
Say Hi to the New Guy: How Diverse Backgrounds Can Mature Your Security Program

BSides Knoxville · 2022 · 53:14 · 63 views · Published 2022-05
About this talk
Ross Flynn argues that security teams benefit from hiring professionals with non-traditional backgrounds—teachers, truck drivers, counselors, and entrepreneurs—who bring fresh perspectives, problem-solving approaches, and soft skills that traditional infosec pipelines overlook. Through personal examples and case studies, he demonstrates how diverse hires accelerate learning culture, improve stakeholder communication, and address emerging security challenges that require critical thinking beyond technical credentials.
Original YouTube description
In a sea of candidates, why should you consider hiring a teacher as a SOC analyst? In what world would you hire a salesperson as a pen tester? As the need for more holistic security professionals grows, the Infosec field has a unique opportunity to address security concerns by leveraging the unprecedented number of converts from seemingly unrelated fields. The bad guys will always continue to develop and evolve their techniques, so strategic organizations are finding success pulling from more diverse backgrounds. Fresh thinking and function-specific experience can help these diverse defenders protect data and the basic human right to security and privacy. Let's talk about the influx of new blood, strategic positioning, and how qualified professionals from other industries can leverage their experiences to benefit your security team. Session attendees will leave with:
1. Advice on qualities to look for when searching for non-traditional team members: what can we give HR to help them help us find the right people?
2. Tips for supporting employees with non-traditional backgrounds in demonstrating their strengths
3. Real world examples of diverse backgrounds uniquely benefiting security programs
Transcript [en]

ross flynn presenting say hi to the new guy how diverse backgrounds can mature your security program how's that oh whoa how about that that's a world of difference did you hear even in person we're still on mute i like that um i appreciate the the patience with that um so the the first comment i got on this was this is exclusionary uh so i want to preface i'm in no way saying this is exclusive to guys i don't know if that needs to be said but guy rhymes with hi and i thought that sounded good the other thing i want to say is that during this presentation i'm going to make a lot of comments about people that

come from non-traditional backgrounds the value they bring i in no way want to portray that coming from a traditional background in this field is any less valid any less needed it is very very crucial and it's how we've gotten to where we are what i want to present today is just a new thought so about me uh i don't usually like to talk about myself but i think it's important for me to say a fair bit about myself so that you understand why i'm so passionate about this um a little bit of me as a person uh my my beautiful wife sarah she could not come with me she has family in knoxville and unfortunately

couldn't come with me but um she is a second grade teacher god bless her for raising up uh and teaching our future generations i love hot sauce so much uh so much so that i started a hot sauce company and in my free time myself and two other gentlemen uh run a hot sauce company and if you don't if i'm not doing something in this field you'll probably catch me making sauce or bottling sauce or any of the various things that come with owning a business um escape room expert i've done 20. i just love them i can't say it it's a big big claim but um and then i'm an avid sumo fan a lot

of people in the u.s love football i'm just i'm a little obsessed with sumo right now if you're interested they're in their second tournament of the year right now just google sumo and it's going to be one of the first things that comes up i want to release this field i got some credentials some people like the letters some people don't i think they're they're fine they've definitely helped me get to where i am at this point because as you'll see i have a degree in crisis counseling i have a lot of non-infosec related history starting from the bottom i was a dorm mom for a period which meant that i had a house of 16 international students 15 of

them from china one from south korea and my role was to make sure whenever they got home on the bus in the afternoon i was already there we would get them all their stuff put away if they had chores to do i had to make sure they did their chores i started cleaning the house before they got home i cooked their dinner we had some time group time to discuss uh what the day looked like what do they have problems with their homework all of that and then we had like a game time at night and then i made sure they were in bed by the right time and someone came and uh took over for me so

i did that for a while i was a truck driver for the longest time i said that i had more truck driving and moving experience than i had infosec experience for a good several years because throughout college and after i worked as a truck driver for a moving company several moving companies i hate moving like i'm sure many of you do i will put my numbers against yours any day i have done more moves um it's it's not a life that i would wish upon anybody but i give a lot of credit to anybody that has come from that and i will tell you that that has been one of the driving forces in my

work ethic i was a logistics coordinator for a company called tough mudder so it's a 10 mile obstacle course we would go to a site i actually did one um i think it was in just south of south of nashville a couple years ago and i would go there and make sure that the site was set up i worked with djs vendors etc and then made sure all the participants had a good time so i was responsible for coordinating a lot of that and then the most interesting one that a lot of people like to or that i think has really helped me in this field is my family counselor experience i was a family preservation counselor in

