HG - Failing Upwards: How to Rise in Cybersecurity by finding (and exploiting) your weaknesses

BSides Las Vegas | 56:14 | 201 views | Published 2022-09
About this talk
HG - Failing Upwards: How to Rise in Cybersecurity by finding (and exploiting) your weaknesses - Wes G Sheppard Hire Ground @ 11:30 - 12:25 BSidesLV 2022 - Lucky 13 - 08/09/2022

Welcome to Hire Ground. I'm Kathleen Smith, "yes it's Kathleen" on Twitter. It is just so exciting and emotionally inspiring to me to see this room filled. Um, wow, I promised myself I wouldn't cry. Anyway, um, I started this seven years ago because I'm in recruitment marketing and I knew that the conversation was not happening in a valuable and safe space for people in our industry to find a job. So I asked a few friends to come in and do resume review and career coaching, asked a few people to do presentations that would help you with your career, and now, over seven years, it's grown to a full room. Wow. So let's talk about failing, because we all know that we hate to fail. God, I hate to fail. I'm the eldest of five kids, I hate to fail, I have to be perfect all the time. But you know what, failing is the best way to learn, right? Yeah, pretty much. Okay, so Wes is going to talk about failing upwards in your career. Let's give it up for Wes.

So for those unaware, uh, my, the previous speaker did not drink his water, so I have bonus water. No, no, no, my water, my water. Anyway, so yeah, so thanks for coming to this talk. Uh, you know what's kind of fun is, um, when I was looking at how to do this I was looking up like presentations, like surely someone's talked about this before. No one's presented this yet. As far as I'm aware this is the first time anyone's presented how to fail upwards, so everyone in this room is a trailblazer today. So that's, um, that's news, right? That's pretty cool. Um, and everyone can hear me okay? Yeah? Cool, all right. Just for that. Okay, so, um, one more thing to know, and this is, uh, this is, um, just a little bit, a little bit of a warning, um, as I spent far too much time on real cringe inspirational stock photos. I spent real time on this. I'm sorry, I'm sorry in advance.

So, failing upwards. Let's try this out. Let's start with who am I. Um, my name is Wes. Hi, how you going, hey. Uh, so, you know, I kind of move around a lot. I currently live in Canada, not Canadian, um, but before then I lived in the Netherlands,
Japan, China, United States. These are places I've worked and lived, uh, for the last, uh, 15 years or so. Um, also New Zealand, UK and Belgium, and for a tough from time to time I, it's, that's a story on its own, honestly. That's not this talk, that's another talk. Uh, but it's, it's just kind of what I do. Um, my current role, what I do these days, is I'm currently the chief security officer for a company in the, in Toronto, called order grid. Um, I'm also a data privacy advocate. I work with the, I try to do what I can for Electronic Frontier Foundation. Uh, feel free to support them a lot. Oh, sorry, I feel, oh yeah, the fan, yeah, that's, that's my competition. Yeah, okay, I'm stepping forward so you can hear me better. So anyway, yeah, um, and I'm all, and I'm also a hacker as well. Um, I put that on my professional list, not that I hold that title, it's more that that actually helps my job, that actually helps me do my job, so it's kind of what I do to help the main gig, so to speak.

Um, on the personal side I do lots of running, I do weight training, um, I play lots of video games when I have the time, I walk around the world sometimes, and I also hack in my free time. My current hobby horse these days is RFID badge cloning. Who thinks that's cool? Because I think that's, yeah, oh, so many friends, yes, okay. Um, so, and then, but why am I like this? Um, I like puzzles and I seek novelty, that's kind of the short version. Uh, also anxiety. So that's enough of me.

Um, before we start on this though, just a few things, just kind of level set and manage expectations a little bit. Um, I'm going to start with, by explaining, by clarifying what is failing upwards in the first place. Um, I'm going to tell you my story. I'm really sorry about that, you're gonna have to sit through my story to hear how to do this thing. Um, and I'm gonna set some scenes for you, set some mental space on what mental angle you should find yourself in if to try this out. Uh, then we're actually going to get to the steps on failing upwards in the first place, um, and then we're
gonna do some final, final words as we go. Um, and this is a really, like, long presentation because it's really nuanced, and I'm sorry for that, but, uh, if you want to ask questions, feel free to. You're going to dislodge me a little bit, but I promise you're also going to put me back on track at the same time, so feel free to yell things out, "hey, you're wrong", please do. Um, that's gonna help, that's, help me focus, bring me up to speed.

