it a non-authorized search right so it makes sense if you go back to one of her original points when you're the candidate ask uh are you do you work for the hiring organization or not right so just so you know what you're doing and then the recruiters should build a profile for the individual so they shouldn't be just thinking about the job in my mind as a recruiter to do the best job you should not be trying to fill the job you should be speaking to the human being finding

out what they really care about what they really want what they really need what really makes them tick and then you've built a profile for them and then you kind of do some searching for them too there's going to be things that you're aware of or that you become made aware of on the recruiting side that before it ever goes gets posted or before the requisition ever gets submitted you realize that team XYZ is either going after this big proposal or they just won this new piece of work so you think of that candidate you have such a good relationship with them and you keep them tight in your particular pipeline that you know you know what and

you say to them I noticed that you applied for ABC however here's this other thing I want you to keep in mind or here's this other team that might work good for you so I want the recruiters to and they do take it to the next level and really care about the human and really be actively helping them seek out what would be the best fit for them so the process I can't put a timeline on it because and it sometimes it takes months and it should right because you don't want to be Force fit into the first thing that you check the boxes for you want to be you want to be matched up like as if it were dating not

that I have dating experience but if I did I would imagine that I would want to get matched up with something that's going to last for a long time no hookups I am yeah and and I think well I mean I don't want to put pressure on on Accenture but our last placement with them I think we had an offer uh it was like a week and a half like we had verbal offer like so things happened really quickly so they can happen super quickly in all sorts of businesses that's impressive is that you Drake did you do that that problem so things things can happen really quick and he's hiring then yeah Drake in the white hat

um yeah we like we we have clients with all sorts of uh different lengths from fangs where we are seriously talking about months like nobody's getting a quick job uh at some of those um and then to startups where we're helping to build go to market teams or you know we work with cyber security startups so some of those if they're in their early stages seed or series a they might not even have an internal recruiter yet so we we are there internal recruiter and and I can think of one where we sent the resume on a Wednesday they interviewed the person on the Friday uh then they met the person for dinner Saturday and the person had a

written offer on Sunday and sent it back Sunday afternoon so things can happen like that is insane I would just say a long time in recruitment I don't see that very often but things can happen that quickly um and and so you know you never know when you know you might have been looking for a role for a while and then all of a sudden things can change tomorrow so it's important to it's one of the reasons why it's really important to stay very positive during your job search because things can rapidly change in terms of the process our process pretty much follows exactly what Lauren and Kirsten have said we're talking about us initially taking the job

description, usually with a hiring manager and perhaps one of the internal recruiters on board, and we'll go through it, because quite often there might be a little bit of a difference between some of the job descriptions that we see and what people are actually looking for. So we might ask things like, right, when you get your very first resume, what are the things you're looking for? It's funny how you ask those questions and actually what they're looking for isn't necessarily the things that are at the top of the job description. So we can find out lots of information by following through little processes like that and trying to get into the minds of different hiring managers. We also work a little with the process, so we might find out who else is involved in the process. If we get an opportunity to speak to everybody in the process, which is rare, but if we do, it's making sure that everybody's looking for the same type of person. And then one of the key things I always say to people is, if it's your process, make sure everybody in that process understands what their job or their role is in the process, to include you: you, the candidate, are part of the process. So I encourage you, as you're rolling through the different stages that she was describing, to say, what can I expect next? Some recruiters, and I was one of them, were very poor at not dropping the ball; not intentionally, in my heart I wanted to never drop the ball. So don't be afraid to reach out to the recruiter and say, I haven't heard, should I be concerned? Sometimes it's not intentional; it just depends on the volume and it depends on what's happening. But if it seems like things are taking too long, reach out and find out, and ask as you're going through the stages that she

was describing: okay, I had this, when should I expect to get that next phone call, or when should I expect the offer to come into my hand? Probably not on a Sunday, most of the time. Yeah, and it is one of those things where we'll try and manage your expectations. We want you to have a rough understanding, so it's not like, what you said last time, this person got an offer on a Sunday, well where's my offer? Okay, well, it's not always the same, so we try and manage expectations where we can. And every recruitment process, even within a business, will differ a little, so hiring managers might have their own processes; as I said, they might look for different things on resumes, so you've just got to be aware that everything can slightly change. And on that, to add, we are all humans, so we do make mistakes. Generally the people that I know and respect don't ghost people; if you don't get a message back it's because we didn't see your message in the first place. You've got to bear in mind that even a year ago, when the market was really tight in cybersecurity, we'd still get quite a lot of job applications, and if you're looking for a senior person we'd get quite a lot of job applications from people trying to enter the industry, and so that gives us quite a lot of people to get through. And right now I think we've probably seen a tenfold increase because of people that have been involved in RIFs and been laid off; they're applying for jobs that maybe they wouldn't typically apply for if they were in a job. So the volume of people applying has gone up and it's much harder to find the people in that big pile of resumes. So I think, while we're talking about resumes, this might be a good way to

maybe dissect what great tips you have on writing resumes, what people should do, what they shouldn't do, how the ATS systems may or may not work, all of this juicy stuff that people are always busy trying to hack the system with. Right, Lauren? So my biggest thing with resumes is you don't want the recruiter to have to ask a question. If I'm a recruiter and I have 30 applications for a data engineer, I have to go look at every single one of those resumes and see the skills, the years, what companies they've been working for. On average, I always forget, I think it's like 45 seconds we look at a resume, something close to that, and that's 100% true. We meet with the hiring manager during that intake call, I get the five top skills they need and the years of experience, and that's what I'm looking at on a resume. I'm not reading every single bullet point; I'm looking at the number and what's supposed to be there, and if it's not there you don't meet the qualifications and I'm moving forward. So my biggest thing is making sure you have the right information, and the way you know that you have the right information is by looking at the job description before you apply. We get so many candidates who just apply, they just see the job title, and then when I'm on the phone with them they don't even know what job they're interviewing for, which is a really big turn-off, so don't do that. But yeah, read the job description. It should say clearly, like, you need three years of experience; okay, if you have three years of experience, make sure I can very easily see that on your resume. If you need Python, make sure that's listed. I always love a resume where, at the top, and I think this might be controversial, people have a summary. They'll have a goal, they'll have an objective statement. I say it's great because it can really highlight, hey, like

I'm a data engineer with four-plus years of experience, my main skills are XYZ, and I'm looking for a new opportunity because X. That just lays it out for me; I don't have to follow up and ask any questions, and you're making my job really easy. So that's my biggest thing: look at the job description, see what it's asking for, see if you have those skills and that experience, and then make sure it's being shown on your resume. Another big thing for me is clear formatting, and that's, again, so it's easy to read. Make sure your format looks nice, things are outlined well, it's clear where you have an education title, you have your professional experience title, you have your skills, so I can easily navigate your resume. And in my opinion, we'll see what everybody else thinks, but I like a one-page resume, because again it's all right there. I've gotten 10-page resumes and it's just like, what are we doing? I don't need your whole life, this is way too much, and I'm not going to read it all. So you want to put as much content as you can in a precise, summarized way in one page if you can. I always say, okay, if you're an executive, you have years of experience, you've done a lot, you're serving on boards, yes, two pages is fine, but I don't think a resume should ever be more than two. Do you agree? I do not, but that's okay, because I'm technically not a recruiter anymore, but everything you said absolutely makes sense. I don't want to steal his thunder: Drake's talking at two o'clock about career development and he has a whole section on resumes, and he's really good at helping people rewrite their resumes. There are services for writing your resumes, I don't know, sorry for people, oh [ __ ], I was just about to say, sorry, if people pay, I wouldn't pay.

But yeah, so a good recruiter is going to help you redo your resume. However, one point that she made that is very valid and fair is you get resume fatigue; you can only read so much. Although I'm not going to say this is the number of pages you should have or you're allowed to have, it gets to the point where it's impossible to limit it to a certain number of pages. You should be ready to customize it per the job. Every compliant job req has to tell you the difference between what is required and what is preferred. So let me say that one more time: a compliant job requisition makes it very clear, this is required, this is preferred. So hopefully the employer did that; now you know. However, I also believe there's a way around almost everything. You've got to understand enough about what you're looking for that you can speak to your equivalent experience. I don't want to screw this up and get it technically wrong, because I'm not super technical, but if it says you have to have JavaScript but you have Perl, speak to that. That's just a random example. I think that, if I said I could only tell you one thing about your resume, it starts with one sentence. It does not have to be a dissertation: I'm a this and I want to be a that. Never assume that the person who sees your resume... because it just has to go through layers. Depending on the size of the organization, you may have to get through multiple layers before a recruiter sees it, then before a hiring manager sees it, and it might even go through some filters. There's applicant tracking systems, most of which, by the way, are very awful, so you might have just gotten filtered out because of this stupid technology. So say: I am a systems engineer looking to get into a solutions architect job. Hard stop. Now I

know. Now I don't have to try to figure out, by looking at the multiple things that you've done over multiple years, I wonder what this person wants to do next. If you tell me, then I'm going to dig a little deeper. So she said she's not going to read all the pages; neither am I, but if I know that you want to do the thing I need you to do, now I am compelled to read for longer than three seconds, then five seconds, then 30 seconds. So you're going to customize it, you're going to start off with exactly what I want to be, and then also keep one more thing in mind: those applicant tracking systems, some of them get confused if you put fancy graphics on your resume, if you put little boxes or, and I've made this mistake, columns. Please stop with the columns. If you put little squares around it or whatever, the more you put in your resume that isn't a letter, a character, the applicant tracking system is just going to not understand, and it's going to reformat it and then we never see it. I feel like I definitely had something else but I can't remember. Can I add something real quick? Yeah, go for it. Yeah, I was just going to say, like, we read them very quickly, we're looking at the qualifications, but I do want to say that everything that's on your resume does matter, because what's going to happen is, if I see you meet the qualifications, I'm compelled to keep reading. Now, do you have the preferred, do you have those great things that the hiring manager is also asking for? And then if it's like, yes, and I think I have a really great resume, I'm going to send it to the hiring manager right away, and they're going to read probably every bullet and really learn about your background, and be prepared to really dive into that when you have that. So I don't want to disregard all the other content, and when you put time into writing those bullets, explaining you

know, the impact you made in your position and what you were doing in your jobs, because that information is important. It's just, as a recruiter, when we get that resume, we're really just skimming it. Yeah, I'll tell you a story about that, because I know it upsets some people that we don't read the whole of your resume, and I know it's really important to you, it's your career. The better your resume is written, the more of it that's going to get read. I had a security person send me a 55-page resume, and obviously I opened it up. Yeah, that is too much. I opened it up and I was like, whoa, okay. And so I spoke to them on the phone, and I was dancing around a little bit, and I was just like, okay, so have you got another resume? Because a lot of people have more than one resume: you have a general resume, and people sometimes have something that goes through ATSes and stuff, we'll talk about that in a minute. And the person responded and said, yes, I can send it across to you. Brilliant, send it across to me and then we'll arrange another call. 70 pages, the second resume. So yeah, this is not a made-up story. And so I had a conversation with them, and the person got really offended and basically said to me, look, if the client's not willing to spend the time to read through my resume and understand my experience, I don't want to work there. To which I said, okay, I understand, and that was the last time we spoke. I don't know where they're working. But what I will say is, you've got to think that part of your job may well be writing reports, being concise, being able to put information down that's understandable, and if you want to increase your career and move up to executive levels you've got to be able to write executive summaries. So if your resume is this huge long

document, the first question I would ask as a hiring manager would be, can they not do this concisely? Can they not get the information across? And so I would say that I think one-pagers are fine if you're early stage in your career, and also it's different across industries as well. If you're a marketing person you might have a much nicer, graphic-y resume; it might be a bit different from a cybersecurity point of view. If you've got experience, you're probably going to want something that's readable, and it's at least two pages. I don't get hugely upset if it runs to three; two to three is your ideal. And ways you can cut that down: anything over 10 years ago, you probably can just put your job title, the place you worked and the dates you worked, and that's enough. I agree with the summary. Sometimes, for some clients, they request that we add a page. I know that sounds strange, but what we have to do is qualify the candidate, and in that summary page we summarize how we qualified them, why they're looking to move, what are going to be the buttons that are going to get them to make that move, salary, location, all of these sorts of things. And some of the stuff that Lauren talked about in that first sentence covers that, and what you want is somebody buying into it. You're trying to catch their attention so they do spend the extra time. So that's just my little sort of tips on resumes, and I think you've got to remember a resume actually probably doesn't get you the job, but it's designed to get you the interview, and that's the key. So if you're writing something that works for an ATS, has loads of random words written on it or something, bear in mind that if it's successful and it gets you through the ATS, the first person that reads it is going to be like, this is a mess, and not want to spend any more time. So you're