the social welfare system i spent several years doing foster care recommendations family preservation counseling i would go into a home when we got a recommendation from the county if there was an issue in the home that the child wasn't safe there weren't appropriate boundaries then my role was to assess the situation if i could help them build the boundaries help them build a safe foundation and if not i made foster care recommendations and as you can imagine it was very emotionally draining i had a a lot of burnout in that period and it made me re-evaluate what i wanted to do with my the rest of my career so through some friends mutual mutual friends family

this field was introduced to me and i will tell you the beginning i had no i.t experience i had to have my friends help me download video games on my computer because i couldn't figure it out so there was a steep steep learning curve for me going from nothing to learning this field but what you might find more interesting is my infosec history i actually started off in cloud security i was learning more of the compliance side than the it side i had learned the basics of networking at this point through a lot of self-study the basics of how an info or an organization might run and i started in cloud security looking at cloud service provider

self-assessments and reviewing them against the cloud security matrix i moved into a fortune 200 on their security team doing identity and access management moved from there into internal audit where i got into more more compliance more SOX auditing and understanding where does um where does everything fit within the larger scope of the business and then went on to risk management within that same organization so there's a lot about me um i generally don't share that much but i think it is particularly relevant for this talk um but about me now i'm a manager for a cyber security cyber security firm Echelon Risk + Cyber we're based in the pittsburgh area so i flew in yesterday i

got to spend some time here we we have three main pillars of our organization three service lines we have our offensive security and testing where we get to work with some of the most talented pen testers i've i've come across i'm constantly impressed with the new ways that they're coming up with to uh to phish our our clients to getting privilege escalation they're they're just incredible i get to do some of those pen tests sometimes the bulk of my time is on our audits assessment and compliance side where i'm performing risk assessments we work a lot in the regulated space highly regulated with gm i can't can't speak glba um hipaa i do a lot of cmmc business

continuity dr uh all the fun stuff and then our defensive security engineers are um helping with the the hands-on making defensive decisions and helping organizations figure out more of the traditional blue team side then all of that gets wrapped up in our vCISO service where we help the organizations develop a roadmap and we help them reach their goals throughout the year so the question that i i wanted to really address before we even got started is why does any of this matter we have a lot of qualified people already in the field we have a lot of people that um already know what they're doing why should we consider people that are coming from non-traditional backgrounds

one of the first things that came to mind is the fact that there is there's a lot but there's not enough in infosec we are looking at the depending on who you ask a several million position deficit the need is constantly growing in our field and we're only projected to continue growing i think 20 28 percent uh by 2026 we're just going to continue growing the rate that college graduates are coming out right now with degrees that are related to our field is not sustainable for getting us into a place where we have what we need to defend our organizations so i think this matters for a couple reasons one that we have a lot of

applicants coming from non-traditional backgrounds we're going to i'm going to dive into why i think that is but even right now i'm hiring for a couple positions and i keep seeing more and more people like me people that came from something that wasn't traditionally seen as part of i.t or part of infosec but when i think through and i look through what their experience is i'm seeing a lot of value and elements of what they've been doing but we're going to continue getting these these applicants that are coming from different backgrounds another reason i think there's a ton of great experience out there we i mentioned some of what i've done i'm going to share some stories later

about how people have leveraged their experience and made it valuable to the organization and bolstered the their security posture through it there's great experience and as i said we need good people we need problem solvers we need critical thinkers we need lifelong learners because this is not a solely technical field anymore infosec is so interdisciplinary it's no longer well we can just set up firewalls and SIEM and things will be fine it's we have to talk with risk we have to talk with compliance we have to talk with communications we have to talk with finance there it is touching every aspect of the organization now and we need to have an interdisciplinary mindset whenever we're

looking at it so i put together this this agenda this is basically what we're gonna go through i didn't think this jacket was gonna last long and it's not

this is what i'd like to cover with you guys today if you'll uh if you're you're here for the ride why are people switching careers i think there's some some uh good reason i think infosec is particularly appealing whenever people look at something else to do we'll talk about that people are quitting jobs at an alarming rate right now um we keep hearing this great resignation there's a lot of people that are leaving their roles and like i said the scope of cyber security continues to grow it's it's no longer just the the little silo we're touching everything i also wanted to talk today about what can people with these non-traditional backgrounds offer what should we be looking for with them