Some assumptions. I'm expecting that everybody in this room has, you want, that you want to get ahead, and that you know where you want to go, and that you have some idea of the job you want to have. Um, this is largely based on the idea of rising into management, because I think we all kind of at some point decided we don't want to be on call anymore. So yeah, uh, it's kind of like that. Also, I'm making another assumption, which is that, uh, most of you are already inside the, uh, IT or security space already. If you're breaking into the field this is also applicable, just less so. And, uh, then also one, another assumption is you have, is that I'm assuming you're willing to get weird. Okay, yeah, yeah, perfect, perfect.

Um, some disclaimers. Your mileage, your mileage may, your mileage will vary. Your mileage will vary because this is a very nuanced subject, it's very personal to every person. Uh, the reason why I'm telling you my story is because that's how I can give you examples. It's going to be different for everybody. Another thing is I want to say out loud, I see my privilege. I recognize that I am cis male, I recognize I'm Caucasian and vaguely tall. These things do contribute to this, they do, uh, to the success that I've found. That said, the reason why I'm talking about it in the first place is because I have seen people who are ethnic minorities and gender minorities do the same process, again, just like me, accidentally, because I don't think anyone tries to fail upward necessarily, until tomorrow, right? But in any case it's almost always accidental, and I've seen people who are not like
me also succeed this way. And this is, and just a bit of a warning, this looks easy and is hard. By the, by trying to go through this process you're basically putting yourself in a position of vulnerability as a means of succeeding long term. You're putting your stakes up high. I don't expect anyone to risk their jobs over this. Another thing I want to say out loud, but, um, the way this works is that you're going to have fun with it, and I mean that. It really helps to have a good time doing this, because that's going to sell the charisma, which is going to get you there in the first place. So that's a lot of disclaimers. I talk too long.

Let's discuss failing upwards. What does that even mean? Well, if you look it up on Google these days it looks like this: "to advance in one's career despite failure". And you know, the thing is, that's, that's, that's not exactly the thing I'm talking about today. That's not exactly the process of failing upwards. If you've ever had a boss who is just like, how did, how are you managing me, you know, he failed upwards. He, he found himself in a role that he is not trained to do by doing a job, this, by doing a job above his, above his rank too long, and somehow he, somehow he's managing others. That's this sentence, "to advance in your career despite failure". That's career resilience, not failing upwards. There's a very big difference here. That's not what I'm talking about today. You can, you can be, you can be strong and powerful and employed, but what we're talking about today is how to rise.

So, but why would you fail upward? Why not just go the normal path and work hard and get promoted? Because it doesn't work. It just doesn't work. There's no reason, not one reason, a manager has to promote you for a good job. They are literally disincent-, disincentivized at every single time. How many engineers, analysts in the room, like key stakeholders in the technology level? Yeah. So I'm gonna guess each one of you has been told you're really important. Yeah, yeah. So the trick is, is that if you, why
you would want to fit, why you would want to fail upwards is because that's a, because you want or need to get an advanced job. Maybe you have bills to pay, maybe you've got, maybe you've got, maybe you've got goals, you got that, like, eight mile energy on you. Um, you know, good employees don't usually get promoted. Frequently they do, frequently they do, but it's not guaranteed, it's really not. And managers, if you're looking to rise into management, what does a manager do, truly? I mean, they have job duties, but what does a manager, what does management quality even mean, right? And there's, you can, you can, I mean, can anyone give me a manager quality? Babysitters. What else, what else? These meetings. Meetings, yes, yes. What's that? Carrot and stick. Yes, carrot on a stick, even better, do it, double it up.

This is a special request. Thank you, thank you. This gives me strife. This is, um, I should explain it, shouldn't I? Absolutely. I did not expect you to do this, thank you. I made a special request when I submitted my talk, uh, to, can I please have a giant picture of Princess Irulan from Dune in 1982. I am, I, I, this, this gives me strength. Thank you, thank you very much. I need, yes, oh my God, this is a great, thank you. I'm gonna, I'm gonna put it right here where she, angling a little bit so I can see her. No, I can't, you know what, yes, wonderful. I did not expect this. Oh my God, that is incredible. Never say BSides doesn't take care of their speakers. That is incredible. Thank you, thank you, thank you so much. This guy, this guy, thank you very much. What the hell was I talking about anyway? Did I tell you the, okay, so Dune 1982 was a real classic, but it's really, no, it wasn't that. Um, let's move on.