just getting yourself along the process one tiny step, but then you're going to cut yourself out of it anyway. So just think about it from a hiring manager's point of view: I have the job description here, I have my resume here, would I want to interview myself? Are there any projects I've done that are relevant just for this job? And as Kirsten said, every time, right, every time, a new resume for a job. I know that makes it difficult if you're applying for a lot of jobs, but you're much better off applying for a smaller number of jobs and sending quality resumes than you are doing it the other way around. If I can go back: if you know that what you have on paper looks like it might not be a match, but you hope you get the opportunity to explain why you feel you're qualified, and you can think of a million examples, I would then go to LinkedIn, and I would look, you can search by title or you could search by name, when you look for the employer that's hiring, I would look for people with the title recruiter, and I would say, I noticed you're hiring for this, I applied, please let me know if there's anything else you need from me, something to that effect. If that doesn't work, you could do the same thing with whoever you think might be the hiring manager in that team. That might be just what you need to get bumped up; they're going to go maybe even look in the applicant pool that they haven't even had a chance to look at yet. And that is also your opportunity to say, I noticed you're hiring for ABC, which requires blah blah blah; you're not going to see that on my resume, but here's what you will see, or here's what I'd like you to keep in mind. Keep it short, but that's going to be the trigger to compel them to take a look. So especially if they have something automated set up that is going through the applicant pool

and filtering out the people who don't have that keyword that you don't have, but you have something equivalent that you want to speak to, that is your opportunity to do that in a personal message to the recruiting team. And I know in our industry not everybody loves social media or putting a lot of information on, but honestly, finding a role for yourself is much easier if you've got a LinkedIn, whether you like it or not; that's just how it is. Maybe at some point we'll see people using them completely instead of resumes; we've had a couple of clients do that, but it's really rare, nobody's doing it really that way yet. Yeah, I was going to say, I know I'm big on the one or two or even three pages for your resume; if you want to talk about your children, you want to put everything you've ever done, LinkedIn is 100% the place to do it. Include your LinkedIn profile URL, make sure it's professional, at the top, and that it works. There's so many times I go click on a link, and I'm excited to look at their profile, and it doesn't work. But yeah, I source a lot, and LinkedIn is the number one place I go to source. So we have a thing called LinkedIn Recruiter, that's like the back-end side, and I can search by location, keywords, skill sets, years of experience, university; they're endless. So anything that you're putting on your profile I can search, and it's either going to bring you into my search or remove you, so the more information you can be putting on LinkedIn, the more likely you are to be found on LinkedIn as well. And if you want an idea of how effective LinkedIn Recruiter is: if any of you sort of had a Sales Navigator license or something to allow you to send messages, recruiter licenses are between six and seven hundred dollars a month for one person, and they generally don't do

much discounting, so if you've got a big recruitment company with 100 people you're paying 100 times that. So if there's that kind of value being put on it, that's why they're going to make use of that tool. All right, good. Have you found some ways that job seekers don't prepare very well for interviews? Of course there's some people that are very prepared and some that are not. Where to start? So in general, we'll say with a recruiter screen, that's how you're going to get your foot in the door and get that opportunity to talk with the hiring manager. Do your research on the company. Whenever I'm talking to hiring managers in that intake meeting, I ask them, are there any questions you want me to screen them on other than just the basic qualifications? Because really that's the purpose of the call for the recruiter: hey, do you meet, are you crazy, are you a normal person, okay, let's proceed. So I'll always ask, is there anything else? And if it's a leadership role, they might say, ask them their leadership style, how do they lead their teams, or how many direct reports have they had. If it's a data engineer, and they're a really close-knit team and they work really well together, that teamwork's going to be important, so they might ask me to kind of dive into their teamwork and how they like working with others. So be prepared to talk about your experience, but more importantly about the company and the role, and show that you actually read the job description and what it entails. And also be prepared to ask questions. As a recruiter, it's my job to make sure you don't really have any questions and I'm setting expectations, so I love when they're like, oh well, you answered all my questions, I actually don't have any; I'm like, cool, I did my job. But be prepared with questions as easy as, why do you like working for the company? Cool, I can always talk about

that, and it's going to give me the opportunity to get you excited about the position. Or, what's the culture like, or what's the hiring manager like, what's their leadership style, how do they work? You can come up with a list of 50 questions if you really wanted. So when people tell me they don't have any questions, I automatically think you're not actually interested or really care about this role, and I get the same feedback from my hiring managers: if a candidate doesn't ask questions at the end, they're like, I don't think they really care about this opportunity, they didn't ask me anything. Another thing with preparation: I know Zoom, video calls or video interviews, are really, really big. I always get feedback like, oh, they were sitting in their car on their phone; oh, that stinks, they really didn't take the time to prepare, find a quiet space so there were no distractions. So it's all the things: it's how you're talking, how you're preparing for it, but also your setting, what are you wearing. Everything you're doing is showing the person how much you care about the role. And then smiling is important; you want to smile, it makes them smile. Yeah, I think that's it, I'll hand it over. Okay, I hope I remember everything. A couple of things, just a side point: there are people who work in specific work locations where going to the car is the only choice they have. There's also situations where they can't get on camera. I coach my managers to understand that, a, it might be because of the limitations within their work environment, and/or, if they're not comfortable getting on camera... This is a super controversial opinion via Kirsten: do not judge. What could you possibly, as a hiring manager, ascertain from physically seeing someone? In my opinion, no bona fide occupational qualifications can be measured by what you look like. If you're not comfortable, that's okay with me, and I coach my managers to get over it.

That's just me. And plus, I literally have people who work for customers where the best they can do is take a train to a shuttle to a car to a parking lot to talk for five minutes on their phone, and that's the best they can do. I just wanted to make that point; I do understand that that's a thing. And I'm highly supportive of the neurodivergent community as well, that may very well just need it to be a certain kind of way for them, and you should accommodate that; managers should accommodate that. Sorry, I just got a little emotional about that. So would you agree, though, that as the candidate it's your job to set that expectation? So I mean, if a candidate ever said, hey, I don't feel comfortable being on camera, it's like, okay, cool, thank you for letting me know, I'd let the hiring manager know and we'd continue in that process. But I think, if you were to just, like... it's setting expectations, I guess, and presenting yourself. Yeah, it goes both ways. So she as the recruiter, or you as the candidate, are going to let each other know so that no bad assumptions are made. Just let each other know; it's a personal situation, let each other know. I love that Lauren talked about questions. Questions are important. I think that you, the candidate, should take that opportunity, and we'll talk about this more at two o'clock, but take that opportunity, when you are offered questions, to turn the conversation into a personal conversation that you're having. This may be the most important, revealing part of all the interviews that take place, particularly with the managers more than the recruiters. This is when you're going to say, what have you learned, why did you choose to work here, and also, especially important: I heard someone say something with regard to managers, it's not their job to promote people. I personally believe, and I learned this in going into a manager role and

then an executive role, that my most important job is to promote the people under me. Literally nothing else matters. And you've got to give me one quick second, I'm sorry, timer guy. There was a time when I rolled in and I was trying to impress my boss, and we were looking for, I don't know, we were looking for an Elastic engineer, we were looking for something nobody could find, and my team couldn't do it, sorry buddy. And I walked in and I was like, guess who found an Elastic engineer? And I thought he was going to go, you are so amazing, and he goes, that's not your job. Damn. But it isn't my job. It is not the manager's job, ever, to take credit for anything, and their greatest responsibility, all the way up the chain, is to lift up their team. So ask those people on the hiring team who they have promoted and what opportunities they have created. That's very important for you as a candidate to figure out: can I grow in this place? In my opinion. Yeah, I agree, I mean, that's good management, and hopefully you rely on the fact that good managers see that about you; they see that the people below you are doing really well, and they don't think it's that they're doing amazingly well, it's that you're managing that process really well. So yeah, I absolutely agree. And the other thing I would say is, you can only control yourselves. So if you're a hiring manager, you can't control whether the candidate turns the camera on or not, so you have to deal with your feelings: how do I feel about this? And likewise, if you're a candidate, you can't control how the manager is going to feel about you having your camera on or off, so manage the process yourself. So we set things up when we have conversations with our candidates; we'll prepare them for the interview, and part of that will be, right, are you comfortable

being on a video call? If you wish to have your camera off, ideally we know that in advance and we can tell the client that, but also we like our candidates to approach the subject: oh, just so you know, I'm doing this, or, I couldn't get any time off work, so I've come out in my lunch break. Oh, wow. It turns from, this person couldn't make the effort to find somewhere, you know, in an office or something, to, wow, this person is going to spend the whole of their lunch break talking to me instead of going and getting a sandwich. So you can control that narrative, but you can only control what you can control. So, right, you've got to work in this gift or you haven't, man, but if you have... you understood? Yeah, just communicate; is that what you're saying? Sorry, it's all right, we've known each other for a long time, we do that. So, two minutes left, which means we've got two minutes for questions. Does anybody have questions, please?

Okay, so Jen was asking about bullet points on a resume, what works better, Lauren, Kirsten? For bullet points, yes: have your bullet points explain what you've been doing, the impact you've made. I always say, if it's, let's say, a waiter, don't put in your bullet points exactly what you do, because I know what a waiter does already; most people know: they're greeting customers, seating people, things like that. So write what I don't know about you and what you did. Use those bullets to your advantage and put those achievements, the impacts that you've made. But yeah, I always say also most prevalent: whatever job you have that's most prevalent, do more bullets in those areas; if it's not as relevant to the position you're applying for, keep it at like three. Can you repeat the question real quick? Oh, what is your feeling on bullet points versus putting words in commas to save space? I think, like Lauren said, remember, if you're customizing it per the job, you're comparing it to what's being required, and you're kind of doing a matching game between what's required in the job description and what you want to make sure that you highlight. And then another really important point that Chris made: as you start to get to the point where it's too many pages, hope we never get to 17 or 55, that's when, if you're old as dirt like me, if it was over 20 years ago, all I do is list a date range. I even have a section on my resume that says consulted, and I don't even list all the companies I consulted with. So you're going to talk about the things that are most relevant and, as she stated, most recent. Yep. What is the panel's opinion on, you said previously that you only want to apply for jobs that you are qualified for, how

does the panel feel about that, when I have heard a lot of people, including recruiters, say if you meet like 60% of what's on the job description, just go ahead and apply? I'll take that. There are some things that we don't have flexibility with, so customer XYZ says these are the requirements, they have to have this certification or they don't. This is the part where the recruiter is going to notice that you're close, have a conversation with you, and be able to speak on your behalf and say things like, in the process of obtaining Security+, which is a requirement. In fact, there are moments in the negotiation process where you have been deemed capable of the skills but you don't have the certification that the customer requires, and your offer could then say, offer contingent upon obtaining such-and-such a certification within a certain period of time, and the organization will help you with that. So it's going to come down to the conversation, the intake: you're talking to Lauren, and she'll let the hiring manager know too, because she's working on your behalf; she's going to say, although James does not yet have this thing that is required, he's taking his boot camp to get the thing. Does that make sense? Yeah, and you can also put alternatives, so if you've got a job description that says it's desirable to have somebody with Splunk, you might want to put, well, I've not used Splunk, but I've used ArcSight, or, I've got years of experience with another SIEM, something like that. So that shows, okay, it's probably not going to take too long for you to pick this up. Now there may be other ones that say you absolutely must have Splunk; in that case, I mean, you can still apply, but you just have to understand that might be definitive. Like, we have one customer that has a really complex Splunk integration, and it's just