while we're interviewing while we're we're talking to colleagues what are the qualities we should be looking for and then how do we support people industry transplants as i like to call them how do we support them and best leverage them when they are in the organization out of curiosity a show of hands how many of you came from what you would deem a non-traditional background it's a fair amount i love that that i feel camaraderie with all of you because i think that you you know that there's a you might relate with my steep learning curve and you might relate with some of my struggles the imposter syndrome which i don't think that's solely people coming from different

fields i think we all feel a level of imposter syndrome but it it really sets in for me because i traditionally i came from a non-i.t background so to get started why are we getting these applicants well there's a couple reasons i think you know you talk to a sociologist and they may disagree but what i think we are seeing unprecedented career transition uh it's not just our field it's in a lot of fields i think the covid pandemic was a very clear catalyst we we start seeing our employees that are expecting remote work we start seeing a lot of the world wants remote work because we've seen that it works and there's now this struggle that

organizations are going through trying to go back into the office because as we said there's two 2.7 million roles in this field that are unfulfilled if you're trying to push somebody to go in the office there's 2.7 million other roles they could go try to fill so organizations are just facing this cultural cultural divide what is the right move for us but from the side of being the employee i mean remote work is nice for a lot of us some people really love it some people they prefer to be in the office but we've kind of lost the integration the what's the right word the division between home and work life we have this integration where

you know a good example is my day i might start at 7 and work until 11 and then grab something to eat and work out and run an errand and then start back at one and work until 3 30 and then i start i do another errand i have to do and i get dinner started and then i jump out going at seven and i work until nine or ten and there's this loss of uh the the division or the the separation of work and home life which i think there's good and bad to that um i think i see there's some some concerns because it makes it very hard to have a balanced life but i think

there's a lot of good because it does allow us to have flexible work schedules and live a life and do what we need to do um so i think the covid pandemic it highlighted a lot of that and it made it almost the expectation now another reason is societal changes like i said we have this great resignation people are leaving not only other industries they're leaving our industry for another role because right now it's it's hard to get a raise or a salary compensation modification unless you go to another company which is just the truth right now i think i have seen some organizations that are trying to combat that but it's tough um so i think societal change is where

we're kind of expecting now that people might be leaving we had this four and a half million people quit their roles in november of 2021 not our field just in general and that's a record number that's the most in the last 20 years we have not seen numbers of people quitting like that part of that i also think is the the level of emphasis put upon degrees the federal bank did a study to see how many people were actually using the degree for which they went to school and they found that 27 percent are which means that's awesome for those 27 percent that we have 73 percent of our labor force that is not using the degree they went

to school for and so you have people like me and you have people like some of you that went to school for teaching or you went to school for finance and now you find yourself here so i think that's that's part of why we're seeing people change is we are almost innately led to believe that our degrees right now are not as valuable as we thought they might be and then we're seeing rollback of requirements there are organizations that are no longer even requiring a degree to get into this field which i think is stellar i think there's great experience out there that is being ignored because we don't see an associated degree the rollback of some of these

requirements is a great move so why do people choose this field what is it about infosec that people are enjoying and i think it's obviously because it's the best job in the world yeah i i i um this came up in a conversation a few weeks ago in a team meeting somebody googled best job in the world and sure enough information security analysts came up so i i couldn't i couldn't not include this but i think there are some very real things and i'm happy to tell you what drew me to this field the first one is the accessibility of information we have resources like youtube and pluralsight and udemy and a humble bundle and there's there's so

many ways for us to learn facets of this field and learn the basics of this field that other other fields don't really offer i would say as an example if i wanted to advance in my career as a counselor my next step was to get my masters i had to get it in social work or counseling something related and then i had to go through internship and then i had to go through licensure and i went through all of that i put myself in this i would go through this immense amount of debt to have this degree that then i have to fight to actually continue using um because there's there's an abundance of that role and then the other part is uh

the salary i mean when i looked at what i could potentially earn in that field compared to what this field thankfully does offer in a lot of sense it was almost a no-brainer for me if i could start to learn and really push myself to study from the youtube from youtube watch the videos like uh NahamSec and and John Hammond and uh null Kody Kinzie and Null Byte i i grew up or grew up in this field watching those guys and learning from them and it gave me so much so much uh insight into what this field really looks like and what i can do in it so i think the accessibility is to me