How do, but, but the mechanics of failing upwards, let's talk about that. Um, how does, how does failing upwards work mechanically? Like, what is the process of failing upwards? Um, I'm going to go into a greater depth on this, this is just a bit of a summary, but the short version is counter signaling, which in this case, actually, bigger summary,
it's, uh, subtle emotional, um, subconscious cues that you get, and there's also social constructs, like, um, which we'll get to in a moment. So things like counter signaling, which is, for example, to say something negative to indicate positive, or to, uh, bias for action, you know, just doing something is better than doing nothing. Um, cronyism, frankly, that is the x, that is the attack surface we're talking about today. So cronyism, how do you break into it? It's exploitable. Prin-, and principles of influence. Uh, any social engineers in the room? Oh, see, I figured you would see that, that much style, no, that's a social engineer right there. So right here, the social engineers are going to recognize the six principles of influence. I'm going to reference three of them, which in this case is reciprocity, I give, you give; uh, social, social proof, we, uh, we all approve this; or likability, because frankly that's needed. Um, and I just want to apologize in advance, because the one thing that I really wanted to spend time on, and I can't, is how to, how to build your charisma and your communication skills, because that is how this comes together. I'm sorry, I have resources at the end, at the end of the presentation, but we're just gonna have to take me on faith that that one matters. So sorry about that.

That said, is it really, truly a thing people still do? Is this, does this happen all the time? As a matter of fact, it does. Um, two articles ten years apart. These are things that actually are still subject matter today in business circles. Uh, it is extremely normal to find people failing upwards. People are seeing it as a problem because people are getting into jobs that they're not skilled to have, but be that as it may, uh, this is actually a really, really normal thing to do. Every company experiences this, every company deals with this. This is in fact a way of business that goes back as far as corporate life does. So take me on faith on this, believe me, there's lots of examples of failing upwards. Now let me go through, let
me go through the boring stuff, then we'll get to the interesting stuff. So I gotta tell you this for, for the reasons of giving examples. Here's a, here's, here's kind of how I got into this and how I failed through this process.

On the childhood side, you know, I was, I was into geek stuff, you know, video games and movies mostly. Kind of was the audio visual guy from my family, small hands behind the TV sort of stuff. And, um, and I also, in my free time, I, I messed with my Game Genie. It was a man in the middle device which allowed you to input new codes into games and change the gameplay. This guy knows what I'm talking about. Game, GameShark is good too, okay, that's, that's PlayStation era, I like it. And, um, and so yeah, but, uh, so I went, so I, and I was like, and turns out old TVs, older CRT TVs, turns out you can brick them, um, by playing with the settings too much. So, fun fact.

Um, teenage years, I got into martial arts, that was helping my anxiety a lot. Still lots of geek stuff, but now I'm into robotics, now I'm, now I'm, now I'm like building stuff, and I'm social engineering. I did not know that's what I was doing, but that's what I was doing. In college years I was into politics. I, I flunked out of a double major in politics, in fact. Um, then I got a degree in education. I couldn't quite pick a lane. Um, and in my free time I was jailbreaking iPhones and writing a cyberpunk novel, um, still, still in progress.

And, um, and then early career, I, you know, while I'm flunking out of your university I figured I'd pick up some retail, hospitality work, you know, just kind of pay the bills. And while I'm doing this people keep asking, "hey, Wes knows that, Wes knows that, he can fix that". Um, because it, at no point in my entire childhood did I connect that I should probably get into technology. Not once it had occurred to me maybe I should pick up tech work as a, as a profession. Um, but I finally, eventually did, crawled my way into that space, um, starting with a job in China. I was a technical pre-sales in China. Now, uh, for those
less aware of the way China sells to China, uh, there is a, there's a, when you do a business conference and you want people to see your business as prestigious and international, even if it isn't, uh, you hire a white guy to stand there in a suit and be Caucasian and white in your booth. I was a booth babe for about a while. Um, "no, no, don't talk, don't talk, you're not supposed to talk, do not use your terrible Chinese on your customers, um, stand there and be Caucasian". Uh, but in my free time I learned some of the technical stuff, and that kind of, but I was doing that to move to China, to move to Japan, because my goal at the time was in education, to be a teacher in Japan for the rest of my life. You know, that worked well. Um, I went back and forth and back and forth for a while, and I was doing shadow IT the entire time, and it finally occurred to me maybe I should get into IT eventually.