too much of a jump for people to come if they've got no experience of it at all, and so for them it's a hard yes or no: if you've got it then we'll consider you, if you haven't, you haven't. So yeah, I would say you can absolutely apply, but just manage your own expectations, and people get upset, they're like, well, I had 70% of what was on there, but you had the 70% that was desirable and not the essential. This is also your chance to do that LinkedIn note thing, or a cover letter, or a cover paragraph that says, notice that I don't have this, working on that, or I have this equivalent thing, especially if it's a note to the recruiter. I mean, as a recruiter, would you agree? Yeah, this is your opportunity to say, please note, I don't have this thing, I'm aware, so it doesn't look like you weren't paying attention: I'm aware that you need this, here's why we should have a conversation. And we will try and read all of them; we get a lot of messages, so again, if you don't get the answer the first time, don't give up, try two or three times; things slip through gaps easily. I think one last question. I've noticed that you've talked a lot about resumes and the recruiting process and whatnot; one thing that wasn't specifically addressed very much was compensation, and I know nobody likes to talk about money, but where do you talk about money in this process, and how do you all like to broach that subject? It's more common now, especially in the U.S., but first step, right: so I don't want to waste my time as a recruiter and put you through to the end. If you go through three phases, we've had four weeks of interviewing, and then I go to give you an offer and I offer you a hundred thousand and you wanted 150, like, what were we doing? So for me, the second I get the chance to talk to

you I'm gonna check your expectations um sometimes I'll even just send an email and say hey this is our range does this meet yes it does okay let's Now set up a call because sometimes even it's a waste of my time to sit and set up a call chat for 10 minutes and then find out it just depends on the recruiter though and their volume like sometimes I have 20 positions I'm talking to 40 candidates 50 candidates a week an email is easier to check that but you know it should be in the very beginning of your your process um so I know Drake's going to talk about negotiation um there's a lot of things to keep in

mind it's not it doesn't come down just to a number there's a lot of other things to keep in mind with the benefits with the training and so forth that I want you to keep you know keep that keep flexible with that right there's also and I'm not going to get it right there's some kind of new legislation where companies are supposed to put the salary ranges on the job description however um be leery of that and here's what I'm saying they're never going to put a salary amount on there that they're not willing to pay however it what they put on there um I hope I say this right it might not even come close to what you can

negotiate okay not on purpose they're not being shady they're not being weird but they might I think it's I really think it's State Bound it's how the it's how the system is even set up so like for Aristocrat when I enter in like a specific what we call like a job profile associated with the job right it's going to come up with a range we'll say like literally eighty thousand to a hundred fifty thousand and then on top of that when it gets posted externally for you to see as a candidate it's also including the bonus and we do an annual bonus so a candidate will like when when you apply for Aristocrat we actually ask

like what are your salary expectations so I know even before I talk to you A lot of the times it's like twenty thousand dollars higher and when I talk talk to the candidate they're like oh I just thought this job paid more and then I have to explain it right so like I hate our system because it does that and it is misleading to candidates so just keep that in mind but yes it's going to be usually if you see a range the lower to like mid-range um I think it's called the transparency act or something but it but it is okay pay a transparency yeah got it okay you're supposed to mouth the answers to

me when I can't think but uh but pay transparency Act is is the companies are have to give you and it's it's location based okay right right yeah it's location based I'm I'm trying to tell you not to be afraid in in my experience the range is never going to be um higher than what you can expect but sometimes it's lower because it's not taking into a lot of factors uh to include if the job posting is tied to whatever location you had to put into your applicant tracking system but it could be Colorado Springs but we'll let somebody from New York do it remotely that's something you're only going to find out when you have the conversation

with the recruiter plus it's not including in our case sign-on bonuses you know of up to twenty thousand dollars holy crap that's not in the range because it's tied to the location they're they're uh it's it's automated we don't even get to decide what we're putting in there so if you look at it and it even comes close start having the conversation everything's negotiable yeah and and just uh I guess to sort of tie it off obviously I work across multiple clients that do compensation way different you know from startups that give you Equity to companies that don't do bonuses and just bases um like there are different ways of doing it now just there's a good explanation

Recruiters on human resources people that there's a we're very different a lot of people think that we're HR people we're not um we might form part of the HR team um but we're not HR people so I I don't know the legal rules and regulations around that stuff but yeah he doesn't care if we just do what we're told whatever yeah but but um what I will say is some companies include bonuses in those numbers some don't as Kirsten already said some companies are giving it a wide range where you know if you're in San Francisco you may be able to get the top of the range whereas you know if you're somewhere else you may be able to

get lower now I'm saying that not because I'm not judging whether you can do the job or not right you should all get paid the same that's not my point um my point with it really is that if you go in and you see that advertised and you think like a lot of people do let's not leave any money on the table right it can go up to 152 300 oh guess what I'm gonna put I'm looking for 152 300 right and the truth is that they could look at where you are they could look at other factors and you might actually get reject and never get a chance to get a phone call so just be

aware of that if you are automatically going to put yourself at the top and and don't be running if you were looking for 170 but you take that then put yourself at the top but if you're looking for somewhere in between work it out be honest with you and as you go through the process you might be able to negotiate a bit more on where you're at you said something very very important that I that I want to kind of just highlight another you're thinking about the cost of benefits and you're thinking about the 401K matching and you're thinking about the training budgets and whether or not they're going to send you to besides and pay for it and stuff like

that all matters but you mentioned Equity um some like you know our company has a thing where you can um you can get a discount on purchasing stocks that's huge depending on where you are in your life Journey you care more about things like that there's companies that have esops and esp's that's also very important and people need to keep that in mind too so there's things that are bigger their sign-on bonuses there's shares there's a lot of different benefits make sure you're having that conversation too so the the salary amount good question it's just a ball that's just a starting point right yeah get it in get it in early and if you want to soften up that that talking

about which some people feel it's easier to soften it up a bit you know just going Direct in right and how much is this paying and I'm looking for this can sometimes can feel a bit aggressive so um it's not aggressive it's something that you have to do you can practice soften it up so it might be like I'm really driven by this job because I've always wanted to work for Accenture Federal Services right um I'm a really big fan of Buffalo the casino game I want to work for an error scrap right so you can soften out by giving them reasons other than money that you want to work there but then then go into it because it's one of the

key things so there are ways you can soften out but make sure you have the the question early because as much as it might waste our time with a hiring manager's time but waste your time you could be interviewing somewhere else that is going to pay you what you want so just bear that in mind and you know how you phrase your answer start with these words here's the other offers I'm seeing there we go you're a star thank you sorry sorry about myself no we're good you should do it um so we've got Drake on it too he's going to talk about recruitment related stuff you should definitely come back and see that hey you should definitely

hang about until two o'clock who needs lunch right just hang out um That'll be amazing if anybody's going to Defcon I've had the pleasure of talking a village once but somebody on this stage is going to be talking on the main stage her not me don't Heckle me please I'm so nervous thank you very much Kirsten thank you very much Lauren you're both absolute Stars appreciate your time [Music] thank you [Music] thank you [Music] foreign [Music] thank you [Music]


good afternoon and welcome so my talk I'm giving today is pen testing experience and how to get it so I'm Phillip Wiley I have my cisp oscp and gwpt certifications I'm a Security Solutions specialist and evangelist at PSI I've been working in offensive security for over 10 years I spent five years in Consulting worked as an internal pen tester led a red team for a global product consumer product company I've worked as an instructor I used to teach at Dallas College I taught pen testing web app pin testing there and I'm also the concept Creator and co-author of the pen tester blueprint which is based on my College college lecture from Dallas College which I gave

at the each uh the beginning of each semester telling my students about pen testing and what it took to get into pen testing and so by the end of 2018 it turned into a conference talk and I presented that at besides DFW in Dallas Texas and it was really kind of cool because when I gave that talk there were some people from our community I offered my classes continuing ed and credited because I knew there's a lot of people in the community that wanted to learn the pen test but they didn't have to worry about transferring credits taking all these prerequisites to get in to the course so really had some really cool people from

the industry so when I gave that talk besides DFW in 2018 some of you may have heard of Juno from infosec Twitter she works for Bishop Fox she was one of my students so she sat in on that that talk I knew her from the community but I recently found out like last year this year that that's what motivated her to become a pen tester so she ended up taking my class the next semester one of my best all-time students a total rock star she's part of cult of the dead cow now and and doing some really cool stuff in the pen testing world uh one of my favorite moments was uh when I was the red team

lead at the global consumer products uh manufacturing company I had a pen test done so we did all the network pen testing and red teaming but we outsourced the web app pin testing we had uh different Consulting companies do that so one of those pen tests I had Juno and another former student one of my very first students were on that pen test they were working for the consulting company so to see the email come across them getting ready to start the testing was kind of a a proud teacher moment to see my teachers my students go on to be pen testers and kind of a cool fact most of uh the people that went through my class

that got jobs were were mainly women that actually got pen testing roles so there's quite a few in that class that went into pen testing or went into it years later I had another student that was taking my class another one of the rock stars like Juno that was a junior in high school and he was taking college classes so he took my pen testing course and now he works at one password in security research there he helped create one of the uh some of the Technologies for the key exchange for their for their their apps so it's it's a lot of fun and I really love mentoring and teaching I kind of learned in 2018 I've always been

very competitive always trying to be the best pen tester I could be but all honesty I never thought I was the best I tried to be really good and then in 2018 I decided to focus on mentoring teaching and helping others so it's been a good change it's something I'm a lot better at and one at the time when I started that I thought you know the world needs lots of teachers and mentors and so it's been a fun fun Journey I've got to meet a lot of people through that it's been very fulfilling so I'm also a podcaster so I have a former podcast called The Hacker Factory there's 118 episodes out there on the podcast platforms but

recently went independent with the Phillip Wiley show same similar format but I'm also doing video now before it was mainly just geared towards people's stories and advice and get in the industry but I have different people sharing Technologies and we get into some discussions about content creation because you'll see in this presentation later on one of the things I highly recommend when you're trying to break into the industry is content creation so that's a good way to get noticed recognized information that you can go beyond your competitors that are applying for that pen testing role to show them some of the things you do that are above and beyond what that role entails so always like to share my story of how

I got into defensive security and part of this is to motivate and encourage other people so when I graduated high school I didn't know what I wanted to do with my career I didn't take High School seriously I love science so science was the one class that I would take I didn't have to study for the exams because I took notes paid attention loved it when I was a kid I was always checking out science books instead of uh you know novels and so forth and fiction so that's what I was really into when I graduated high school I didn't take it serious enough so my grade point average was too low based on my college entrance

exam scores I could have got like eight references from teachers and got into the school but I just really wasn't into it really didn't know what I wanted to do so being a power lifter at that time Still Still power after but back then my my classmates told me say why don't you be a pro wrestler because where I lived was a big wrestling area in Dallas-Fort areas because the Von Erics were very popular there so I went to wrestling school and so I got married and I had to have a job that had benefits because as a pro wrestler you don't have life insurance or health insurance if you get injured that's out of your pocket and I wasn't

you know when you start out they referred to you as a jobber or a job boy so I was paid to lose I was paid to make the superstars look good I mean some of the people I wrestled were like Mick Foley uh the rock and roll Express The Fabulous Freebirds uh some of the The Rock Dwayne Johnson's cousins wrestled as the Samoan SWAT team and so I had to change jobs and so I worked in retail sales tried to go into the military but for health reasons I couldn't get in when I was 15 my brother actually shot me so since I had a bullet my body the military wouldn't take me either one

branch wouldn't take me because of the bullet or other branches wouldn't take me because as a power lifter and I was too heavy so I gave up on that so I tried retail sales which was probably one of the things I enjoyed the most because working with people but then also try construction which I absolutely hated roofed houses put up fences and for me I've got to have a job that I enjoy I mean because my first year out of high school I had 20 years 20 jobs my first year and that's because none of those jobs I liked so I had to find something I was passionate about so one day I was home