the biggest reason uh credentialing it's so much i hate to say easier but more cost effective and um uh beneficial i would say that's that's a little risky but definitely more cost effective to work on certifications and work on classes and work on courses in this field rather than investing in another degree in in another field that like i was saying i was coming from the counseling side it made more sense to me

that's exactly it it's so much more time effective i could spend three months studying for my ceh and pass that when i could spend three months in a semester getting my master's and in social work and get through one one semester right and so i think the credentialing is a massive part there's just a lot of opportunity in our field for people to show that they know they know what they know without having to bring in additional work that said i think there's a lot of value to masters and future education further education doctorates whatever may be additional degrees in this field but i think there absolutely is ways for you to move in it without those additional

credentials the perceived stability was another one for me everywhere i i knew nothing about cyber security but man i heard about it on the news and now being in this field you know you hear ransomware attacks every other day you hear um this this hack happened and we're in the public eye all the time everybody's hearing about the field so there's this perceived stability in the in this projected growth that we are expected to as i said continue growing and those are real draws for somebody that's at a precipice of what do i want to do for the rest of my life we also talked about how interdisciplinary this field is this a lot of people that i've talked

with have done associated work they've worked with the business they've been a part of the business and they have worked with i.t in their cyber security infosec in some capacity in compliance and now they want to do it because they found it cool that's the last one it does sound cool everybody you watch mr robot or you you watch one of those the movies where there's a hacker sitting in a keyboard i don't know if you guys have ever seen i think it's csi where there's the two hackers one keyboard video like it's ridiculous but it looks cool so i think that's one definitely one of the things and then finally the breadth of options this gets updated every couple

years it's from Henry Jiang over at diligent and every couple years he does these cyber security domains and each time it just gets bigger and bigger and i get more excited when i see these because there's so much room to grow how can i get bored when there's so much room for for us to grow in here get all excited when i see it and the nice thing is that we as infosec um professionals we're not pigeonholed to any of this we can't be pigeonholed to any of this because we have to be interdisciplinary we have to be thinking about multiple levels of this so i think those are some of the the main reasons why people really want to

come to this field and then the other side of the the coin is well what can these candidates offer because we have traditionally hired from the the the normal background you know you come up in a computer science degree or you come up in maybe even a cyber security degree now we we have these candidates we've traditionally going been going to but i think that there is something that non-traditional applicants can provide so the three that i i came up with um were perspective that's the easy one everybody says well they have a unique perspective well what does that mean i'm we're going to jump into that i think they provide a cultural impact we so frequently talk about well is this

person going to fit the culture i think we need to be asking is this person going to improve the culture culture right now especially when we're doing so much remote work when we're doing so much that we can't be face to face the culture is going to be what keeps a lot of our people interested and relevant in the field so finding people that bolster your culture they don't just fit but they make it better i think is key and then i want to talk through the qualities that people i think people will bring from non-traditional backgrounds my disclaimer on that of course everybody's going to bring something different based on what they were doing

before it's a no-brainer but i think there are a few key qualities that almost all of them will have because it takes these to get into it so we'll start with perspective uh i like this this uh meme because the new guy as um i was abusing it in this is anybody a new candidate they they have a perspective of what does the end user think of this what does the business think of this what does the project manager think of this coming from something unrelated seemingly unrelated brings so much perspective into where our team fits into the whole organization so i i like to think that the new guy has all of these and i started making

with like legal and compliance and and all these different things and i thought i'm just getting ridiculous now but you get the idea the the individual coming from a non-traditional background is going to have the perspective of another part of the organization with which we're working and that could be the the end user and why is this person still clicking on phishing emails they've gone through the training so many times and they're still clicking on it well a lot of times the uh somebody coming from a non-traditional background is gonna say well i was that person and here's what i thought i didn't care about security because you never really made it seem like a threat to me

um some organizations do i have not worked with many that do but yeah i mean they they bring this perspective they bring the this um the business idea i i'm sure you guys have seen it i've saw it in former roles i see with clients that i work with now IT versus the business and how we're we're siloed and it's almost like we're combating each other i think they bring verbiage and mindset that can help us change the way that we're speaking with the business and show the value of what we're going to provide and why we need to do this one of my i think my greatest skill sets in this field has been my conflict