So I, so I pick up this basic IT job, tier one help desk, at a foreign currency trading, foreign currency exchange company in downtown Tokyo. And, um, yeah, so there's all that. I finally, it finally, I finally got there. I got like all they, you know, I can finally, this is my job now, now I can fix things all the time. And of course everything's broken, so I see everything needs fixing. So I started off with help desk, and then I see that no one's working on the data centers, I think of some data center work, then I then move more sysadmin, that, it morphs into data center administration, IT risk management, IT compliance, um, uh, multi-data, multi-data center administration, project management for the Asia Pacific region.

Um, I burned out. I burned out real hard, just like university, only much harder. And, uh, there's a, there's a separate and parallel lesson to that, which is that if you're gonna burn out, just before you do, let go of some of the things that are keeping you, and that, that you can actually, like, not burn out as hard. So holding on to everything is how you burn out faster. So, pro tip. But anyway, here's where the failure
really kicks off, is I, I burned out so hard I had to fall back to the United States for a while, and I picked up a cloud sysadmin job, uh, just something kind of basic, just get the job done. Um, it was easy to get work, as engineers in the room probably are aware, um, especially when I was doing literally everything for this company for, like, a period of six months. And so, but they hired me to just basically kind of be there, but it kind of occurred to me, as I was in the process of helping with their cloud migration and their, and their, their systems administration for AWS, it occurred to me, I'm not great at this. Like, I am mediocre, truly. I am, I am unexceptional, and they, they did not hire unexceptional, they, they hired this rock star from Japan. Uh, but no, no, I'm basic, I'm like super basic, really. Um, and I was tired. And so as I was tired, as I was trying to figure out how to go about this job that I've signed up for, that I, you know, I liked, I loved technology, and, um, what do I do, what do I do? And so it's like, "you know, you look really pretty tired, you want to just manage the content delivery network? No one likes that." Um, and that's true, no one likes, no one likes CDNs, no one, not a one. Um, and so I, I liked the, what I liked doing was fine-tuning the WAF. I'm that kind of nerd. And, um, and it kind of got me into doing security, cloud security administration, to a lesser degree, very beginning of breaking into this, into the security space. But the pattern here, I think you're going to start to see, is that I, I kind of over-delivered over here and under-delivered over here, and they just kind of moved me a little bit, right? That's kind of the, the pattern is starting to form now.

That, now, here's where the task fails successfully. Um, around 2016 it occurred to me maybe it's time to move overseas again, no particular reason, and, um, I moved to Netherlands. I picked up a platform engineer job, and at that point it was, at that point about six weeks in, my boss at the time, I talked to him, they say, I talked to my boss
and I said, I, I, I say, um, "you know, no one's doing the security stuff in, for this team, should someone do that?" It's like, "can you do it?" "Yeah, I can do that, I don't mind." Uh, so I got my first security-ish job, you know, in 2016, not that long ago. And, um, at that point they, I look around, I say, well, how exactly do I secure this company? There's never been a security person. There still isn't, I'm kind of not it. And it occurs to me I need to do everything again, just like in Japan, only this time I got to do it from scratch. So I got to work. I get to this, I, I go to these meetups after work and I go to conferences like this and learn about security from, from zero. Um, I equate my, I acquaint myself with the words and the terms of the people that are, would be my peers, and I start kind of like just picking services and technologies off a shelf, and I shove them into a box and make a presentation out of it, put it to the CSO and the, the CTO. And, um, and I just, I do everything. I do the policy, the design, the architecture, the everything but the implementation, because I told you I'm a mediocre engineer, right? Mediocre, truly. I had help putting in place, but I designed it all. I designed it all, I organized it. Um, I set up the, set up incident response, I wrote policies, procedures, the governance. I, I chose my bosses off a shelf, off the org chart. I wrote it all up, and I didn't ask permission, I just started doing it.

Um, and I was also, what, because I was a mediocre engineer no one expected me to do much more in the job I was hired for. I was doing my on-call rotation, I was making sure the uptime was good, I was okay at my job, but I was also building security from zero. Um, and so that's when, that's when it truly failed, that's when the fail upward truly occurred, is right after that. Because, um, at certain point I finally, a new CISO shows up, and he takes a look at what I built and he says, "hey, I see you've built a lot of stuff." It's like, "yeah, yeah, I'm really glad you're here because we got a lot of work to do." And, and he's
and he looks and he says yo