at this time I was working is a jewelry salesperson at this jewelry store and I was always like the Top Nut top salesperson either number one or number two the family that hired me on to work in this store wanted me to be eventually an assistant manager move into management but the guy that was the manager of the store had someone else that he had considered for that role and they were highly qualified and deserved the job just as much as I do and I understand that but what I decided is I needed to acquire a skill where I could get a good job regardless of politics you're going to have politics everywhere you go or

sometimes not even politics it's just someone thinks this person is another candidate doesn't mean it's right or wrong so I knew I had to acquire these skills so since I was working jobs where I was home during the day one day on daytime television they were advertising this trade school that taught CAD drafting so I liked drawing when I was younger I took some drafting classes in high school so I decided to give that a shot so when I became a cat drafter I was exposed to the world of I.T when I went into cat drafting I had minimal to no computer skills probably the worst of my class by the time I got out of CAD

school got into the field doing drafting my computer skills surpassed my peers I would find just different features in the latest version AutoCAD that my peers had been drafting longer than me didn't pick up Windows 95 was fairly new I was able to get like Windows 95 printing to work with the novel Network whereas one of the the IT people there that was actually was an accountant that that did it because the main IT staff was two hours away he couldn't figure it out and I did and it was funny the first time I ever got called a hacker was because I was working these systems but I was trying to get things to work and I

was successful so I decided because you know the company had one of the previous companies I worked at they had a a consulting company come in and so as a drafter I was making 15 an hour we're being built out of 30 an hour so this consultant coming in building 50 you know 15 an hour so I knew he was making you know more money than what I was and it looked a lot more interesting so I taught myself how to build computers took a novel Network course and so I worked as a sys admin for six years and then in uh January 2004 I moved into infosec and then about a year and a half later

the company hired a new CSO the CSO came in had a better idea of the way security organizations should be run and set up so fortunately I got put in the appsec team and being on the appsec team I got to find out about pen testing I was managing third-party pen tests I was performing vulnerability scans with web inspect and appscan and so I really got interested that so in 2012 I got laid off from my job and I applied for a role at Verizon as a pen tester Consulting as a pen tester and one of the things that helped me on that was I had vulnerability scanning experience some security experience in appsec but what

really won over the hiring manager is I was self-taught on a lot of things he was a person that believed in building not so much learning the hacking stuff if you know how it works then it's going to be easier to hack into it or secure it so from that he took a chance on me so I went to work there spent about five years as a consultant got tired of all the travel and then moved internally so if you ever get the chance to do Consulting that's a really good way to get a lot of experience pretty quickly so as an internal resource uh for a bank I used to work for we got

four weeks to do a pen test whereas the consultant we only got one week so you had to do things quicker so you're doing so many more pen tests so many different uh variety of pin tests all these different environments because it's not always the same company so you're able to pick up a lot of experience quickly so I went into the internal side also worked as a red team lead for a global consumer product company so that's kind of where I got started I like to share the story because you know you hear of imposter syndrome or lack of confidence I never thought I'd be using my mind for a living I always thought it'd be the physical

because of the pro wrestling you know I used to be a pro wrestler and back in my pro wrestling days actually Wrestled a 750 pound bear so I never thought I would do that and so I like to do one of the things I like to do is encourage people and that's one of the purposes of my podcast a lot of times people just need to realize that they can do it when you think a good analogy is a sports analogy you look at any records Olympic records Running Records uh distance and time or whatever or even weightlifting competitions any kind of sport sometimes those records stay there for a very long time but once someone breaks that record

you notice how all of a sudden it starts getting broken easier it's because someone proved it could be done it wasn't because people couldn't do it it's been proven that it could be done so that's kind of the purpose of my podcast and one of the things I hope you take away from this talk is you can do anything you want to you just have to put your you know put your heart into it if it's something you're passionate about you put the work in you will succeed so kind of just to briefly go over what pen testing is so it's assessing security from an adversarial perspective using hacker tools and techniques also sometimes referred to as ethical hacking

but truly ethical hacking is really the hacking part of the pen test so you can do ethical hacking not necessarily do a pen test uh but this is some of the terminology that you'll hear so there's different tools that you need to get experience with and then also too you may hear about uh red teaming and Pen testing there is a distinct difference because real true uh red teaming is adversary emulation so you're going in trying to find a foothold in and sometimes it requires social engineering or uh you know fishing sending a phishing email to gain a foothold in so you're looking at one way in you're trying to go undetected uh you try to maintain access so you're trying

to emulate a real world threat actor so sometimes you'll actually be using some of the things you see on miter you look at some of the apts and you emulate that so one of the things you could do is look at popular apts that affect your industry and base your attacks off of that with pen testing you're trying to find every vulnerability that's exploitable and make sure you validate that they're vulnerable and then try to exploit them and exploit anything to be exploited to make sure you know what can be done if it's exploited anything during post-exploitation but they're both both important so you really want to start out with the pen testing and as you

mature add in adversary emulation because you can get really secure but maybe you're easily social engineered or fished because some of the fishing tools out there companies are using less pen testers to do it they just get some package that sends out these random uh phishing emails and what those do they they check for clicks they're not really seeing what happens if someone clicks on that link you really need to see what happens past that can someone get initial access into the organization you know sometimes it may be really secure but if someone with the right access clicks on it then they can get access to the environment so they're very important so with the pen testing you're

making sure you're finding all the vulnerabilities trying to exploit those and document that with the adversary emulation then you're just trying to see if you can emulate a breach you're also testing to see if the Defenders are able to detect and protect against this is the technology protecting against this so someone clicks on that email are they able to gain access so you so you're also testing the security and one of the quotes I like to share with red teaming is the founder of Dallas hackers Association wirefall his description red teaming is a very simplistic form is the red team tests The Blue Team so that's a really good thing to keep in perspective for that

so some tools that you need to to get experience with to be a pen tester is vulnerability scanners so mind you still want to learn how to vulner to manually test for vulnerabilities but you also want to use vulnerability scanners so you got Network scanners nessus nexpos qualis is another one not listening open boss and nuclei are free and open source vulnerability scanners but one of the things with the vulnerability scanners is as a pen tester you're so limited with time so you need to be able to do things quicker at one time there weren't vulnerability scanners and what vulnerability scanners have done is help pen testers scale their work and that's one of the things too that I see coming

with AI I'm really looking forward to some of the tools that AI produces because you look at tools like Metasploit trying to obfuscate your payloads I can just imagine what you know you can do things with chat GPT to do that but I see some of the next generation tools making that even easier so for your web app vulnerability scanners web inspect app scan acunetics net sparker nicktoa nuclei and so there's also vulnerability scanning capabilities in the commercial version of burp Suite the professional version and then also Oasis app does some vulnerability scanning so you need to learn operating systems for pen testing and also this is a dual purpose so you need to understand Linux

and windows because most the environments you're going to encounter will be Windows Linux or Mac OS so understanding how to use those can be very helpful if you get command on access also referred to as a shell to a system if you know the operating system how it works you're going to be able to to do a better job because if you have to Google everything it's going to take you a long time so understanding pen testing operating systems such as Cali Linux and windows is going to help you uh do a quicker job so you don't have to do all the all the different all the Google searches try to find that so having that as a sysadmin level so

you're able to connect to the to the network able to understand basic TCP networking and so forth and so other pen testing tools like nmap is a very popular one it's a port and service scanner there's a lot of really good plugins for uh nmap that you can actually actually function as a vulnerability scanner sometimes when the latest vulnerabilities come out they create a script to look for that so like log4j came out they came out with a NSC script that you could quickly test everything in your environment to see if it's vulnerable and so Metasploit is an exploit framework so most of the exploit Frameworks don't have a free version so but Metasploit is a really good one so

understanding how to use these tools and then web app pin testing tools like burp Suite zap and then the web app vulnerability scanners as we mentioned earlier in this slide and also fuzzers learning how to use these so when you're learning how to use these tools when you're going through a job interview you're able to discuss that because someone may say ask if you have experience with burp Suite maybe you don't have it professionally but maybe you've done bug batting which that would be professionally or if you've done a lab environment if you're able to answer the questions for that a lot of times that's that's uh that's good enough so the skills you need is networking

operating systems as mentioned you need to know that as assist admin level hacking and Pen testing so when I got into pen testing this is the piece that I didn't have I didn't have the hacking piece I didn't know how to hack so I took the oscp certification so reverse engineering is another important one too so I've seen cases where I've done pen tests for companies and went in and found like a Java jar file and is able to reverse engineer it and sometimes they have hard-coded credentials in there like database connections username and password and sometimes this is a way to get in the system uh so be able to reverse engineer is a

good thing and this doesn't take this take doesn't take a ton of effort it doesn't it's not as intimidating as this sounds also you can find some good stuff in in like APK files for Android apps sometimes you may find this on a website sometimes you'll find apis in that so uh a tip that I hear from a lot of bug bounty hunters is to look for those apks reverse engineering to look for any kind of any kind of apis that are in there and as far as getting the skills it depends on what you're wanting to do so if you have an application background then application pin testing may be a good route to go

and so this is going to kind of determine the skills you need what area you're wanting to pen test if you have like an ICS iot background then that's going to be valuable then understanding that and learning how to pen test those environments so you need to get the hands-on experience and what we're going to cover in this presentation is just actually uh environments that you can use for educational reasons that help you gain those skills so mind you even if it's a lab environment you write up hack the box or try hack me box you do a write-up on it do a walk through of it you're able to prove that you're able to use these pen testing

tools and that you know how to pen test

and even though you don't have the professional experience if you can demonstrate that that goes a long way because you take some people coming in may have like a ceh or pen Test Plus but they really don't know the hacking piece of it if you're able to just you know able to show people demonstrate that then that's going to help so some good options there are ctfs you hear some people that put down the oscb saying it's ctf-like but the thing about CTF ctfs are not easy sometimes they're not real world scenarios it could be something more difficult like going through the oscp it can be more difficult than what you would see real world

but doing hack the Box try hack me and then creating your own lab using vulnerable VMS is a good way to to get experience and so getting that experience you're able to prove to an employer you know how to perform a pen test you're able to answer questions during that job interview and so to get real world experience in professional environments stuff like bug bounties are great crowdsourced pen testing these are even better options so like bug bounties uh you're paid per bug you find and one of the things I like to describe there if you really get good at bug Bounty and stuff like that you're going to be a better a better pen tester

because as a pen tester you're paid for the pen test if you don't find any vulnerabilities you still get paid with a bug Hunter it's like someone that fishes or defeat themselves or fishes for game game if so if you're going out there just doing it for fun if you don't catch a fish you're still going to eat that night but if that's the way you have to feed yourself you don't you're gonna get better at it you're gonna try harder so these are good ways to learn and some of the best uh pentas are a scene do bug bounties uh bug crowd hacker one and cynic do bug bounties but then you have some pin test

as a service and these are ones I really highly recommend like Cobalt so Cobalt is nice because you get paid for the pen test last time I heard it was like fifteen hundred dollars per pen test I don't know we got an expert here and she validates that that's true so this is kind of a better option in my opinion if once you get those skills down you learn how to do a pen test you you pass their skills evaluation then you're on their platform you're able to pen test so you're able to get real world experience so once you get that Real World experience it's going to help you to get a role as a pen tester uh

As opposed to not having the experience, sometimes these are easier barriers to entry. Even Synack has an online challenge you go through, and if you've got certain certifications, that bumps you up in the interview process. So these are good places to start, and Bugcrowd and HackerOne don't require that you have experience; you just sign up for the platforms and you start off right away, so it's a good way to get practice. But don't get discouraged if you find duplicates, because if you find duplicates, that means you're still finding vulnerabilities. So if you're performing a pen test on your own, then you're actually finding actual vulnerabilities. You can also do pro bono or low-cost pen testing for non-profits or businesses, you know, a mom-and-pop business that needs some security work. Maybe you're able to do a pen test for them for free, or at low cost. If you're doing it at a low cost, you're getting professional experience and you're actually paid to do it, so there's something there; maybe it's not that much, but still you're getting something for it. As you build that experience up, you could actually have your own consulting company, and then maybe you get to where you're getting jobs that are paying a decent price. But the pro bono work works really well too, because you can find churches, different religious organizations, non-profits that could use a pen test, and you're able to do that for them. Another thing you're doing there when you're doing the pro bono stuff: the security community, people involved in the industry, they like to see volunteering and helping out, so that's good to have on your resume.