de-escalation from counseling and the ability to gain trust easily with people because how i've approached my conversations with clients my conversations with people that may not be part of infosec is here's why this matters to you i understand you don't want to do this i understand that this dr plan seems stupid to you but let me show you what you're doing by preparing for this and when i can position it as we are working together rather than we are working apart from each other it's been really one of my greatest assets and has made some of the biggest changes in how i work with people so i think people that come from a non-traditional background are going to

bring this perspective i like the if the only tool you have is a hammer it's tempting to treat everything as if it were a nail and that's what i think in a lot of senses we we have done is we have brought traditional means to true traditional problems and now we have emerging problems and we're still trying to apply traditional fixes to emerging problems having somebody come from another perspective is going to give us opportunities to look at this from a different side like i said we i want to find the problem solvers i want to find the critical thinkers we we just can't be so limited to the idea that there's one way so then we talk a bit about cultural

impact of course the culture is going to be defined partially by the perspective i just mentioned the different ways to approach a problem i think somebody that comes from another field is going to bring new ways to look at the problem they're going to help us find spots where the we're going to be able to need to find spots where the perspective the prospect can benefit the team it's hard whenever we know that we need we have a need but we can't figure out quite how to fill it and a lot of those positions a lot of those needs i think are going to be able to be filled by non-traditional people i've got a cool infographic

i can't say it's an infographic it's just a picture uh it's it's a and it's in a couple slides but you'll get what i mean whenever i get there there's the learning culture so one of the things that i noticed whenever i moved into the this corporation i was talking about is that i had been learning non-stop since i got into the field i had been going to different i'd been buying courses i had been saving money from my nine to five while i was working nine to five so that i could afford more courses i had this level of um i needed a self-investment because i wanted to show that this is mine somebody that comes in is going to

expect to continue learning and so when i went into this organization i thought i'm going to be among these peers in infosec and these guys like the cyber security analyst they're going to teach me everything and i'm just so excited to learn from them and then i got in and i saw there's it's more of the mentality of well i started the help desk and then this position opened here and i don't i don't really mind it but it just kind of is what it is and for me that was so discouraging because i thought everybody in this field was going to be super excited and i thought everybody was going to be like knowledge hungry

so what i noticed and what has been brought to my attention from my my superiors at the time and some colleagues is that i brought in the change i started asking do you have an interest in this for me what drew me was wi-fi hacking and i was like do you have any interest in hacking wi-fi i think it's like the coolest thing and so i started studying it and i started studying for the oswp and i asked some friends do you have any interest in colleagues do you have any interest in studying with me and they nobody had really posed that question like why should i bother advancing or learning more when it's not

a requirement um and that was just kind of mind-blowing to me so i ended up knocking the oswp not yet it's going to happen but what we did find is that some of them found other interests in the field when they started studying for the security plus and they started for studying for ceh but it took a catalyst to make that happen so i think you somebody coming from another field is going to bring that that hunger to learn more and then i think they're going to bring new methods they're going to bring tools and tactics one of my my favorite examples of that is when i was in internal audit i was testing terminated users manually and getting

really frustrated how slow it was and we had hired a new guy and he came from manufacturing another form of manufacturing but he was not on the infosec side at first he was on the supply chain side so he had a spreadsheet that was just a vlookup that he had customized to find only specific specific parts but it ended up being perfect for what i was doing and it was something that i had i had never even considered but this guy that came from a totally unrelated role was giving me like the most valuable tool in my arsenal at the time and i was really excited about that i think it's a great example of

how the types of tools and the tactics that somebody might bring they're going to bring good habits whatever has made them successful in other fields i think they're going to bring with them whether it's their time management their project management how they interact with other people they're going to bring their good habits the flip side of that is going to bring their bad habits uh that can be and that can be a learning point that can be a point of growth and i think that's why as we're learning to support people that come from non-traditional backgrounds we need to keep that in mind is that while there is a lot of benefit the unfortunate reality is not everybody

is a gem um so we're we're going to talk a bit about what to look for but i think something that almost everybody will have in this field coming from a non-traditional background there are a few qualities i think they're going to have perseverance because they have already got rejections from other places they have been told why are you making this secu this change you don't really come from that field their friends and family likely have tried to discourage them so they're going to have to have perseverance they're going to have to have discipline to repeatedly dedicate their time after work while they're working their own nine to fives they're going to have to find time to

manage that and it's it's discipline they're going to have a level of self-investment like i said the the sacrifice of their own time their own resources i i paid for all of my uh courses i paid for all of my certifications out of pocket because i knew this is something that i wanted if you've seen uh the rock did a verse last year with uh with i think it was with Tech N9ne and it became a big meme and he goes it's about drive it's about power and everybody saw it i remember it was all over the internet and i couldn't help but put uh put him next to drive but they're to have a drive they're going to

have to continually motivate themself intrinsically because there's not always an extrinsic um motivator and in a lot of cases there is a deterrent and then finally they have to have humility which is what i think most of us have anyway in this field because you talk to other people and you're like i've been doing this for 30 years and they know way more than i do this is the most i think one of the most humbling fields you can get into because we saw that map of the breadth of things we talked about there's just so much to learn um so they're gonna have that humility and they're gonna have that understanding that it's okay they don't know anything

um they're gonna be encouraged to keep learning so while we're talking with people prospects that might be interested in coming to an organization a couple things i think we need to ask ourselves and we need to ask them uh what what drew them to the field for me like i said it was wi-fi hacking i thought that if i could figure out how to hack wi-fi and have wi-fi anywhere i was that was the coolest thing now i'm not going to incriminate myself but i did learn i learned a lot but what drew them to the field why are they interested in it i think you will be able to tell a lot about a person if

they tell you what their passions are what experience do they have outside of work and that doesn't mean it has to be an internship or formal experience but do they have a raspberry pi setup at home you know have they done any type of home lab have they um done a like a raspberry pi cluster maybe i that was one of my my first projects was building a raspberry pi cloud cluster and i was so proud of myself even though i didn't understand the code i just copied something off of uh off of github but i made it work and that was worth its weight in gold to me so i think talking when we're asking

people about their experience ask them what do they do outside to continue improving their abilities the evidence of personal investment they said what what have you done to grow in a more traditional sense so what courses have you taken what um special interest groups are you a part of are you are you going to ISACA chapter meetings are you going to your local BSides conventions what are you doing to stay involved with the community and then ask them what sets them apart i if you were to ask me what sets me apart from other people i would say my conflict de-escalation my ability to build trust and my ability to hear people it's at this point i have told enough people

that that that is where i feel i stand out but i think anybody that's going to try to make this transition is going to have something that they say sets them apart so i would i would pose to you ask them about it and ask them why they think it sets them apart some of the questions we need to ask ourselves is how do we commute how do they communicate we need people that are articulate we need people that can flesh out their thoughts and that's one of the value i think that comes from non-traditional backgrounds because a lot of them are something like a journalist or a teacher ways where careers where you need to

express yourself in written form or orally we should take stock of how they're communicating and then how are they going to affect the culture are they going to be a hindrance are they going to be a value add to the the culture that you have so talking about how do we support and utilize these this is the picture i was talking about from the movie 300 the idea that we have these gaps we're always going to have gaps in our architecture and our organizations and our culture but one of the ways i think we can fill that in fill gaps we don't even know is with people with different different views because they're going to fill maybe that

that report writing or the the needs of the business we're going to build to make each other better what i don't want to come across is that we need to accommodate everything to people because they don't have experience they don't have i.t experience we don't need to cater to people we need to strategically fill gaps with who we have and who we're gaining rather than hiring people and then trying to accommodate so as i was going through this i thought well it might seem like i'm saying you know cater their needs and i'm really not i'm i want to get across that um it's not so much catering it's just using them in the right getting the

right people in the right seats but some ways that you can encourage their support them is by encouraging them we talk about imposter syndrome a bit it was one of my biggest struggles coming in is that i knew i learned quickly that i did know what i was talking about but as soon as somebody would question me about it i thought well this person has 10 more years experience i must not know what i'm talking about just encourage them validate them talk let them know you know we're all struggling in some sense play to their strengths you know if their strength is report writing if their strength is communicating if their strength is uh being creative put them

in positions that let them do those things give them opportunities to learn if you're moving from another field into this field you have to be an avid learner and just continue to give them those opportunities because they're already used to it they already have been doing the work for it and then be honest with your feedback and constructive with your feedback i i did have people in my career that i would say inflated my ability more than what i what i actually was capable of doing and there were times when i did i feel maybe i failed a task because i wasn't quite ready be honest let them know i don't think you're ready for this let them know

maybe this isn't the right fit but we're going to find you the right fit because we do have this need elsewhere but be constructive and show them this is how we're going to do it we are running low on time i'm going to give you just a couple examples um of some people that i i was as i was thinking through like oh who can i who can i call or who can i ask about their specific experience i realized i knew several right off the top of my head because i have worked with other people that have made these transplants or been these transplants the first one that came to mind is a friend when i went to get my first