Another one I really like to emphasize as far as trying to get experience is getting Common Vulnerabilities and Exposures, CVEs. This is one of the things that I see more value in over a certification, although if you go through the OSCP, it's tough and it proves that you can do a pen test. But finding CVEs, you're able to find vulnerabilities that didn't previously exist, which even a vulnerability scanner doesn't find. So you're able to find CVEs, which is basically kind of like a zero day because no one's discovered it yet, and you're able to document this on your resume or your LinkedIn profile. Really what brought my attention to that is the Mayor; Joe Helle calls himself the Mayor. He did a Medium article: one night he was bored and found two CVEs. Basically he was downloading free and open source software for like hotel registration systems, installed it on his home server, did a pen test against it, found vulnerabilities, wrote it up, submitted it, and he got CVEs. So you can put this on your resume or your LinkedIn profile, and that's going to help you get that job. You're able to actually find vulnerabilities, and these are more difficult to find than running a vulnerability scanner and finding stuff that exists, so in my opinion that's a lot better. CVE is basically a database that's kept by MITRE; they keep all these CVE numbers when these CVEs are detected. What you could do with these is go in there, take that CVE number, put it on the publication section of your LinkedIn profile, so that way people don't have to just trust you that you got the CVE; they can click on that link, they go to the vendor site, and they see the details of the CVE and your name associated with it.

Some really good articles on that: Bobby Cooke has an article on his blog that's called Beginner's Guide to Zero Day and CVE AppSec Research. Bobby was going through the OSWE certification through Offensive Security; it's an advanced web app pen testing certification, so to prep for that he was looking for CVEs. And then Joe Helle has his article, Bored One Night, Found Two CVEs. If you go to his Medium page you can find multiple articles; since he did that he's done several past that, and he does a conference talk on that topic. I think that's a really good way that people overlook. I mean, I'm a pen tester, I've done pen testing for over 10 years and I don't have any CVEs to my name, but to me I would be more impressed with someone with CVEs than a certification.

So, demonstrating the skills. You've been going through getting this experience, so how are you going to demonstrate that? If writing is your thing, do write-ups; you could do articles, blog posts on GitHub, Medium or your own blog, and these are things that you can put on your resume, put on your LinkedIn profile, so if people are looking through your profile they can see some more in-depth information than just "I've got this certification, I did this or that." You're able to kind of show people write-ups, so if you find a Hack The Box box that you were able to solve, you can do a write-up on that. Keep in mind the different platforms, because with TryHackMe there are certain boxes they don't want you to reveal the answers to, so be careful what you're doing there. You can write this up, you can create sample pen test reports, and that way people can see that you can write a pen test report and see the way you think and detail that really well. Also, if you are writing scripts, you could put that on your GitHub as well. As far as trying to demonstrate those skills, if writing is more of your thing, then gravitate towards that. The CVE IDs, as mentioned, you can put in your resume or LinkedIn profile. And also tool techniques and walkthroughs on YouTube: if you like video, then do video walkthroughs. If you don't want your face seen online, you don't have to turn the camera on; just show the screen. So I'd recommend finding the platform you're comfortable with, because content creation is a great way to get experience and get exposure. We're kind of living in what I would call the golden age of content creation for cyber security professionals. I've seen a lot of cyber security professionals that have started their career based on they were studying and they were creating videos to kind of show what they were learning in their journey to share with others, and so a hiring manager can see those videos and see your thought process and see your hands-on skills and see some proof of that. Also scripts or programs that you write, you can put on GitHub. So as far as the content creation, find an area that you're comfortable with.

Speaking at conferences is another thing, speaking at meetup groups. There was a recent college grad at our DC214 meeting in Dallas that had just completed their degree. They were doing a talk on malware analysis, and there was a hiring manager from Citibank in the audience who saw that demo and asked for a resume. They basically already had a technical interview; they could vouch for their skills, and so they got an interview with the company and ended up getting a job. So going to these conferences and speaking, doing demos of the stuff, is a way to show people not only your technical skills but your soft skills. In a lot of cases you're going to work for a company, you may be presenting to clients, or if you're a pen tester, then you do the debriefing meetings where you read the pen test report, so being able to do this stuff is helpful. So you can do video content creation, streaming, YouTube or Instagram, writing, speaking at conferences and cyber security meetings.

Professional networking: this is probably one of the biggest things there. Most of the jobs I got in cyber security since 2012, my first job was actually applying for a job, but I think I've only actually applied for jobs that I wasn't recommended for, where people didn't reach out to me. So get to know people when you're at these conferences; make it an effort to meet people, talk to people. Someone that you may know, that you've seen, that may have been in the industry for years, don't be afraid to talk to them, because most of them will be happy to help you out. Just network with people when you go to your meetups; don't sit in the corner. If you're introverted, you know you're amongst your crowd, you're in your tribe, they understand this. When you're talking to people with similar interests, it's a lot easier to talk to them. So do that; that helps get your name out there, people get to see your skills. One of the people from our community had recently graduated from college, and a lot of people reached out to me for junior pen testers since I was teaching pen testing. One of the people I knew from our community, I knew they wanted to be a pen tester, so I was able to refer them, and he got his first pen testing job. That's because I knew him in the community; he talked to people, let them know what he was looking for, so people knew him. If he'd just come to the meetups and been quiet, no one would have known, and he probably would have missed that opportunity. There are other opportunities there too, like your online communities, Discord, Slack, Reddit and so forth, and Twitter, or whatever they're calling it this week. I still haven't given up on X.

Yeah, I really think I can think of other things to call it. You know, Elon walked in with the sink; he really should have walked in with a toilet, because that's kind of where it's gone. But fortunately it's doing okay; it's still a good source. It was really weird to see how many people left Twitter, because I used to monitor my follows and unfollows, because I really put a lot of effort into my social media, and I noticed at one point I'd lost like four or five hundred followers. I looked at this unfollow app and actually people had deleted their accounts, but people are coming back too. So those are really good places; that's where I get most of my information. Infosec Twitter is how I found people in the community. So that concludes the presentation. If anyone has any questions, I'll be happy to answer your questions. Yes?

Okay, so the question was, they're already creating content and asking how to get views. If you can find anyone to collaborate with, find people that you know have a good following, ask them to share the content. Find people that you can help. I'm a member of a Discord, and it's a content creator Discord, and we share for each other, so we ask each other, find people to help share that. And if you ever have guests on or something, you could collaborate; maybe someone else has got a bigger audience, get them on to do that. So really just kind of sharing with social media, and then maybe if you're a member of some Discord servers, especially if your content is cyber security content, then find an area where people are trying to break into the industry; they're always looking for new content. A good example of someone that built their brand off of beginners is The Cyber Mentor; he had a lot of information out there to help beginners. Also, if you're doing this on YouTube, I actually started using TubeBuddy, and it gives you some good recommendations on what type of tags to put into your content. TubeBuddy, tube like short for YouTube, there's different levels of it; I got the lowest level, but it's really helped me increase my SEO and gives you some useful things to help you improve the views on that particular video. And also, when you're creating that, put in a call to action, so at the end of it have a screen for people to subscribe and maybe even recommend another video or something. That's what's kind of helped me out with that. So really, collaborating with others helps a lot. I was on David Bombal's show a while back, and I picked up probably about 2,000 new YouTube subscribers. It's also kind of being frequent with the content, you know, consistently creating. Some of the things I've done to help enhance some of my content for my podcast is using some of these AI tools. I use a tool called Descript, so it'll write a transcript on that content, and the cool thing about Descript is it'll take the transcript, create show notes, even create an article, so then you could repurpose that on a blog; not everyone likes videos, so repurpose that on your blog. That's a way to get more SEO improvement to your website, get more views to your YouTube channel and stuff like that, so that's been really great. If you get the pro version, a certain level, it'll actually give you short videos; it automatically creates short videos with the subtitles like you'll see on Instagram, and it also creates audiograms, short audio clips. So you can take some of that, and also creating shorts from your videos: if you've got a 30 minute video, maybe you can work it out to where you can create like 10 or 20 minute chunks and just take that one specific piece. That's one of the things David Bombal does, and he's got like two million subscribers. When I was on his show he went back and cut it up, so he may have done one thing on recommendations and learning resources or certifications or books, and goes back and clips that specifically, and when people go to that shorter-form content, maybe that's what they recommend. You know, attention spans are getting shorter, and so you have to kind of, like TikTok and Instagram Reels and all that, you've got to kind of feed that audience, and sometimes it brings people over to the longer content form. Anyone else? First, cool.

Hi, how's it going? I have a question for you. So I'm a system administrator; my guys here are support guys. If you were to give us one thing to do today to get started on our path as pen testers, what would you suggest we do? I know that you had those tools listed there where you can stand up some environments, but what's like one thing you would do if we were to go home today and we could start, and really get the most experience and the most interest to stay focused on this career?

So if you hadn't started yet, I would start out with TryHackMe. Yeah, TryHackMe. No? Okay, how's that spelled? TryHackMe. Oh, TryHackMe. Yeah, TryHackMe, because it's very educational. They came out after Hack The Box, but they had the educational piece, so it takes you step by step through there, and as you graduate from that, then you can move on to Hack The Box and then Hack The Box Academy. Hack The Box Academy is one of my favorite resources. And if you go to my YouTube channel, I've got like a whole semester's worth of lectures on my pen testing class, which was based on the PenTest+ certification. If you go to my YouTube channel, it's just Phillip Wylie, and there you go, that makes it easier to see how my name's spelled. If you go there, I've got a whole semester's worth of lectures, and I've known several people that have taken the PenTest+ that said that actually helped them on their PenTest+. So getting started, the thing I like about TryHackMe is it starts out kind of easy and they walk you through it, and you actually do the hands-on activities, and you'll build up a good base knowledge. They've got tracks there based on pen testing, like vulnerability management; there's even one that you go through where you're using Nessus in that lab. So it prevents you from having to build a lab, which, building a lab is a good thing, but sometimes you can spend more time troubleshooting and fixing a lab than actually doing the hands-on work. Plus, the cloud-based stuff you can do from anywhere; you can study at work or home, or if you travel, or whatever. So TryHackMe would be the first step. Cool, thank you. You're welcome.

I have a question about AI tools. You mentioned there were AI-powered red teaming tools or pen testing tools, and I'm worried that a lot of jobs will be automated out of existence as far as pen testing. So what particular subsections of pen testing would you say are more AI resistant, and what is your take on AI taking over some of the roles?

I think it's going to be difficult, because one of the things I joke about, and I wouldn't want my manager to hear, but I think AI could replace management before it could replace pen testers, because, you know, it's more easy to decide. We don't have to worry about much until they get general AI, because AI now uses large learning models, so you have to train it and feed it information. Once general AI comes around, it can do its own decision learning and all that on its own. But I think really what it's going to do is it's just going to help the tools, help automate, help us automate things. So I would say use things like ChatGPT to help you be more effective. One of my favorite quotes I've heard is, you won't be replaced by AI, you'll be replaced by someone that uses AI. I think that stuff's really hard, because if you look at some of these vulnerability scanners, you know, there's breach and attack simulation tools that will find things that you have to find with your vulnerability scanner and use something else to breach; chaining that altogether and trying to find zero days, we're a long way from that. Really, the more menial jobs it's probably going to replace, like your vulnerability scanning and some of the preliminary boring stuff, like validating certificate-based stuff like that. I think it's going to help in some of those areas and give pen testers more time to focus on the hacking piece and more of the manual pen testing. So I don't think there's really anything to worry about; I think you should embrace it and learn how to use it in your workflow. Hey, that's been a question since before ChatGPT became popular, that people have been asking for a long time.

This isn't really a question but more of a comment. I've known you for several years, and I've seen you take people under your wing and foster them and teach them, and I've seen you literally change lives, so I just wanted to say thank you.