certification i was the holistic information security practitioner and i went to seattle to take a course and i met a couple people there that i had never met before and one of them was similar to me and that he was coming from something he deemed totally unrelated but he had gotten this security role in physical security and he was like ross i really don't feel qualified because i worked in a prison for eight years i was at the um he was at the the the local prison and he started off as a prison guard i don't really know what i'm doing but somebody after he grew in in his uh his knowledge of that specific prison and

then he became a program director where he became a trainer then a program director and somebody approached him and said i think that your knowledge of physical security the things that you need to protect the assets you're protecting the physical infrastructure you're protecting could be really valuable in this field and they they poached him they convinced him to try it and we sat there taking this course together thinking neither of us should be here because we don't know what we're talking about and he and i were two of the only three to um to pass that course first round oddly enough the other one it was a she was a bicycle patrol officer at a

physical security company she started very early in her career just being being first responder being an emt um on this campus and grew grew in a role grew to be again another program director after doing the training portion but didn't see how any of that related to infosec until somebody said i think that your knowledge of the physical security elements you've been doing could be really effective here so she came to this as well not really thinking that uh she was gonna pass and then all three of us passed and it was awesome um another one i have a friend that uh he owned a daycare he and his family owned a daycare center and he

similar to uh what i was talking about with my hot sauce company he knows the ins and outs of running a business and those have been some of his greatest strengths now he's a SOC analyst he's leading a SOC team because he pays attention to detail he has to because he he manages the books he manages everything for his daycare center his entrepreneurial spirit and his ability to delegate his ability to pay attention to the small details those are things that make him successful now as a SOC analyst so i think what i want to get across is that we are looking for specific qualities right there are certain things that make that will make somebody successful in

this field and i think a lot of those we can and we need to continue finding and non-traditional backgrounds there's there's a need for well-rounded information security professionals we have this deficit it's going to continue growing the range of cyber services are just exploding we we everyone was so excited to move to the cloud and that was the big thing for a while is everyone's moving their architecture the cloud but then you had other cloud service providers that would then assess the cloud and now that's a new new realm and now you have assessors that are assessing the assessors of the first cloud you know how compliant are they and we just continue to go down these

these rabbit holes and they're needed they're needed from a compliance standpoint from a security standpoint but it just grows and we need people that are willing to do the work that have the personalities to get this done and we're not going to fill that with traditional backgrounds i think candidates with non-traditional backgrounds i don't know how many more times i can say it there's a lot of value they bring their knowledge their experience their personalities can really make a change to your your culture and when you're going to talk to these people just make sure you're looking for the right candidate ask questions beyond technical to find out how they got here ask them why they're interested in the

field and look for someone that's going to improve your culture not just fit in there were a lot of things there and i touched a lot of topics does anybody have questions no everybody's hungry

um i'm a hiring manager for an identity and access management team okay we have had a lot of challenges finding someone in that sphere that domain right and i have found that some of the candidates that had come into me were better from outside right but everyone that a recruiting company is bringing to me is always a cyber analyst or they've been something else right how do you find those people what methodologies are you using an echelon or in your past life since recruiters have not quite gotten on board with that what avenues are you using to find those people that fit those non-traditional entries yeah that's a great question i think for a lot of what i've seen it's been

the person looking has found the job um to your point the recruiters are not looking in the right places i have a i just read a really cool article about how hiring managers specifically can start looking so i would love to get you that article i can't i can't tell you specifically what website it's on but i'll get it to you but i think um my recommendation is talking to who you already have on the team and telling them this is something that we're looking for and that somebody doesn't specifically has to have to come from this background to thrive in it i i'm very particular and i know many people are very particular about who

they'll put their name out if you can find somebody on your team that you trust and they have somebody that they trust then it's worth having the conversation um in a more entry-level iam position i think a lot of that and i can tell you from experience a lot of that can be taught to anybody you don't really need specifically a computer degree to thrive in that field because that's how i started uh was was an iam and i thrived out of that so finding somebody with the right personality is going to be massive i would say start with with the employees you already have and talk to them see if they have people in their

colleagues they've worked with in other roles that might be a good fit

um with your previous lines of study yeah so the question was do i think there was anything that i in the field that i wouldn't have understood if i had not gone through my previous study uh absolutely i think for example when i first looked up wi-fi hacking i i saw this video from cody kenzie at uh cody kinsey at um nullbyte about aircrack i said all right well so what's aircrack and i'm on a windows machine googling aircrack how do i install aircrack which doesn't work um i i learned what is uh i have to use this thing called a linux distro what is a distro and what is linux so you know those basic questions were

things that started to come out of necessity of me searching but they also came out of courses so i went through a python course through udemy and it was very basic like how do you just start and that gave me some very baseline understanding of if i'm going to work with the tool i can modify it a lot of times or i can develop my own tools and i can script out what i want to do i learned some basic networking when i was going through some courses from um oh there's a guy on youtube and i'm blanking on his name professor messer i learned a lot from professor messer when i just went through his network

plus course so learning those basics of how infrastructure works how data is transmitted was massive and a very big deal for me so yeah i would say there it was definitely key that i learned those basics

oh i'm sorry i misunderstood yeah so family family counseling background i think it it helped me understand the psychology of people in the organization i had more opportunities to practice counseling in my last role where i would sit with people that had just lost a family member or i would sit with people that were going through a divorce or something along those lines and it gave me an opportunity to practice what i had already been doing and build those relationships that are pretty crucial in any field but they especially are in this field when we are so process and results driven that we don't get a lot of opportunities to talk to people one-on-one and build

those relationships so i would say that's that's one way that my counseling degree in specific or my counseling experience was able to help me yeah i also had a question kind of coming from the other side um so as somebody trying to get into the cyber security field from i would say pretty diverse background what would you what's the best way to convey like what you've done that's maybe not directly cyber security related like i have a pretty heavy networking background but i just i can't even get a call back personally yeah you guys need to connect um it's it's tough and i say that being a hiring hiring people now and going through applications

there are a lot of good candidates and there are a lot of people that i want to give a shot but then there are other candidates that just are in the moment better suited for what i'm looking for i will say that specifically me i'm looking for somebody that is articulate somebody that can has a repo um has a background in something that's somewhat related so i do a lot of report writing i need somebody that can clearly convey their their thoughts so i'm i'm open to people that are coming from a highly regulated field like a finance or if somebody is coming from law i'm open to that for you coming trying to to portray that

i would do as much as you can on your cover letter talk about the things that you're doing outside of your your experience so if you're doing any type of home lab or you're doing like i said a raspberry pi talk about groups that you're involved with talk about why you love the field and then just as a personal aside reach out to the person directly on linkedin shoot them a message people that shoot me a message on linkedin even if i don't have a position for them right now i'm going to talk to them because they want the extra effort they made themselves uncomfortable and did a cold reach out and i respect that

so i would definitely say consider reaching out to them directly and then in your cover letter put as much as you can about why you like this field what you think you want to accomplish in it and try to convey the passion so i think in your slides you mentioned the emphasis you emphasize a lot on certifications one thing i just wanted to mention that there are certifications that are good but then just like with any other degree out there some certifications are just too expensive and too much for a beginner to start with yeah and some people there have been descriptions in you know recruitments out there which say you need to have this this certification

which don't make sense for someone who's just beginning into the field a very good example being you need to have CISSP to just join uh as an abstract engineer which is ridiculous out there you can't expect that no one even gives that certification for that matter um but at the same time i as a person who has been hiring actively for our company as well um it's it's actually something that i've been looking out for a different perspective we don't want the same school of thought in our team we want different schools of thought so that we have different perspectives coming in when we are you know reaching out to our clients and offering them solutions

um one thing i wanted to mention for those who are in the non-traditional sense and trying to switch over a great way to reach out is through blogging or through just you know talking about what you're doing talking about your journey about trying to switch over to the field on social media i personally picked up some candidates from twitter because they were talking about this and it was just simple tweets maybe say i did this today i tried the story it showed that they were passionate about work and at least you can have a conversation see how it goes if it's the right fit in your company out there but it kind of introduces to people

other people in the field out here who are working for that so that's just what i wanted to mention yeah no i appreciate that i think you know people love people with personality and people that are interesting i know we are way over the time i'm just looking i'm so sorry um if you have any other questions for me feel free to come up afterwards um that's my contact information you can check me out that's my email that's my twitter and if you want just introduce yourself with a firm handshake i would love to talk with you but that's been my time thank you so much for being patient and uh [Applause]

[ feedback ]