Well, thank you, it's an honor. Thank you, it's really an honor, because when I started out doing this, like I said earlier, I turned my focus towards mentoring and teaching and all that, and I never expected anything in return, but my gosh, what you get in return, just from the satisfaction of helping people, is great. But I get opportunities for jobs and opportunities to make money all the time; that wasn't the intent, but it's a nice side effect. I don't know what your religious beliefs are, I'm a Christian, but I think also if you buy into the universe, the universe or whatever, there's some mechanism there, whether we can explain it or not, but if you do good things, good things happen to you. If you're negative all the time, putting negative out there, then you're going to get negative in return; you're always looking for the negative, that's what you're going to find. But if you're putting positive out there and just helping other people, because you never can tell, these people you mentor could end up being a CSO of a company down the road and you work for them. I've seen a lot of cases where people have been junior to me and they've gone on to be higher up in a company and be highly successful. One thing to keep in mind when you're starting out: don't think you're starting too late. You see the pen testers that have got 10 years; I can show you a lot of people that took less time to get there that are better. So don't worry about time restrictions, that you have to be a pen tester for 10 years before you get to that level, because you have your natural intelligence to begin with, and the amount of work you're willing to put into it, the hard work and time, that will beat out tenure. One of the things I hate to see in companies is that too many times they focus on tenure, the amount of time you've been there. Maybe you've been there 20 years, but did you bring any value? Are you actually doing your job, or are you just showing up for a paycheck? You could take some young passionate person, or just a passionate person in general trying to break in, that's willing to work, put in the time, and work circles around everyone else, and those are the people who should be rewarded, not just because you've shown up for work for 20 years. I mean, there's something to be said if you're doing your job and you've been here a long time, you deserve it, but that's just kind of my thought: we need to change the way we see these things. If you're coming in doing a good job, you shouldn't be restricted. For instance, my wife works for a company, and they told her a couple years ago, oh well, you have to be here so long, so-and-so was here so many years, but yet she's outperforming her teammates, like three times or four times the bill rate of them, working that hard. So you really should reward people, because especially if you're a company and you're making money off of consulting, if they're helping you bill more and be more successful, you should help them out, because eventually they're going to leave. One of the things I tell you when I mentor: if you're somewhere two or three years and you're only getting a three percent raise, when you first start out, yeah, you're going to have to start out lower, but at some point you've got the skills, and if you left to go somewhere else you'd make more money. So you really need to reward those people to keep them around. If you give someone a career path, get them training, be good about giving them raises and stuff, they're going to stick around; there's going to be loyalty. Loyalty is a two-way street. Sometimes companies worry about the loyalty of the employee, but you know, that goes both ways. Yes?

Hi, so you talked a lot about technical skills. What would you suggest to folks who have built up the skills, they're really good pen testers, but they need to work on their writing a little bit, they need to work on their report generation? I know that sucks, but it's one of the more important parts of being a pen tester, because you have to deliver the report. So what are some of the recommendations that you would give for communication?

Sure. One of the things I would do, and this is before I got into pen testing, you know, I went back late in life, well, I was still in my 30s when I went back to school to get my associate's degree, and one of the best classes I took was an English composition course. So one thing to do if you're really not good at that, I would recommend going to community college, taking an English composition course, learning how to write. Another thing is just practice; start writing, just like I mentioned, writing blogs and stuff, start working on that. One of the things you can do to get practice too is go through and find some CVEs from Nessus or whatever, and go back and work on rewriting those vulnerabilities, because one of the consulting jobs I had, some of the vulnerabilities did come directly from Nessus, but I worked at a company, and I really thought this was a good idea, they went back and created custom write-ups for that CVE, so that way it doesn't look like a Nessus report. So maybe go through, find some different CVEs and reword them, or practice writing executive summaries. So if you did a pen test, or you did Hack The Box or something, write a pen test report. The best way to get experience with writing is writing. If you really need a lot of help, then take a course, an English composition course, and also use tools to help with your grammar stuff, but one of the things you'll find out too is some of these tools are not foolproof. I use Grammarly a lot and sometimes it's incorrect. But just practice writing or take a course to help with your writing. One of the things I'd advise too, with writing pen test reports: I found it a better experience if I tried to enjoy it, if I tried to not just show some company how badly you hacked them, but look at it more as a way of, this is how thoroughly I tested you. You may come back and not find a bunch of findings, but if you go through and say this is all I did, and really explain that in depth, that way they're going to see that they've got a quality pen test, even though maybe you didn't find a lot of things. So that's one of the things: every time I found that I tried to enjoy writing the report, it was a lot better experience. Take pride in it, really work hard to create a good report, and that's been one of the better experiences that I've had.

When you wrestled, what name did you go by? I just went under Phil Wylie, because at first you have to lose all the time and I didn't want to ruin my gimmick, although one name I'd considered was Phil Ferrari, because I like Ferraris; this is back in the 80s, Miami Vice, you know, they had a Ferrari on there, Magnum PI. But I did wrestle in Florida once under the name Corporal Chaos, so I painted my face with camouflage makeup and all this; I did that one time. But yeah, I just wanted my own name, because like I said, you have to lose all the time. It's really funny the way wrestling works, because I was the guy that had to lose all the time, and there was one time they had some storyline they were working where this one bad guy turned good guy, and the fans were really starting to get behind him. I never really got cheered when I went to the ring, because I was a nobody, but he was getting beat up, so I went in to try to help him and I got beat up too, and so after that, for about a month, people would cheer for me coming to the ring because I tried to help their hero, the star. Hi, I'm over here. Yes?

So you mentioned infosec Twitter, which is something that I've recommended for years for people just getting into security, but there was a data scientist that posted, I think a week or two ago, a little while ago, about how infosec Twitter has actually dropped 87 since the day before Elon Musk took over. I've noticed the big drop in the amount of learning material and connection points in there, and I know that a lot of people have gone to Mastodon, but there's also things like Bluesky and Discord, but there's not really a centralized place anymore like there was with infosec Twitter. I guess I'm wondering, is there any place that you think, any social outside of Twitter, that you could point someone to that is looking for a community of learners?

I think you just really have to get on several of them, because everyone was going to Mastodon, and so several of us from our Dallas DFW hacker community went over to Mastodon several years ago, but it just really never did seem to catch on much. My opinion is to get on Mastodon, get on Threads, get on Bluesky, and just kind of see which one benefits you the best. But I do see that Twitter has been coming back, because all of a sudden, I used to pick up like a hundred, a couple hundred followers pretty consistently, and then all of a sudden that big drop, and it really dropped off, and then over the past couple months I've seen a higher uptick; I gained like 500 followers a couple weeks ago. So it's kind of getting better, but I would say just get on the different platforms. I don't know if Twitter is going to tank, but I think it's a good idea to look into other platforms in case Twitter goes under. And really, don't underestimate LinkedIn. If you know these other people from these other platforms, follow them on LinkedIn; that's one platform I don't see going away for a long time, so I'd say put a lot of effort in there. A lot of people are starting to put more effort into LinkedIn because they're worried about Twitter.

All right, so my question is, you know, the recommendations and how you set yourself up and everything like that, is there any difference between the goal being more of the contractor, consulting, do-it-yourself, get hired for a specific job version, versus the in-house, do it for a company on their product, full-time pen testing?

I guess that's all going to depend on your risk. If you want to go into business for yourself, you could do that, and I've seen several people do that. If people know you're pen testing, they may come to you, because you may be less expensive than some of the big consulting companies. Contracting is a good way; I think sometimes contracting is probably easier to get into than a full-time W-2 pen testing role, plus you can use multiple companies to contract through. I know people that'll contract for multiple companies, and sometimes it pays better, but sometimes you don't get the benefits. But one thing is, once you get the experience, then you can go pretty much anywhere you want to. Starting out, some of the contract roles pay pretty decent, because I know several of those you can find around 100 bucks an hour or so. So yeah, it just depends on what you want to do. If you like being in business for yourself, contract, maybe that's what you do there. One of the things, I've constantly had people reach out to me knowing I'm a pen tester, asking me if I was interested in doing work, so once you kind of establish yourself, then people may reach out to you for that work, or just connect with people in your local community, because not everyone has the 250 to 300 an hour to pay an organization, but maybe doing it on your own, you could charge 150 bucks an hour; they're still coming out cheaper, and then you're able to make pretty good money that way.

All right, I failed at keeping us on time, and we've got to get ready for the next talk, so one more question. Raise your hand if you have not already asked a question. All right, and if you have questions after this, feel free to reach out to me; I'm happy to answer your questions. Thank you. [Applause] All right, we have Career Development next, starting in five minutes.

[Music] foreign [Music] this is not part of the show all right I'm not going to read all of this I'm going to just tell you real quick um I have been in the infosec community for I don't know 15 years or so or so I claim uh started out in recruiting I still support recruiting through way of talent engagement I this fine gentleman and I have uh we keep we keep working at companies that get bought by other companies so uh we started at a small boutique shop got bought by a big company and then we went to another Boutique shop got bought by another company and now we work for I think the world's largest consulting

firm and because they bought a company that we were working for so that's the thing um tell us a little bit about yourself Drake so I'm Drake um I started out with the I.T background did a pivot into recruiting helping out a small company um been there I landed there and just kind of been there since um gained a couple certifications some I.T certifications I have been with the center now two years two years with Accenture but prior to that we've been I've been in the space for over 10 years doing you know Intel recruiting so we both started uh on the I.T side and then moved into recruiting and we have a little some stories that we can

share with you about pivoting into different things if any of you got to catch the last talk which was fantastic by the way there was also stories about pivoting from wrestling into cyber security so it's just really good testimonies of moving into different areas throughout your career I hear a lot from especially active duty service members which is a passion of mine not just because my son's in the Army but who struggle with how to enter into our community and our industry and I hope that we touch upon those things for you all I'm kind of an interactive speaker it would be fine with me if anybody uh thinks of a question while we're talking

and just wants to raise their hand that's fine with me the only person who might not like that is whoever's running the microphone right because we want uh I'm sorry babe because we want the camera to be able to hear you or the people uh watching online to be able to hear you so feel free to interrupt I'm Italian I always interrupt okay so we're going to go through uh we're gonna go through some fundamental things about being a either a Searcher for a job or a person who's just interested in pivoting into different areas or breaking into different areas we're going to talk about targeting that search and also how to kind of stand out as a candidate

we've done a little bit of talking all throughout this day about resumes resumes are important um Drake is literally one of the best recruiters I've ever worked with in my life and he's kind of fantastic at redoing resumes and keeping track of people so if you can connect to him and network with him throughout your journey throughout your path he can help you so a little bit more about networking and volunteering and well you can read the slide so uh on we go all right this adorable thing that I threw in here at the last minute uh I'll tell you why I did it I cannot remember uh how old this is one of my

hiring executives one of my VP's daughter drew this and and sent it to him um and it's her depiction of his career journey and the thing that stood out to me number one the company that we were working for uh was called Novetta and she brilliantly if you Google it the path that she drew here her little her little chart here is based on the uh the Novetta logo so I thought that was brilliant but the thing that stood out to me is that she does she is depicting human connections here she is talking these are little conversations that are happening and then the little lizard or alligator is just confused and doesn't know what to do and is trying to connect

to people and that leads me to this and this is where I'm gonna look at you Drake to help me out but uh I I normally get permission from people before I steal anything that they said but this was on a public um this was posted publicly uh so they were talking about AI which came up in the last talk as well um in fact somebody was texting me during the panel earlier and was like why aren't why aren't all recruiters already replaced by AI if it's just a bunch of keyword matching and uh similar to what uh Bryson and and Jake were talking about here I really want you all to understand the importance not because

I'm trying to save my job because I'm not in recruiting anymore but I really believe that uh networking doing what you're doing here connecting to people and having a human connection a human to guide and help and represent you someone that you can trust whether it's someone on the agency side or someone internal um is is super impactful and uh yeah it is very impactful I believe that as a candidate looking for for an opportunity you should definitely connect with your recruiter and just let them guide you to a certain degree of you know to the direction that you want or the location or opportunity so just having that connection is always a plus because you can reach out at times even

if you don't get the job and say hey um I'm back in the market again I get it all the time like I may reach out someone may reach out to me I'll talk to them six months or nine months down the line and I'll say hey hey John I remember you I got another opportunity opened up so just having that connection is always a plus um LinkedIn is always a good great way to start but again you can do more than than just LinkedIn try you know these events to be sides the meetups the it talks things like that just any to advance your career or switch career you know paths depending on which which one

you just decide to go with but it's always a plus just have that I believe you should always have that communication with the actual human I know they may call us Bots sometimes but still have that connection with us I think it's a plus to get to get you to your next steps to where you need to go so I I referenced earlier uh this morning that your recruiter is like your Jerry Maguire they're your agent they're your person who should care about you and and help you go through all the different stages of what you're looking for so I know that there is there's kind of a a reputation in recruiting and and it

takes it takes a special person to kind of go beyond that where they're like oh you're just trying to they're trying to get commission off of you you know what the internal commit the internal recruiters they don't get commission they have to really care about you and they have to really care about the mission that they're supporting to help match you up in that way does anybody have any questions so far about connecting to recruiters or yep yes it's going to be trial and error when you're building a relationship like any other relationship building experience I was mentioning uh before that imagine if uh when you apply and you think who when are they going to pick it up there's a I

call it the black hole right so I suggested that perhaps uh LinkedIn might be when I think of recruiting might be the best place where most recruiters are active so different recruiters are going to be in the meetups and be at the conferences and be in different places like for me um I have a oh I have I'm embarrassed of the unread emails or messages rather on my LinkedIn sorry but I see it if you send me a Twitter message isn't that weird but so everybody has their place that makes sense for them but if you're paying attention my LinkedIn says don't send me a message here send me a Twitter message so um so they're all different but when I

say trial by error you're going to get you're going to have the conversation and you're going to send the message like I said start on LinkedIn hello so and so well first of all you're going to go this is the company that I saw the job posting and I'm going to search it says look for keyword look for job title whatever you're looking for and you can say okay I saw this Accenture job posting and I'm wondering what to do so you're going to search for um uh job title you're going to see recruiter you're going to see his name you're going to send him a message he's going to respond right and you're going

to say I applied and now he's going to go find your application and I know that that feels like something's broken right um why didn't he already see the application uh it could be based on volume it could be based on the out the applicant tracking system you just got lost in there somehow it's checking all the boxes so hopefully that made sense um so I'm not gonna drain this because you all are capable of reading but I just these are some things that um we're going to touch on in a little bit more detail moving forward and you can reach out to either us of us afterwards to talk more about any of these things

um uh Drake is going to talk to you a lot about kind of targeting you know anybody with an engineering experience experience or any kind of solving a customer's problems you've done at some point in your careers you've done requirements analysis or building or ranking right where you're like okay well what are the problems that we're solving here's all the things uh you're gonna treat your job search or your career advancement problem the same way by building a requirements Matrix right and and building your target search that way and so we're going to do a little when people always tell you that you should do your research on your company they're like oh you should show up to

the interview with knowing all these great facts about I don't care I don't really care if you did that I don't care if you know who our CEO like I don't care I personally that's my opinion but if you go in especially on social and I know Twitter's weird right now and yes I still call it Twitter but there's there's communities that are comfortable in places that are having conversations about their jobs and about their companies I think from a research perspective that's a really good place to discover if this is a fit for you or not if you have any further I think you nailed it okay all right so here's that requirements uh

matrix thing and I take it away Drake yeah so what you're in my opinion so for for a candidate that's looking for an ideal role you're you don't have to be 100% onto that role with all the skills all the years of experience and things like that but if your requirements if you're close if you're about I would say 75% let's just have a conversation let's see because a lot of times the the actual job description it's not giving you what they need it's some words on so in the National Security um lane so they can't say a lot of things so until I get you on the phone I can maybe ask for certain tools that

you may know about or heard about so that's where I I say have that conversation so just you know just it's not 100% matched with the requirements but again if you're close let's just have a conversation reach out to your recruiter or apply to that job if it's close enough the recruiter should reach back out to you first I do think that a lot of times as recruiters don't go through their emails of all the candidates think they should do it more but I mean sometimes it's hard to wake up when you have a hundred emails from 10 people that's qualified so how do you take your how do you manage your your desk what would you suggest if you see

the the job postings uh to be in order to be compliant are supposed to break down everything according to what is required versus what is preferred if you're interested in a position and you don't meet one of those basic qualifications what would you suggest that you do in order to apply and be seen if your resume isn't going to be a point-to-point match what by the way this is someone's earlier questions why AI won't work right because there are people who in my opinion if you are willing and able to learn you're qualified so how do you bridge that Gap right like how how would you apply for the position I don't have a degree I've

never been qualified for the last 10 jobs I had but I got them right like so what would you suggest um just I always tell people just apply to the job do your research um find the recruiter find the hiring manager find I mean research research research find the person that you need to get in touch with send them an email again look at the follow their page on LinkedIn see if they're at a meet up in the area or you know something like that just pop up on them be aggressive with your search to get what you want you have to go after it I mean you have to be aggressive sometimes so and what are the

other paths that people should take besides job boards um again uh meetups these conferences networking just your social network your social network should it should have some connections that will give you pointing in the right directions just utilize all of that use utilize your friends your you know look into the company see if you know someone that works for the company that you're trying to apply to that could be a great way to to to walk yourself in go sign up like if you need a a Security+ go to the schools go to UMGC and and meet the meet the people there just have conversations just be again aggressive in your your search so I have a few uh opinions personal

opinions about resumes and how they can be effective and then I'm going to hand it off to my resume expert but I think for me um as someone who I know I no longer recruit I no longer look at very many resumes but when I did I would get resume fatigue right people would go why are you asking me that question did you read the resume I'm like make it easier for me and never assume that the all the there's a lot of different layers that you have to get through like you might have to get through the first level of screening or you might have to get through some automated screening process that was set up I hate those by the way

inside of the applicant tracking system so I think that the first thing you can do to compel anyone that is reading to keep reading is to tell them I'm a this and I want to be a vet make it crystal clear and be ready to adjust that according to the position that you're looking for so be able to say I'm a systems engineer interested in becoming a Solutions architect now I know and now I'm interested in continuing to read and to look for the you know for the keywords that make you a fit for the position and so forth what else do you think is really important in terms of it in terms of resumes

so I I always tell people please add your clearance to your resume some people say don't put it on your resume all of my positions are cleared so if it's not on there I can probably guarantee I'm going to say I'll put you in the pile to check you out a little bit later I say put your clearance on there that's always or even if you don't have a clearance just put something on there to say I can obtain a clearance willing to obtain a clearance or if you can't put the levels you can say that you are cleared and then that's going to still compel the recruiter to ask you a little bit more questions

Twitter has an IQ of over 75 like I I they should be able they should operative War being should be able to figure out this person had a clearance previously right which is a good thing although I mean we could talk for an hour about clearances sometimes it's easier to get one if you never had one than it is if you're trying to upgrade or something because the process is bizarre um and that's a really good point you know what sometimes you can figure out what the recruiter should be able to figure out and the hiring managers definitely can figure out just based on either your employer if you list them even maybe your location and the type of

work that you're doing um I don't want to give an exact hint because I don't want to say the wrong thing but I'll be like oh they work in XYZ town and they're doing XYZ job it it it seems obvious to me who they're working for let me dig a little deeper and find out especially if you have some specific technical skills or you're in a certain geographical location those that's just that's just extra recruiting right like looking at it and going oh well there and they're in this town or that's where their employer is um you make assumptions in that way so yes anything else got it all right um I feel like it's important to uh when

you're thinking about what those questions are I've seen some bad advice out there people some really makes me sad breaks my heart bad advice on how you should go into an interview I've seen a lot of things trending about um exactly how you should dress or exactly how you should behave or exactly what you should say I kind of feel like you should be who you are right because if you're pretending to be anything other than who you are and that gets you a job it also gets you a job that you're probably not going to be happy in in the long run right um so depending on where you are in your career Journey you may be more or less

you know desperate or eager to land said job but in order for it to be a good and lasting relationship I I highly recommend being who you are the last job I interviewed for my hair was blue so me personally I think I'm on I'm the opposite of that so I believe this that's okay so if you're my candidate and I know that your personality is bold it's loud it's all over right I can tell on the phone if I'm one if I'm not on the phone with you for 15 to 20 minutes probably not going to go to the next steps right relationships you're building relationships with your recruiter if I say to you hey this manager is

really mild and the team is really relaxed and laid back when you interview can you please just scale it back a little bit don't change your personality to the oh the way but scale it back let's get you through the door I believe you should listen to your recruiter and let them you know it's a coaching thing that's just That's My Method because I see it a lot of times I see candidates come in they're not they're the opposite of loud you know it's real introverted I'm like hey man you know I need you let me get a little energy when you get on this call tomorrow you know let's have three cups of caffeine in you

just smile smiling is contagious if you smile while you're on the phone the manager may pick it up and they they may you know just to interaction just try your best and especially if you're doing Zooms you're doing Zooms hey don't be in the background again unless you you're coming out of the SCIF or something and you can just go in a car pull over just say hey um let me pull over I'm in a Starbucks or something so I just believe you should let that let your recruiter coach you to the steps and then you can let your personality out but let's get you in the door if you need if you need a job

that's that's just my strategy you know and I think it's a little bit of both I think I think that's a really good point and I think the key thing there is when you are figuring out like if you go back to the requirements Matrix when you're figuring out what's important to you is is being is expressing yourself and having blue hair the most important thing to you so that's just part of what while you're doing your search and when you're valuing you know what it is you want to do next I think that's a really good point so it's in it is incumbent upon the recruiter to offer to you what you can expect you know in terms of you

know he he knows all of his managers a couple of them are in the room I ain't gonna Point them out but he knows you know what makes them laugh or or cry um so he's gonna he's going to be like I said you're Jerry Maguire and he's going to coach so that's a really good point so then you decide how you want to behave based on what is important to you and what you want to do next how bad do you want it right how do we get there from here nobody's gonna throw a question at me stump me all right yeah

I think I heard you say uh how can you find that right recruiter how can you recruit that recruiter

how can we build that relation what should we look for that's an excellent point I think that specifically in in our community maybe you figure out who's involved in your community who's who's having actual uh valid important conversations with the people who's who's participating who's at the places like you don't have to be a technical expert he went and got a bunch of technical certs I have never done that um but so he can actually have technical conversations with you I think it's going to be based on those things too you're going to look at his profile and you're going to see that he went and got an Amazon cert or he did he did these

things that may make him a more attractive recruiter to you so are these people volunteering in your community are they speaking in your community are they in the places that you're in I'm not saying that they all have to get up on a stage and do things right but I think it matters when you're searching for recruiters um how how much impact are they actually having in your community how much do they actually understand it because think about it if they if they actually have relationships in the industry that you're interested in that's a valuable relationship for you they're going to introduce you to people in fact they're going to say they're going to care about

your their relationship with you and they're going to say and I've seen him do this you know what I don't have anything for you or I can't do this however I'm going to introduce you to some other place and then maybe you become this referrer you know you got it becomes mutually beneficial at that point right so he's going to straight up say you know what you're not a fit for this here's why but here's this area where you can go so he just didn't fill the job but you're going to remember that and maybe six months from now or a year from now or whatever uh when you find out that your friends looking for

something you'll probably send a referral to him and get paid up to twenty thousand dollars by the way I would say use the 15 to 20 minute conversation most of us are brilliant enough to to kind of gauge if we're you know having a good conversation with someone or just a relationship and about 15-20 minutes if you're a recruiter and you're on the phone I'm gonna have you on that phone for 15 20 minutes I'm asking questions I'm drilling questions to you and then I give you the opportunity so again build the relationships just have the relationships I have candidates that literally text my phone okay no no no no so I'm gonna ask you guys a question

real quick and then I'll let you go um raise your hand if recruiters send you surveys or questionnaires before they've ever even spoken to you do you like that I don't know I really don't know um and how much time do they did the recruiters spend talking to you is it a five minute conversation raise your hand did they talk to you for 30 minutes nobody ever talks to a recruiter I'm very curious yes

from there we decide okay yeah let's perfect okay perfect okay so and obviously you guys get paid off of the final product of you know turning the job in what amount of time is really acceptable for you guys to build a relationship where it's almost free working away and also like I've heard people say in the past like oh treat them to a cup of coffee or take them out to a meal how do you feel about that yeah are you suggesting that the recruiter gets paid based on filling the job well I'm saying you get paid based on your final product so like your job is to fill the fill a position if you're

spending your time talking to somebody else you're not necessarily working on filling that position I understand um so it depends on the type of recruiter right corporate recruiters are are not receiving it compensation for filling the position they're does that make sense like they're not they're not on commission um for the relate from a relationship standpoint I mean I don't have to go you know buy coffee for everybody but that's part of a relationship too right so um you can't take all you can't take all the candidates out to coffee but um but it is work worth making the connections and maybe I find out that you're coming here this weekend and I say let's meet up while we're here

you know what do you think yeah same thing I was going to say that um but yeah we don't get um commission off each hire but um we just I would just say you know the the once you have your recruiter working with you if they offer coffee take it you buy me coffee yeah yeah you can buy me coffee all day I mean are you scared are you skilled enough to feel this role will be my next question right I mean it's always a great thing right I mean you'd be surprised um normally the recruiter normally recruiter makes that first this is a dating thing but dating a gesture right so we're reaching out like

hey I'm reaching out it's almost like dating you can I date you today I get a call tomorrow can we go to lunch at 12. this is a cause that's a set of phone screen up so it's kind of a you know uh black and not sweet like my soul um so but but definitely um when you're having the interview particularly with the managers in my opinion be ready to tell stories or examples that answer the questions that they're like a time that you failed or a time that you learned or a big problem that you solved you're the thing that you're the most proud of this this week or this month or this year be ready to

actually answer those questions in the form of a story to make it more of a personal conversation and my favorite thing of all is to be ready at the very end the last thing they're going to say is do you have any questions for us so you want to know about the 401K matching and you want to know if you can purchase stocks and you want to know all these things that are very important especially at the negotiation table but be ready to ask questions that are going to reveal to you this might end up being the most important part of the interview don't forget you're interviewing them so make them into a person for a second

you'll catch them off guard and say why did you end up working here why did you choose this job what have you learned in the last six months and if they're in a management position I think you should ask them how many people that they have promoted or put on a growth path or provided training to on their team

how are you doing on time okay all right so uh if you go to uh if you go to the this is really not a Shameless plug but if you if you do go to Defcon and you do go to the uh to the welcome panel you're gonna hopefully I I won't beef it and you'll hear me tell stories about my first ever Defcon how I did it and but the but the reality of it is it goes back to the the little picture that the little girl Drew and about networking and about making um contributions to the community like when I didn't have anything technical to say or when I didn't have any you know

CFPs that I was responding to um and before I helped you know co-found the Car Hacking Village oh my God nine years ago um before I started doing actual contributions to the community I was reading books I was looking online I was trying to figure out why do these people go to these conferences who's talking what are they talking about who are they connected to and what are the conversations that they're having and can I be part of those conversations right in in a way that is meaningful it was like the beginning of the journey and I think it's probably in our community and I don't know what's going to happen to Twitter I don't know where

we're all going to end up um and yes I still call it Twitter but um it's but but we find a way as a community you know um united by a passion for teaching and learning to have a place that we're comfortable in places like BSides right places like villages um so there are ways that you can contribute even if it's just being a mic runner or getting water for people or there's just so many elements of all the things that you're experiencing this week that uh if you raise your hand people need your help and that's where you're going to network I I will tell stories um also about I met the CEO of the last company that hired me that got

bought by the company where I am now literally at a pool uh at Black Hat um doing jello shots at 10 o'clock in the morning you never know you do not know uh everyone that you're talking to whether it's you're going to learn in talks and you're going to learn at villages but hallways and lines and pools apparently are also places where you can meet either the next person that you want to hire or the next person that will want to hire you so yes CTFs and everything I think we got it on yeah just join the CTFs um I want to tell a story about him since he's acting shy this is his first

talk by the way is he doing great awesome [Applause] so just really really funny so funny story oh [ __ ] oh [ __ ] funny story so I'm going out so I'm working everybody's like you know I'm like I'm gonna go to this conference so so I want to go to a conference because I'm trying to gain some more certificate so a certification with AWS go to the conference I go into a hackathon come to find out look unbeknownst to me I end up winning second place me and my team so it's like when we when I got there I was you know my ex-boss ex supervisor gave me the opportunity she saw something in me she said go after it I

went after it and she's been running from there which gave me a lot of you know training and schooling and I met so many great individuals there still connect with them over the day over the to these to this day um really smart people brought some to the the company um at Defcon I brought some guys just with like some literally rare individuals in the world with the special skill set to the company so um again Network and just have conversations don't be afraid to just start a conversation and um and don't be afraid to take a leap just do it right just jump in and just go after what you want and when you have someone to give you the

opportunity run with it well he goes what should I do at my first Defcon and and you know I was like well you need to go into there's going to be these rooms and they're dark and that's a CTF and well there's there's other rooms that are dark but anyway you're gonna go into the CTF and you're going to you're gonna bring like Red Bull what did I say Red Bull and pizza and you're just gonna offer it to them and they're gonna love and appreciate you for doing that and then somebody got when he got back I was like how was it did you bring Red Bull and he goes um well my team won I'm like really you

had to go all the way but anyway it's it's about you actually making contributions so that's yeah and it was a great well and thank you for um giving me the opportunity so if you're if you and when you were hearing the last speaker talk about uh writing is important writing is all like you can't be a pen tester if you can't write hell you can't get anywhere in our in R there's going to be writing and reports that you have to do in every position that I can actually think of at the moment and the more you advance in those roles the more you have to write so if you don't love writing um yeah and and thank you Jen for

reminding me of that um you should practice that as well um and you can do blog posts and you can get on GitHub and good recruiters are looking there they're looking at what you've written so do that as well and also for even some of the older CTFs we have we can give you some links you guys can just check them out and just you know you can ping me back and say what you found and we get because we do it quite often we have them up we'll just keep them running just to to search for talent that way so even if you're not looking right now just you can get I'll give you some links after you can just

kind of track it for you know future just playing around messing around with it and then let's stay in touch because you'll be surprised um some of the skills that you have meet a requirement that's not even out there right now because a lot some of the jobs that we have we they're just not out there right now but I can put you with them if I know your skill set search for employers that are doing like hiring happy hours and different types of events that they're hosting internally as well in your area sometimes they're doing CTFs at their events or they're doing demonstrations and things like that giving away cool prizes so and those are

great places to network as well you don't have to get hired by the company doing that but guess what the other attendees are like-minded attendees and more networking is going to happen for you there as well questions um I I started to do stories and weird you know um you heard a lot of good really really good stories that I can't top earlier about um taking the leap into doing something that you've never done before is going to be about when you're following that path of doing the networking finding somebody that'll give you that is willing to give you the opportunity to do something that you haven't done before um and I I personally believe that it

and it's a discovery, you know, process. It's going to happen through conversations. If it's just one-on-one matching, and this is why that will never work, many people who have the ability and the willingness to figure stuff out and learn how to do stuff, who don't meet qualifications, are going to be overlooked. I hope that never happens, or the technology gets smart enough that, that, that it won't happen, but that's, you know, that's the human element, and that's the reason why somebody's going to get to know you and they're going to figure out how. The best recruiters on the, the, on our team never recruited before, right? Um, maybe we have people, I have, I have, I

have an infantryman who's retired, um, we have analysts, all kinds of linguists, um, it's just a really, uh, good example of a barista. A barista, that's true, that's true. And you know why? There's a lot of books out there, I can name them, a whole bunch of them, right now, about how to get a job and how to advance in your career, and I don't love them all, but Alyssa Miller's book is fantastic, and she has a whole chapter about why baristas are qualified. You should read it. All right, anything else? By the way, when, um, you're in your either negotiation phase, or you don't have one of the, specifically, a certification that you don't have that's missing, be willing to

start at the conversation with the recruiter first so that they have a heads up: I don't have a Security+, I see that it's required, I'm studying for it, I know how to get it, I'm going to get it. That can actually be a contingency. A lot of candidates don't realize this. There can be contingencies in your offer letter that say, like, you all, every offer letter has some contingencies in it already, like I'm not going to murder anyone, and, or I haven't in the past, but also it can say, and my continued employment is contingent upon receiving this certification within this period of time, and then the company should help you get the training to get the

cert and pay for you to get it, and we reimburse. So if you're looking to gain one, it should come with the censure, we will reimburse for your certifications. Um, a lot of companies do, so, we're the best. All right, I don't think you should ever bad-mouth your current employer. I don't think that your motivation, and this is, this is between you and you, uh, not just what you should and shouldn't say, your motivation shouldn't be that you're running away from a thing, right? Um, your motivation shouldn't be that your situation is bad. Um, there's no right or wrong way. At any point in your career you can make a change. Everything, it should be on the

negotiation table, every single thing. I had somebody, oh, well, Laura, you'll remember this, somebody asked for, like, PGA tickets or something. I'll do that, oh, do whatever you want, like, everything's on the table, right? So, so ask for the things that are important to you, whether it's, you know, I have to be off every Thursday, or I want to be primarily remote, or I want to be half and half, flex schedule. Think about, you know, when you're thinking about just the offer that is interesting to you, you may care less about salary when you think of other things, like, um, our company after 10 years gives you health care for life. What? I've never even heard of that. That's awesome, right?

So, um, things like that at different stages of your career are going to mean more to you than your paycheck, I think. Um, but so everything's on the table. Ask for the world and figure out, sometimes if you don't ask you don't know what they're willing to do. Um, be on the lookout for bad advice. I literally, yes, go ahead. Excuse me, phrase that, whoever mentions numbers first loses. Like, how do you, how do you enter the contract negotiation, how do you ask for the right amount and get the right amount? Sure, that's a really good question. The question was, um, it's not advisable to start with salary. Um, I don't think that any conversations,

or I personally don't think any conversations are a waste of time. So if you're going to end up asking for a million dollars and we had a conversation, I don't feel like you wasted my time. We still had a conversation, it might be valuable to one of us someday. But I think you should bring it up early on, right? But remember to go all the way back to the requirement slide and think about all the things that matter to you besides just a salary. Um, so think about the bonus structure, the performance bonus structure, whether or not they offer sign-on bonuses. Sometimes you don't know unless you ask. Sometimes it can be a phenomenal bonus.

Think about if they have ESOP or ESPP and what their 401k matching is. There's a million things. There's training, there's whether or not they will pay you, uh, one, two, three, four, five, seven people in this room are being paid to be in this room by their company. That's cool, right? So will they send you to conferences, will they pay for your certifications? Be thinking about all the things, but don't be afraid to say the actual real number. And I personally think you should answer the question like this: when the recruiter says, what salary are you looking for, you can answer it two ways. You can say, what is the range, or what is the max,

flip the question on to them, and, or say, here's what I've been seeing, right? And there is a, somebody reminded me earlier, it's called, I think it's called a Pay Transparency Act. They put salary ranges, they're supposed to, on the job postings now. However, don't be afraid of those numbers, and when I say that, I mean, um, they, they're required based on the job location, and sometimes you have to put a specific state in there, you have to put Colorado, you have to put whatever. Don't look at that number and think that's the, the end-all be-all. It might not be, considering, again, all the things we talked about, like sign-on bonuses and stuff, um, aren't going to be captured in that

number, and neither is, um, clearance premiums, if you have one, right, or if you're willing to obtain one. So there is the ability to earn greater than what you see in that range. That's very, it's very regulated what they have to put in there, so don't be afraid, don't be afraid to apply for a job because of what you see on that number. It's very regulated what they put there. So I hope that makes sense, and sometimes you can go over that number, so don't think that that number is the, the end-all. Um, again, depending on the role, you can go above that number, so don't be afraid to ask for it if you want that. If you

know you have a certain salary range to make you stay, ask for it, and then, then I think it works, it works out better. It might be, I don't think you have to apply for everything. I think you can start with a job and then you make that connection, and then you let that recruiter know that you saw multiple other jobs, so don't, I don't think you should go to XYZ